For publicly traded companies subject to SEC periodic reporting, now is the time to take serious action in transitioning from COSO’s 1992 framework to its 2013 framework. SEC staff discussed this at a meeting on September 25, 2013, stating that “the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework (particularly after December 15, 2014 when COSO will consider the 1992 framework to have been superseded by the 2013 framework).” More recently, on March 26, 2014, PCAOB Board member Jeanette Franzel stated that “We are currently in a “perfect storm” in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain.” She calls upon audit committees, management and internal and external auditors to utilize this opportunity to take a fresh look at controls to prevent and detect material misstatements in the spirit of protecting investors. This article offers some transitioning ideas, especially for management and audit committees.
Don’t Wait
For those companies with a fiscal year ending (FYE) December 31, 2014, COSO considers the 1992 framework to be superseded as of the FYE, which is the date management must conclude on the operating effectiveness of their internal control over financial reporting (ICFR). While the SEC may continue to accept the use of the 1992 framework beyond the COSO’s superseded date, it will likely raise a red flag to the SEC reviewer responsible for reviewing the Form 10-K. Why cast a doubt with SEC staff that your company may not be prioritizing ICFR, or even worse, possibly ignorant of the need to transition to the new framework?
Despite the foundational pillars remaining the same between the 1992 and 2013 frameworks, the differences are far more than superficial and need to be clearly understood for proper transitioning. If the 2013 framework is not currently on the agendas of management and audit committees, chances are they are already behind on a reasonable implementation timeline. The transitioning workload effort will vary greatly from company to company, depending on the status of current ICFR documentation, especially pertaining to the entity-level control components of control environment, risk assessment, monitoring activities and information and communication. However, even for a company that has robust documentation in these areas, they should be aligning their efforts to the 2013 framework well before FYE.
Focus on the 17 Principles
While there are certainly several enhancements to the 2013 framework, the most significant is the requirement to address 17 specific principles. Why? – Because COSO makes it very clear that all “relevant” principles must be present and functioning in order for a company to conclude that their ICFR is effective. The 2013 framework views 17 principles to be suitable for all entities except in rare industry, operating or regulatory situations in which management has determined that a principle is not relevant to them. The burden of proof is on management to argue that any one of these principles is not relevant to their company:
Control Environment
- The organization demonstrates a commitment to integrity and ethical values.
- The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with Board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
- The organization selects and develops control activities that contribute to risk mitigation and the achievement of objectives at acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting internal control’s functioning.
Monitoring Activities
- The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.
In working with hundreds of companies over my career, I cannot recall a single instance in which one of these 17 principles was not relevant. Therefore, according to the 2013 framework, a failure involving the presence and functioning of any one of these principles at FYE means that a “major” deficiency exists and that the company cannot conclude that it has met the requirements for an effective system of internal control.
Top-Down, Risk-Based Approach
Here is the beauty of the 2013 framework – the 17 principles dovetail nicely into a top-down, risk-based approach to be ideally addressed as a precursor to more detailed management evaluation plans, internal audit programs and external audit planning. Indeed, PCAOB’s Staff Audit Practice Alert #11 reminds external auditors to gain an understanding of the overall risks of ICFR by focusing on entity-level controls (i.e., the 17 principles) and then working down to the significant accounts, disclosures and their relevant assertions. Risk assessment is the key element of a top-down approach and the 17 principles is a logical place for management, internal audit and external audit to start with their approaches. As stated by PCAOB board member Franzel on March 26, 2014, “I believe it is necessary and productive to take a fresh look at management’s process in light of the 2013 COSO Framework, so that the entire system functions effectively. And, of course, auditors and issuers need to have a productive dialogue about these issues.”
Judgment
Not to harp on the rules-based versus principles-based debate, but one should remember that the 2013 framework, like most other recent professional frameworks, provides a structured starting point that needs to be customized to suit different operating environments. Adhering to the spirit of this concept takes us away from a “checklist” approach in attempting to respond to all of the 17 principles strictly through the suggested points of focus within each. The points of focus are provided as guidance rather a strict roadmap. That being the case, a company does not need to address all points of focus, nor should they feel handcuffed to them. Instead, management needs to understand the spirit of the principle and leverage thoughts from the points of focus while also adding their own points of focus as they see fit. As a result, no two companies should have the same documentation; it should be customized to fit each company’s own environment.
Scalability
Similar to the topic of judgment, the depth of rigor and documentation in adopting the 2013 framework will vary greatly between companies dependent on their industries, sizes, locations, risks, applicable SEC regulations (e.g., smaller reporting company vs. a large accelerated filer) and a host of other variables. Simply put, the larger and more complex the business, the more risks to investors, and the more resources and documentation that are then expected in meeting the spirit of the 2013 framework (as was the case for the 1992 framework). As with any project, a clear understanding of what, who, when, where, why and how this gets tackled is necessary. Management and the Board of Directors through its audit committee should be on the same page. They also need to understand that this is an ongoing project in which the design of controls will need to be perpetually undated to keep pace with changing environments.
Conclusions
The transitioning to the 2013 framework involves much more work than simply changing the “1992” to “2013” in Item 9A(b) of the Form 10-K. It involves a reasonable level of documentation aligning to the five components and 17 principles of the 2013 framework. The documentation must go beyond a checklist approach of simply stating that the company met each of the 17 principles, as it must demonstrate examples and confirm a sincere spirit in meeting the components and principles. External auditors are facing increased scrutiny by the PCAOB regarding their rigor and evidence of complying with standards regarding their ICFR opinions. Expect ICFR, especially with regard to the 17 principles, to come under increasing scrutiny as the SEC and PCAOB turns up the heat on both management and auditors.
One more parting comment – don’t fall into the mindset that the 2013 framework is only about ICFR. Sure, it does address financial reporting objectives and controls, but it also can and should be voluntarily used in helping to meet compliance and operating objectives.
This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 1, published on March 31, 2014