The 2013 COSO Framework introduces 17 principles of internal control, each attached to one of the five components of the COSO Framework –and each principle included several points of focus within it. The analysis here looks at the four principles for the COSO risk assessment component (In this case, Principles 6, 7, 8 and 9).
All relevant principles of the 2013 Framework should be implemented for an entity to conclude that it has effective internal controls. The points of focus (which we’ll explain below), help users understand each principle — but they’re not explicit requirements.
First, a little background:
Public companies listed in the United States, as well as other companies in various jurisdictions, have been working on adopting the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control Framework.[1] The 2013 Framework is an enhancement and update, rather than a massive overhaul, of the original 1992 guidance and is intended to update the framework to address the changes in the economic, technological and regulatory climate that have occurred over the past 20 years.
While the five broad components of internal control did not change in the updated Framework, the new guidance accompanying the risk assessment component presents companies with an excellent opportunity to define and achieve important operational, reporting and compliance objectives. Indeed, for some companies, the new guidance — and the linkages to an existing strategic planning process it requires — can substantially change how they manage their business, create operational efficiencies and even boost profitability.
Principle 6: Specify objectives with clarity
This principle lays the groundwork to do the risk assessment itself. For some companies, this may be an area to consider enhanced processes and related documentation. A company ordinarily needs to describe its operational, reporting (external financial, external nonfinancial, internal) and compliance objectives. As the guidance states, “While setting strategies and objectives is not part of the internal control process, objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established.”[2] The risk assessment component is now tied much more closely to the overall objectives of the company and the strategic reporting process.
Operations objectives
Objectives for external financial reporting requirements are an important focus of external auditors, and hence a focus of company financial staff. It is important for management to be vigorous in specifying objectives for each category as appropriate to the organization. Specifying operations objectives can be particularly valuable. The points of focus for the operations objectives can help a company become better managed and help it mitigate risk. Indeed, from an operational standpoint, they can be as important as those objectives that apply to financial statement risk.
Developing and implementing operations objectives is essential for executing the strategic planning that some companies sorely lack. For many firms, especially large companies that already have a robust strategic planning process, the new risk assessment guidance may have little impact. But many medium-size firms, and in particular, start-up firms, have not developed robust strategic planning processes. Those companies could benefit from achieving sufficient clarity of objectives in order to identify and assess risk.
Reporting objectives
The 1992 Framework included language applicable to various forms of company reporting other than external financial reporting. But with the passage of the Sarbanes-Oxley Act, and related Securities and Exchange Commission rulemaking, the COSO internal control framework became closely associated with external financial reporting[3]. The 2013 Framework discusses in detail the use of the guidance for other reporting situations in order to provide context for applying the components and principles more broadly.
In describing external nonfinancial reporting objectives, the Framework specifically mentions sustainability reporting, which is far more prevalent and important now than 20 years ago; indeed, the oft-used Global Reporting Initiative guidelines weren’t published until the late 1990s. Internal reporting systems have also become more important and sophisticated–not only for managing the company, but ensuring that expanded regulatory requirements are met.
Compliance objectives
In following the compliance objectives of Principle 6, a company also has to manage the enormous amount of guidance it receives from a wide variety of regulatory bodies. A recommended approach would be to first meet COSO requirements. Next, homogenize, where reasonable, the language in your documentation to other compliance mandate checklists that address a similar attribute (Financial Industry Regulatory Authority, Basel III, etc.). In other words, a company should have a single response, applying a “one-to-many” concept, where applicable, for all of the risk assessment mandates it must follow.
Principle 7: Identify and analyze risks across the entity
Principle 7 is used to answer the following questions:
(1) What are the risks of achieving the objectives identified in Principle 6 across the various levels of the entity — subsidiary, division, operating unit and function — as well as the entity itself?
(2) What is the likelihood of a specific risk occurring, how severe could it be, how quickly will it affect the company and for how long?
(3) In the event of an occurrence, how should management respond? There are four types of responses: acceptance, avoidance, reduction and sharing.
Under the 1992 guidance, the focus was on transactional risk, i.e., risks in processes carried out at operational and functional levels. The 2013 Framework, with its emphasis on organizational objectives, puts a greater weight on entity-level risk. Moreover, this approach demands that risk be looked at on an ongoing basis, rather than as a once-a-year exercise.
Principle 8: Consider the potential for fraud in assessing risks to the achievement of objectives
This principle looks at how fraud could prevent the entity from achieving the objectives identified in Principle 6. The assessment management performs with respect to this principle considers fraudulent reporting, possible loss of assets and corruption resulting from the various ways that fraud and misconduct can occur.
In tackling the demands of the new principle, companies can adopt various approaches. The “illustrative tools”[4] COSO has issued offer helpful recommendations including the following:
(1) Conduct a fraud risk assessment to identify the various ways fraud risk can occur. Management should consider:
- The degree of estimates and judgments in external financial reporting
- Methodology for recording and calculating certain accounts, like inventory
- Fraud schemes and scenarios common to the industry sector and markets where the company operates
- The geographic regions where the company does business
- Nature of automation
- Unusual and complex transactions subject to significant management influence
- Last-minute transactions
(2) Consider approaches to how individuals in the firm might circumvent or override fraud controls.
(3) Consider fraud risk in the internal audit plan.
(4) Review pressures and incentives in compensation programs for management and employees to commit fraud.
Read: Reimagining Enterprise Fraud Risk Management
Principle 9: Identify and assess changes that could significantly impact the system of internal control
This principle requires an assessment of change in the organization on an ongoing basis — both externally and internally —that could affect risk. External changes include those in the economic, regulatory and physical environment. Internal changes include those in company’s business lines and operations, overseas markets and operations, new technologies, as well as changes in leadership and company philosophy.
Implementing the COSO risk assessment component
All of the relevant principles in the Framework should be present and functioning in order for management to conclude that internal controls are effective. Many companies are starting with the Framework, determining if there are existing controls that satisfy the principles and then considering what new controls or improved documentation may need to be implemented to evidence how a principle is satisfied.
As discussed above, points of focus may be particularly helpful in assisting management and auditors in evaluating principles that may not have been as thoroughly developed in the 1992 Framework. As a best practice, management should at least consider every point of focus, determine whether the relevant points of focus are present and determine if other considerations are appropriate. They should then document and support that the appropriate number of points of focus have been satisfied to substantiate that the underlying principle is in place and operating effectively.
In adopting the new guidance for COSO risk assessment and other Framework components, internal audit will ordinarily be responsible for the facilitation of the mapping of controls to principles. Implementing controls and remediating control weaknesses, however, will generally be the work of the CFO, the controller’s function and general counsel, and others such as internal audit. Boards and audit committees also have an important role to play in ensuring that any deficiencies in internal control noted by those charged with monitoring and reporting, including external bodies, are corrected. Overall responsibility, however, falls to management: It is their responsibility to ensure that the checks and balances in the organization exist for a sound system of internal control.
While the transition to COSO 2013 may take a great effort for some companies, the new guidance around risk assessment presents an opportunity to achieve important operational objectives. When implemented, the Framework can be more than just a compliance exercise — the requirements can help improve operational efficiencies and increase productivity.
[1] See the COSO website at http://www.coso.org/ic.htm for more information.
[2] COSO, Internal Control Integrated Framework 2013, p. 42
[3]McNally, J. Stephen. “The 2013 COSO Framework and SOX Compliance,” Strategic Finance, July 2013.
[4] “Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples,” COSO, 2013.