An Auditor’s Perspective
Navigating the COSO internal control cube is no easy task; there are more than 1,000 combinations to consider between the 17 Principles and the related Points of Focus as put forward in 2013. Here are some practical starting points and guidance for assessing risks and addressing them before signing off to the public.
Those who sign and file internal control representation documents with regulators, such as the SEC, are often guided by the Internal Control – Integrated Framework (or should be). This Framework is published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has a mission to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence. Often thought of as the world’s gold standard for internal control frameworks, the COSO Framework presents the daunting challenge of three dimensions to mix and match, similar to a Rubik’s Cube.
The COSO Framework has an Executive Summary available to the public, which has a diagram of the cube on page 6. Factoring in the Principles and related Points of Focus clarified in the 2013 version, the COSO cube has over a thousand possible combinations to consider. Therefore, identifying the main objectives and then deciding where to start and how best to proceed is the key to proper utilization. A CPA with COSO training, such as the COSO Internal Control Certificate Program, can be a valuable partner.
The Cube’s Sides and Their Practical Starting Points
The top side of the cube has three internal control objectives: operations, reporting and compliance. This turn of the cube for an annual management assessment of the effectiveness of the Internal Controls over Financial Reporting (ICFR) per SEC requirements should start with the External Financial Reporting objective. A simple reason is that the public relies on public company external financial reports and on the executive officers, specifically the CEO and CFO (or equivalent), who certify that they have evaluated the effectiveness of disclosure controls, which include ICFR (i.e., the “signers”). This is not to diminish the importance of operating objectives, which address performance goals and the safeguarding of assets. Also, compliance objectives pertaining to adherence to laws and regulations certainly merit adequate attention.
The right side of the cube addresses the hierarchy of an organization as descending from entity, division, operating unit, down to functions. Typically, the signer is an executive with clear visibility of the Framework’s relevant activities from the entity to operating unit levels. It is at the functional level where visibility often becomes unclear to the signer due to details, volume and lack of time to address issues. Therefore, risk becomes more difficult to assess.
Being an astute reader of the balance sheet and income statement, the core reports in SEC reporting, does not by itself enable the executive to detect material ICFR deficiencies. Controls to prevent material errors pertaining to revenue recognition, inventory, fair valuations, capital vs. period cost, etc., generally operate at a functional level within the control activities component and its respective principles. Accordingly, this is a good side of the cube to start with.
The front face side of the cube has five levels known as components: control environment, risk assessment, control activities, information & communications and monitoring activities. The second level, which is not visible on the Framework’s cube, is the 17 Principles in support of the five components. Finally, on average, each Principle has 5 Points of Focus.
For this final side of the cube, control activities is our starting point. This will be explained as we proceed and take the lead from the Public Company Accounting Oversight Board (PCAOB) Standards from an external audit perspective.
Words of Caution
Before going further, it is critically important to note that the cube’s objectives, organization levels, components and principles are all interconnected and interdependent. If any one of the relevant 17 Principles is not properly designed or operating effectively (respectively referred to by the Framework as “present” and “functioning”), the entire associated component cannot be present and functioning. Further, the Framework defines a “major deficiency” as the situation in which the company cannot conclude that a relevant Principle is present and functioning. When this happens, the company cannot conclude that it has met the requirements of an effective system of internal control, which is akin to a “material deficiency” as defined by the SEC and PCAOB. While starting with the Framework’s cube set on external financial reporting, function and control activity, it can be safely assumed that any deficiencies will lead to turning the cube and exploring from a different but related paradigm to address the cause of the deficiencies. For example, accounting internal control deficiencies in control activities are almost always related to control environment weaknesses, such as competencies and accountabilities.
How to Best Proceed
With a CPA versed in the COSO Framework as your partner, the best place to start with the cube turned to external financial reporting, function and control activity is the company’s trial balance.
At first, the trial balance may seem to be just a list of numbers, often voluminous, in debit and credit format. However, it represents the culmination of the economic activity of a reporting entity for a given period. The most basic financial reports showing the entity’s financial position (balance sheet) and results of operations (income statement) are directly derived from the trial balance. Under each account listed are the activities that capture the economic events from point of origination to understandable summation. Many accounting firms refer to the trial balance as the “lead schedule,” as it leads up to the financials and down to the underlying activity.
Management’s Reporting Assertions and Risk Assessment
When management asserts to the public that their entity’s financial statements are free of material misstatement and the ICFR is free of material deficiencies, this can only be based on an understanding of the assertions. Assertions are being made about accounts that could individually or collectively cause a material misstatement, along with other requirements. The assertions as defined by PCAOB Standards AU Section 326 are:
- Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
- Completeness – All transactions and accounts that should be presented in the financial statements are so included.
- Valuation or allocation – Asset, liability, equity, revenue and expense components have been included in the financial statements at appropriate amounts.
- Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
- Presentation and disclosure – The components of the financial statements are properly classified, described and disclosed.
- Cut-off – Transactions are recorded in the proper period.
An important logistical step to create order and reduce account volume to a practical level is to apply the assertions by accounts as grouped by related function and related control activities, in addition to financial statement order. For example:
- Revenue cycle grouping – revenue, accounts receivable, deferred revenue, bad debts.
- Procurement cycle – inventory, accounts payable, expenses.
- Contractual obligations – contracted services, leases, acquisitions.
- Human resources – compensation, benefits, taxes.
- Tax accounting – deferred assets, liabilities, expenses.
- General accounting – fixed assets, depreciation, accruals.
An audit requirement is to gain an understanding of the entity’s internal controls, which is akin to “are they present” in COSO Framework terms. The key is to identify those policies and procedures that contain the selected and developed control activities to mitigate the risk of a material reporting misstatement. This includes general information technology (IT) controls, as well as software application controls. Accordingly, the questions to ask for each identified functional account grouping are:
- What policies and procedures constitute a design that would preclude a material error from occurring in the normal course of business?
- Are they present?
- Are they functioning?
Some policies and procedures should be considered “must-have” for internal controls to be considered adequate, such as credit checks. Others should be evaluated for cost benefit, for example manually cancelling paid invoices.
Referring to the PCAOB guidance again, each of the account groupings should be assessed by management for the risk of material misstatement at the assertion level, as follows:
- Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls.
- Control risk, which is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company’s internal control. Control risk is a function of the effectiveness of the design and operation of internal control, which, again, is akin to “present” and “functioning” per the Framework.
Of course, if the design is not adequate, proceed with corrective action using the COSO Framework and SEC standards as the guide, along with the help of a CPA versed in both the Framework and SEC regulations.
The COSO Framework process is iterative, systemic and ongoing. The first turns of the cube – reporting, function and control activity – should get the process going in a positive direction. In the final analysis, the entire Framework cube should be turned and evaluated from every side, similar to matching the colors on a Rubik’s Cube. The mission is assessing risks across the entire cube and reacting until risks are reduced to a level deemed acceptably low in the judgment of management and those charged with governance before signing off to the public.