The Wall Street Journal reported in November that smaller companies were slow to adopt new rules for internal controls put in place by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – the 2013 Internal Control Integrated Framework.
The framework was designed to help organizations implement internal controls in response to changes in business and operating environments since the issuance of the original framework in 1992. The framework also broadens requirements for the application of internal controls, clarifying what constitutes an effective internal control, defined by COSO as “a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”
Now, for companies large and small, time is up: the deadline to map to the new rules was December 15.
While, technically, the rules are not requirements, they do constitute a “suitable framework” to comply with Sarbanes-Oxley (SOX) provisions for internal control and financial reporting, providing meaningful standards for auditing with little room for deviation. As a result of the “suitable framework” language, adopting the COSO framework allows publicly traded companies in the United States to effectively kill two birds with one stone, integrating the best practices provided by the COSO framework while also complying with the regulatory requirements of SOX.
If you’re an executive at a publicly traded company and you’ve just now discovered this lapse, you might be feeling overwhelmed as you run through the scenarios and begin planning how you’ll get your business up to par. You may want to consider engaging a partner – someone who has implemented this framework before.
For those seeking guidance, here are six tips to consider – before the Securities and Exchange Commission (SEC) comes knocking at your door:
- Get up to speed. Assess the situation and obtain the information you’ll need to ensure everyone on your team knows what they need to know. If necessary, find a third-party partner who can help.
- Design an implementation plan. Identify who, what, when, where, how and why for all of the integral steps you’ll need to comply with the new rules.
- Assess to determine control gaps. COSO’s guidance includes 17 principles across five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. You’ll want to align your control activities with the COSO principles and remediate any controls whose design falls short.
- Validate all data sources.
- Follow through – and integrate across your enterprise. Complete your plan, identifying the resources you’ll need, the tests you’ll want to conduct and a realistic and concrete timeline to implement.
- Test your controls for operating effectiveness. Do your controls monitor what you intend them to?
- Communicate your results. Ensure leadership and all other parties are aware of the process and the need for improved data integrity overall.
Missing the COSO deadline was a mistake, sure, but you still have time before the SEC starts looking at companies still operating under the 1992 guidelines. Follow these steps and you’ll quickly move toward compliance.