COSO II: The Transition
By J. Stephen McNally, CPA
A decade ago, the Sarbanes-Oxley compliance clock was ticking quickly as many U.S. public companies were aggressively documenting, testing, and enhancing their internal controls over external financial reporting and disclosure to ensure compliance with Section 404 of the Sarbanes-Oxley Act (SOX) of 2002.[1]
Since then, the majority of these companies have been using the COSO Internal Control – Integrated Framework of 1992 as the basis for evaluating the design and effectiveness of their internal controls. In May 2013, however, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) board released an updated version of its internal control framework, noting that it will supersede the 1992 edition in December 2014. As a result, the SOX compliance clock is ticking again.
This feature provides highlights regarding the updated framework as well as one approach, including five steps, to transitioning to it.
SOX was signed into law in July 2002 to restore public trust in the U.S. securities markets after this trust was jeopardized by Enron, WorldCom, and other corporate debacles. Section 404 specifically requires management to state their responsibility for establishing and maintaining an adequate system of internal control over external financial reporting and disclosure. Management must annually assess the design and operating effectiveness of their controls, and must also identify the internal control framework used to make this assessment. COSO’s Internal Control – Integrated Framework, although first published in 1992, gained wide acceptance with the passage of SOX.
The Refresh Project and Deliverables
In 2010, COSO’s board initiated a comprehensive review, refresh, and modernization of the original framework to ensure it remains relevant despite dramatic business and operating environment changes and evolving stakeholder expectations since 1992.
Business models have evolved, including greater use of shared services and outsourced service providers, and the demands, complexity, and pace of change in rules, regulations, and standards have intensified. Regulators and other stakeholders have higher expectations regarding governance oversight, risk management, and the prevention of fraud. The need for competency and accountability is greater than ever before.
In applying COSO’s original framework, the business community learned several lessons. For example, practitioners have not fully leveraged the framework, primarily using it for external financial reporting only, which is just a subset of one of the three overall categories of objectives. The concept of internal control principles was embedded in the original framework, but it was buried within the details. Thus, codifying the underlying principles; increasing focus on operations, compliance, and reporting objectives other than external financial reporting; and enhancing usability were additional drivers behind COSO’s upgrade initiative.
The multiyear project culminated with the release of the updated Internal Control – Integrated Framework in May 2013.
COSO’s original framework will remain available through Dec. 15, 2014, at which time it will be considered superseded. COSO’s board believes its continued use during the transition period is appropriate. Companies using COSO for external reporting purposes during the transition, however, should clearly disclose whether the 1992 or 2013 edition is used.
If you are successfully using COSO’s 1992 framework for SOX compliance today, is there a compelling reason to complete your transition prior to December 2014? Indeed, do you need to transition at all?
According to COSO’s news release issued with the new framework, “COSO believes that users should transition their applications and related documentation to the updated framework as soon as is feasible under their particular circumstances.”[2] In a speech soon after, Paul Beswick, chief accountant with the Securities and Exchange Commission (SEC), said that “SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or commission actions become necessary or appropriate at some point in the future,” but, in the meantime, “I’ll simply refer … to the statements COSO has made about their new framework and their thoughts about transition.”[3]
SEC staff offered another hint during a meeting with the Center for Audit Quality’s SEC Regulations Committee. Specifically, “the [SEC] staff indicated the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement for a suitable, recognized framework.”[4] One can infer that the SEC expects U.S. public companies subject to SOX Section 404 to transition to COSO’s 2013 framework on, or before, Dec. 15, 2014, COSO’s stated transition date.
As co-lead of Campbell Soup Co.’s original global SOX team, I played a key role in defining Campbell’s SOX compliance methodology and approach. Like many companies, we selected the 1992 COSO framework and then leveraged it to assess the design and effectiveness of Campbell’s internal controls over external financial reporting and disclosure.
Because COSO’s newly released framework is a refresh, and the principles and requirements of effective internal control are theoretically embedded in the 1992 edition, I expect Campbell Soup and other U.S. public companies to have a relatively smooth transition. Indeed, assuming a company properly interpreted the original framework in developing its SOX compliance program, transitioning to the 2013 framework may be limited to updating the format of several summary SOX reports. There should be no impact on the underlying SOX compliance methodology, approach, or key controls.
Even though transitioning may result in few if any changes, you still need to work through it. The following five-step process[5] represents one way to navigate the transition, although there are surely other approaches as well.
Step One: Awareness and Expertise
The first step is to build internal awareness and subject matter expertise by obtaining and reviewing COSO’s newly released publications, including the Internal Control – Integrated Framework (ICIF) & Appendices, the ICIF Executive Summary, the ICIF Illustrative Tools for Assessing Effectiveness of a System of Internal Control, and Internal Control over External Financial Reporting: A Compendium of Approaches & Examples.
These publications represent nearly 500 pages of guidance. To obtain an overview, review the ICIF Executive Summary, recent COSO press releases, COSO’s ICIF presentation deck, a frequently asked questions document, and other materials available on COSO’s website (www.coso.org). Several of COSO’s sponsoring organizations have been hosting a series of webinars, in-person seminars, forums, and training sessions, many of which are available free to the public. Your external auditor, other public companies, regulatory authorities, and other relevant parties can also be great resources. Finally, networking and building connections with peers at similar companies may also benefit you and your team.
As you begin developing your awareness of the updated framework, the following concepts and insights may be of particular interest.
Timeless Concepts – Internal control continues to be defined as a process effected by people that is designed to provide reasonable assurance regarding the achievement of an entity’s objectives. COSO’s 2013 framework still provides for three major categories of objectives – Operations, Reporting, and Compliance – and still consists of five integrated components of internal control – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. The framework continues to be adaptable, allowing you to consider internal controls from an entity, divisional, operating unit, or functional level. Finally, management’s important role in designing, implementing, and conducting internal control, as well as assessing its effectiveness, is retained.
Codified Principles – The original framework conceptually introduced 17 principles associated with the five components of internal control. These principles are essential in assessing whether the five components are present and functioning, and they have now been clearly articulated. The COSO board believes each principle adds value, is suitable to all entities, and, therefore, is presumed relevant. If management determines a given principle is not relevant to their organization, they should document their rationale.
Requirements of Effective Internal Control – Each of the five components of internal control and each relevant principle must be present and functioning for management to conclude their system of internal control is effective. “Present” means that a given component or principle exists within the design and implementation of the internal control system. “Functioning” means the component or principle continues to exist in the operation and conduct of the control system. Effective internal control also requires that the five components operate together in an integrated manner. If each component and relevant principle is present and functioning, and the aggregation of internal control deficiencies across the components does not result in one or more major deficiencies, management can use judgment to conclude that the five components are operating together.
Points of Focus – COSO’s updated framework describes points of focus, which represent important characteristics of the respective principles, to assist management in designing, implementing, and conducting internal control, and in assessing whether or not the 17 principles are present and functioning. Relevant and suitable points of focus for a given entity can help you understand the respective principles. There is no requirement, however, for management to separately assess whether these points of focus are in place.
Internal Control Deficiencies – A major deficiency exists, according to the updated framework, if an internal control deficiency or combination thereof severely reduces the likelihood of an entity achieving its objectives. If management determines that a relevant principle or associated component is not present and functioning, or the five components are not operating together, the entity has a major deficiency. When it comes to SOX or other compliance requirements, however, management should only use relevant criteria as established by regulators, standard-setting bodies, and other relevant third parties for defining the severity of, evaluating, and reporting internal control deficiencies.
Step Two: Preliminary Impact Assessment
For those who interpreted the original framework consistent with the COSO board and, using this knowledge, designed, implemented, and maintained an effective system of internal control, the impact may be minimal. For others who may have misinterpreted the original framework or have been less sophisticated in designing, implementing, or maintaining the internal control environment, the impact will be more significant.
To conduct a preliminary impact assessment, consider mapping your existing system of internal control against the new COSO framework. Specifically, start with each of COSO’s principles and conduct a gap analysis by identifying which of your company’s controls address it. You will learn whether or not all principles are appropriately addressed, and you may realize that certain controls are redundant or unnecessary. You could also go the other way, starting from your existing control inventory and tagging each control with the principles it supports, and still end with an effective system of internal control. There is greater risk in that direction, however, that certain principles may be missed or not fully addressed, or, at a minimum, that you may not identify opportunities to scale back or eliminate redundant controls. If you determine there are gaps in your internal control design, you will need to remediate them accordingly.
Step Three: Broad Awareness and Comprehensive Assessment
In this step, you will engage the broader organization, building awareness and pressure-testing the preliminary impact assessment.
SOX compliance efforts, depending on the nature and complexity of your company, may occur centrally or may entail multiple layers of assessment. Each business unit or location, for example, may prepare its own local-level assessments that are centrally rolled up. Either way, you should facilitate broad awareness of COSO’s updated framework among key stakeholders, including the board of directors, senior and operational management, process and control owners, and internal and external auditors. Also leverage key stakeholders, especially process/control owners and business-unit SOX leads, to pressure-test the preliminary internal control mapping and impact assessment, especially in a more decentralized or highly complex environment.
Step Four: COSO Transition Plan
Once you have built broad awareness regarding the updated framework, gained alignment that a timely transition is important, and completed a comprehensive impact assessment, it is time to develop and execute your company’s transition plan.
During the planning phase, finalize your company’s new SOX compliance methodology and approach, define project governance and decision rights, develop a detailed project plan with key milestones, identify and assign resources, and complete other standard planning activities. Most important, be realistic in your expectations, plans, and timelines. Even for companies with sophisticated SOX compliance programs today, the effort to transition may be minimal, but there will be effort just the same.
As you execute a transition plan, you will likely pass through three phases:
* Documentation and Evaluation – During the first phase you may need to update the format or flow of underlying documentation, aligning it to the new mapping created during step two. The underlying documentation must now support management in concluding that each of the five components of internal control and each relevant principle is present and functioning. This phase also entails evaluating the design of the underlying controls and enhancing the design as needed.
* Validation Testing and Gap Remediation – Once comfortable that your company’s controls around financial reporting and disclosure are effective in their design, you need to perform validation testing to ensure the controls have been implemented and are operating as expected. And if deficiencies are identified, gap remediation may be required.
* External Review and Testing – Ultimately, your external auditor will need to assess and gain comfort with your updated SOX compliance program and supporting documentation.
Step Five: Continuous Improvement
You will surely complete the transition to the 2013 edition of COSO’s framework by December 2014. But in the true spirit of corporate governance, challenge yourself to drive continuous improvement thereafter, as there is a difference between having an adequate system of internal control and having best-in-class internal controls. For a public company, stronger corporate governance should translate into stronger business results and increased shareowner value.
Ensure, for example, that there is an appropriate tone at the top. Clearly communicate the company’s commitment to integrity and ethical values, the importance of maintaining an effective control environment, and the expectation that all employees fulfill their internal control obligations. To truly embed internal control responsibility into the fabric of a company’s culture, business processes, and procedures, implement a control self-assessment (CSA) program. CSA is a sustainable process that drives management accountability.[6] Also consider using technology to support monitoring activities: comparing transaction details against predetermined thresholds, monitoring for trends and patterns, and assessing automated performance indicators and metrics. Or consider developing dashboards related to key processes, activities, or controls that can alert you to potential anomalies or failures. These are but a few examples of how you can drive continuous improvement of internal controls.
Call to Action
Companies currently using COSO’s 1992 framework in conjunction with SOX compliance requirements should complete their transition to the 2013 version no later than December 2014, when the original framework will be considered superseded.
The onus is on CPAs to build awareness of COSO’s updated framework, to gain senior management’s alignment and support to begin the transition, to assess how the updated framework affects existing SOX compliance activities, and then to complete a timely transition. The five-step process outlined in this feature is one approach that can support you and your team in this endeavor.
[1] J. Stephen McNally, “The Year of Internal Control: The Clock is Ticking for Sarbanes-Oxley Compliance,” Pennsylvania CPA Journal, Spring 2004, pp. 22-25.
[2] COSO news release, “COSO Issues Updated Internal Control-Integrated Framework and Related Illustrative Documents,” May 14, 2013.
[3] Tammy Whitehouse, “SEC Top Accountant Defers to COSO on Framework Adoption,” Compliance Week, June 5, 2013.
[4] Tammy Whitehouse, “SEC Drops New Hint: Update to New COSO Framework,” Compliance Week, Nov. 12, 2013.
[5] J. Stephen McNally, “The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition,” Strategic Finance, June 2013, pp. 45-52. Available for free download at www.coso.org.
[6] J. Stephen McNally, “Control Self-Assessment: Everybody Pitching in with Internal Controls,” Pennsylvania CPA Journal, Fall 2007, pp. 32-35.
J. Stephen McNally, CPA, is finance director and controller for Campbell Soup’s North American Supply Chain – Napoleon Operations in Napoleon, Ohio. McNally is a former member of the Institute of Management Accountants’ (IMA) global board of directors, IMA’s representative on the COSO ICIF Refresh Project Advisory Council, and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at firstname.lastname@example.org.
LAST UPDATED 3/3/2014