Heads Up — Challenges and leading practices related to implementing COSO’s "Internal Control — Integrated Framework"
by Jennifer Burns, Deloitte LLP; and Sandy Herrygers, Deloitte & Touche LLP
Introduction
In response to a confluence of regulatory statements and standard-setting activities (e.g., by COSO,¹ the PCAOB, and the SEC), companies, audit committees, auditors, and regulators have increased their focus on internal control over financial reporting (ICFR). Statements by representatives from the SEC and PCAOB have emphasized that companies and auditors should increase the attention they give to internal control. For example, in a December 2013 speech, SEC Deputy Chief Accountant Brian Croteau stated the following:
As we maintain or increase the intensity of our focus in [ICFR] . . . I remain convinced that at least some of the PCAOB’s inspection findings related to the audits of internal control over financial reporting are likely indicators of similar problems with management’s evaluations of ICFR, and thus potentially also indicative of risk for unidentified material weaknesses [and] I continue to question whether all material weaknesses are being properly identified. . . . This could be either because the deficiencies are not being identified in the first instance or otherwise because the severity of deficiencies is not being evaluated appropriately.
And in a March 2014 speech, PCAOB Board Member Jeanette Franzel noted:
We are currently in a “perfect storm” in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain. Management, internal auditors, and external auditors will be navigating the updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) “Internal Control — Integrated Framework” at the same time that external audit firms are taking steps to respond to PCAOB inspection findings associated with their audits of internal control.
Since COSO issued its Internal Control — Integrated Framework (the “2013 Framework”) in May 2013,² management teams have been taking steps to implement it in accordance with COSO’s transition guidance.
While the 2013 Framework’s internal control components (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities) are the same as those in the 1992 Framework, the new framework requires companies to assess whether 17 principles are present and functioning in determining whether their system of internal control is effective. Further, the 17 principles are supported by points of focus, which are important considerations in a company’s evaluation of the design and operating effectiveness of controls to address the principles. These changes will drive the need for a different deficiency evaluation process. From an ICFR perspective, when one or more of the 2013 Framework’s 17 principles are not present and functioning, a major deficiency exists, which equates to a material weakness under Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX 404”).³ In addition, it is important to recognize that entity-level controls are generally indirectly related to the financial statements and therefore are more difficult to quantitatively evaluate than direct process-level controls. Entity-level controls are also typically more tailored to the size, complexity, and risk profile of the organization and therefore their evaluation is more qualitative.
While companies use COSO’s framework in connection with SOX 404 compliance and ICFR, a significant trend has emerged regarding extending its application to other regulatory or operational risks. Overall, companies have both an impetus and an opportunity to use their implementation of the 2013 Framework as a means to objectively reevaluate their internal controls, identify areas of improvement and synergies, and identify opportunities for systematically managing regulatory, operational, and reporting risks.
This Heads Up discusses issues related to the timing of implementing the 2013 Framework as well as implementation challenges and leading ICFR practices. It also provides observations and perspectives regarding applying the 2013 Framework for operational and regulatory compliance purposes. See Deloitte’s June 10, 2013, Heads Up for an overview of the 2013 Framework.
Implementation Timing
Questions have arisen about whether companies are required to adopt the 2013 Framework in the current year. COSO provided transition guidance that recommends adoption of the 2013 Framework by December 15, 2014, at which time the 1992 Framework will be superseded. The SEC requires companies to use a “suitable, recognized control framework.”⁴
Most companies are moving forward with adopting the 2013 Framework this year, in accordance with COSO’s transition guidance. They have cited a number of reasons for doing so, including:
- Boards, audit committees, and management teams desire to demonstrate the use of the latest guidance and leading practices from COSO.
- The principles and points of focus used in the 2013 Framework provide a clearer explanation of the components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities) than the older framework. Evaluating the state of an organization’s internal control against the principles and points of focus may provide value to organizations by streamlining and enhancing the effectiveness of systems of internal control (i.e., mitigating risks).
- Companies do not want to be perceived as being behind their industry peers, which are likely to be adopting in the current year.
- Adopting the 2013 Framework in accordance with COSO’s transition guidance may be expected by investors, bankers, industry regulators, and other stakeholders.
These companies have their gap assessment under way right now, with a target to have the gap assessment and initial testing of ICFR completed by the end of the third quarter. This leaves the fourth quarter for remediation of internal control gaps and retesting. This timing helps ensure an efficient and effective ICFR attestation process for management at year-end.
We have observed some instances in which companies have decided to continue to apply the 1992 Framework for the current calendar year. Their decisions were generally based on consultations with a number of stakeholders, including the board, audit committee, and internal and external auditors. Regardless of their decision, companies should clearly disclose in their annual assessment of ICFR whether they used the 1992 Framework or the 2013 Framework.
Editor’s Note: Under SEC rules (17 CFR Section 240.13a-15(c)), the “framework on which management’s evaluation of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.” PCAOB Auditing Standard 5⁵ states that the “auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company’s internal control over financial reporting.” As a result, the timing of when the auditor makes the transition to the 2013 Framework for auditing ICFR will depend on the timing of the company’s transition. We believe that in a manner consistent with the approach for disclosing the exact COSO framework used in management’s ICFR assessment, it would be appropriate to indicate in the auditor’s report the exact framework used.
Implementation Challenges and Leading Practices
As companies work their way through the implementation process, some may resort to a checklist approach in complying with the new framework. To truly unlock the value that can be achieved by adopting the 2013 Framework, management should take a step back and evaluate how it is addressing the risks to its organization in light of the company’s size, complexity, global reach, and risk profile. In companies’ implementation of the 2013 Framework, there is a difference between doing the minimum to address the framework’s principles and doing the right thing to effectively address the principles. Companies that choose to do the right thing will unlock the value, reduce fraud risk, avoid financial reporting surprises, and support sustained business performance over the long term.
The table below summarizes the 2013 Framework’s principles by component, and the paragraphs that follow discuss common challenges that companies are experiencing as they work to implement the framework for SOX 404 purposes as well as leading internal control practices that may help address the implementation challenges.
Demonstrating an Effective Ethics Program (Principles 1, 2)
As organizations evolve and change, their ethics programs may become stale or inadequate, and compliance with them may become “check the box” exercises. In addition, although many organizations have established ethics programs, they do not always address financial reporting or ICFR. Enron’s code of conduct was widely acknowledged to be world-class at the time of the fraud scandal that ultimately ended the company and affected so many. In material fraud cases, there are often other alternate and conflicting messages in addition to those about integrity and ethical values. In many cases, the pressure on earnings and the personalities delivering alternate messages are so strong that they overpower the organization’s message on integrity and ethical values. The tone that pervades such organizations can become a factor in employees’ decisions to commit and rationalize fraud that they might not otherwise entertain. When it comes to tone at the top, actions speak louder than words.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| As organizations evolve and change, their ethics programs may become stale or become “check the box” exercises. Further, although many organizations have established ethics programs, they do not always focus on integrating their financial reporting and ICFR expectations. Organizations often: | Control environment: |
| | Information and communication: |
Risk Assessment, Including Performing an Effective Fraud Risk Assessment (Principles 7, 8)
Management’s attention to risk assessment may be focused more on operational or regulatory risks than financial reporting risks; and in the context of financial reporting, it may be focused more on safeguarding assets and fraud, such as theft of inventory or fraudulent expense reporting (which generally represents only about 3 to 4 percent of the material frauds actually identified⁶), than on the risk of fraudulent financial reporting. Carefully identifying the entity’s fraud risks, particularly when earnings pressures and aggressive incentive compensation programs exist, is an important part of a fraud risk assessment. In addition, management often does not adequately consider industry-specific risks and potential fraud schemes as part of the fraud risk assessment. For example, the potential for management override of internal control and financial reporting areas involving significant judgment and estimates should be specific areas of focus in a fraud risk assessment related to ICFR.
Because the risk assessment underpins the design and implementation of controls, an incomplete or ineffective risk-assessment process can have a significant effect on the effectiveness of ICFR. Further, significant errors or deficiencies (individually or in the aggregate) may indicate that the principles related to the risk-assessment component were not effective.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| As organizations evolve and change, their risk-assessment process may become stale, and making updates, if they are made at all, may have become a “check the box” exercise. In addition, the entity’s risk assessment may focus on operational or regulatory matters without adequately taking into account risks related to financial reporting and ICFR. In addition, with respect to fraud risk assessments, an entity may: | Risk assessment: |
| | Control activities: |
Identifying Changes and Appropriately Factoring Them Into the Risk-Assessment Process (Principle 9)
Change creates risk; therefore, management should implement processes that enable it to identify and evaluate changes affecting the organization on a timely basis. While companies typically have robust change processes for IT systems, they often lack a defined process for managing other changes that could affect financial reporting, which may originate externally (e.g., new accounting requirements) or internally (e.g., accounting for nonroutine or complex transactions, business process redesign or centralization, or outsourcing to service providers). Sometimes the roles and responsibilities associated with these changes and the related controls are spread across multiple parties and are not effectively monitored. In addition, many companies underemphasize the importance of providing employee training on these new roles and responsibilities during the transition period, thereby creating a risk of ineffective internal control.
In practice, material weaknesses are frequently related to these changes and result in part from both an inadequate assessment of the related risks and insufficient deployment and monitoring of the controls that directly address the risks.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| | Control environment: |
| | Risk assessment: |
| | Control activities: |
| | Information and communication: |
| | Monitoring activities: |
Segregation of Duties (Principles 10, 11)
Many management teams and boards rightly worry about the risk that employees will collude to commit fraud. However, management’s failure to segregate duties appropriately across multiple systems or manual processes poses the unique risk that employees will be able to commit fraud or conceal fraudulent activity without collusion. The opportunity to commit fraud and the likelihood of its occurrence are much greater when collusion is not necessary, as when duties are not appropriately segregated. This is particularly true in the era of large enterprise resource planning (ERP) systems, which individually process a substantial number of financial transactions. Detective controls alone, which may be imprecise and more operationally focused, are, by their nature, often ineffective in preventing or detecting fraud, especially since many material acts of fraud are not the result of a single material transaction and only become material in the aggregate over time.
Deficiencies in segregation of duties have been a common root cause of material weaknesses and material acts of fraud. The following are a few examples of the numerous public-company internal control disclosures reported over the past 10 years about material weaknesses involving such deficiencies:
- “Specifically, the company identified deficiencies with respect to controls over segregation of duties, restricted access, changes to vendor and customer master data, transaction level and financial close which aggregated to a material weakness in internal control over financial reporting.”
- “[There are] material weaknesses related to ineffective segregation of duties and general information technology controls to restrict user access and to review the development, change management, and maintenance of system applications.”
- “[The failure to perform adequate user acceptance testing before implementing an ERP application] resulted in an inadequate segregation of duties and inadequate controls over approval of certain journal entries based on the roles assigned to users of the ERP.”
- “[Material weaknesses identified in management’s assessment include the] absence of proper segregation of duties within significant accounts and processes and ineffective controls over management oversight, including antifraud programs and controls.”
- “Material weaknesses in internal control over financial reporting [were] related to . . . lack of segregation of duties and weakness around timely and consistent management review of financial statements.”
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| | Control environment: |
| | Risk assessment: |
| | Control activities: |
| | Monitoring activities: |
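The segregation-of-duties discussion above stresses that conflicts arise across multiple systems, not just within one ERP role set, and that detective review alone is a weak answer. The following is an added example, not part of the original Heads Up and not a Deloitte or COSO tool: it aggregates a user's entitlements from several systems into business duties and checks them against a conflict matrix. The system names, role names, duty names, conflict pairs, and user assignments are all constructed assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments
aggregated from several systems (example code; all names are constructed)."""
from collections import defaultdict
from itertools import combinations

# Which business duties each (system, role) grants. Constructed mapping for a
# hypothetical ERP, bank portal and CRM; a real mapping comes from the
# organisation's own role design.
ROLE_DUTIES = {
    ("erp", "AP_CLERK"): {"create_vendor", "enter_invoice"},
    ("erp", "AP_MANAGER"): {"approve_payment"},
    ("erp", "GL_ACCOUNTANT"): {"post_journal_entry"},
    ("erp", "GL_REVIEWER"): {"approve_journal_entry"},
    ("erp", "AR_CLERK"): {"issue_credit_memo"},
    ("bank_portal", "PAYMENT_RELEASE"): {"release_payment"},
    ("crm", "SALES_ADMIN"): {"maintain_customer_master"},
}

# Pairs of duties that one person should not hold at the same time, because
# holding both lets a single individual both initiate and approve or conceal
# a transaction (constructed conflict matrix).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"maintain_customer_master", "issue_credit_memo"}),
}


def aggregate_duties(assignments):
    """assignments: iterable of (user, system, role).

    Returns {user: {duty: {(system, role), ...}}} so that every duty can be
    traced back to the access that grants it, across all systems.
    """
    duties = defaultdict(lambda: defaultdict(set))
    for user, system, role in assignments:
        for duty in ROLE_DUTIES.get((system, role), ()):
            duties[user][duty].add((system, role))
    return duties


def find_conflicts(assignments):
    """Return a sorted list of (user, duty_a, duty_b, sources) for every
    conflicting pair of duties a user holds, with the granting accesses."""
    findings = []
    for user, duties in aggregate_duties(assignments).items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in SOD_CONFLICTS:
                sources = sorted(duties[a] | duties[b])
                findings.append((user, a, b, sources))
    return sorted(findings)


# Constructed sample: alice's conflict only appears when ERP and bank-portal
# access are viewed together; bob's sits entirely inside the ERP.
SAMPLE_ASSIGNMENTS = [
    ("alice", "erp", "AP_CLERK"),
    ("alice", "bank_portal", "PAYMENT_RELEASE"),
    ("bob", "erp", "GL_ACCOUNTANT"),
    ("bob", "erp", "GL_REVIEWER"),
    ("carol", "erp", "AP_CLERK"),
    ("dave", "crm", "SALES_ADMIN"),
    ("dave", "erp", "AR_CLERK"),
]

if __name__ == "__main__":
    for user, a, b, sources in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {a} + {b} granted via {sources}")
```

Running the check over only the ERP assignments reports bob but not alice, which is the point made in the text: a per-system review misses conflicts that are created by combining access in different systems, so the aggregation step is what makes the control precise enough to rely on.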
Effective Design of Management Review Controls (Principles 10, 12, 13, 16)
Management’s design of processes and controls typically consists of both preventive and detective controls (e.g., management review controls). However, management may be overrelying on such controls for SOX 404 purposes since they are often not precise enough on their own to detect material misstatements, particularly smaller or systemic errors that could aggregate into a material amount. Sometimes there is an operational bias in these controls (e.g., controls comparing actual to budget); while a control may identify a potential error when a variance occurs, it may not be designed to identify errors when a variance does not exist. For this reason, the design of management review controls and evidence of their operational effectiveness have been a significant area of focus for management, auditors, and regulators, particularly with respect to management review controls related to estimates and the application of U.S. GAAP to new or infrequent transactions or events.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| Management may overrely on a management review control that is not sufficiently precise, as in the following examples: | Control environment: |
| | Control activities: |
| | Information and communication: |
| | Monitoring activities: |
Outsourced Service Providers (Multiple Principles)
Given the significant increase in outsourcing relationships for information, business processes, and IT, internal controls related to outsourced service providers (OSPs) have become critical. While most companies have processes in place for evaluating SSAE 16⁸ reports obtained from service organizations to address the control activities component of the 2013 Framework, most user organizations lack formal and auditable controls to address the OSP considerations related to the other four components of the framework (e.g., controls over the communication of expectations regarding the code of conduct, responsibilities, and authority; and controls for monitoring service-level agreements and communications). In addition, companies may directly record significant journal entries based on reports from OSPs without appropriate monitoring mechanisms to determine whether those reports are materially accurate and complete. It is important for management to establish robust monitoring controls over OSPs. Without such controls, there could be unfortunate surprises late in the year when SSAE 16 reports are delivered, such as unexpected report qualifications.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| | Control environment: |
| | Risk assessment: |
| | Control activities: |
| | Information and communication: |
| | Monitoring activities: |
Information Quality (Principle 13)
Financial reporting misstatements may result from inappropriate reliance on erroneous data or reports, which could be triggered by failures in design or operational effectiveness related to any of the following:
- Controls over source data (i.e., manual or automated controls).
- Controls over interfaces and data transfers.
- Indirect general IT controls (GITCs) that support the reliability and integrity of system-generated information.
Sometimes, companies either lack appropriate controls for addressing the risks associated with important information on which they depend for SOX 404 purposes or fail to identify and test the controls over such information. A solution to this problem is ensuring that management has specific controls in place over data, including non-system-generated reports and data to and from OSPs. In addition, companies need to look beyond basic GITCs and also focus on the process-level controls over financial reporting information and data.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
| | Control activities: |
| | Information and communication: |
| | Monitoring activities: |
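Both the OSP section and the Information Quality section above call for controls that establish a report or data transfer is complete and accurate before entries are recorded from it. The example below is added here and is not code from the original Heads Up or from any provider: it is a completeness-and-accuracy check over a batch file received across an interface, using a trailer record that carries the sender's record count and a hash total of the amount column. The file layout, field names, and sample rows are constructed assumptions; a real provider's report format would be different, but the control logic (count, control total, field validation, duplicate detection) is the same.

```python
"""Completeness-and-accuracy check for a batch file received over an
interface (for example from an outsourced service provider) before its
contents are posted. Example code; layout and sample data are constructed."""
import csv
from datetime import datetime
from decimal import Decimal, InvalidOperation
from io import StringIO

# Constructed sample batch: "D" detail rows (reference, date, amount) followed
# by a "T" trailer row carrying the sender's record count and hash total.
SAMPLE_BATCH = """\
D,INV-1001,2014-09-30,1250.00
D,INV-1002,2014-09-30,-75.50
D,INV-1003,2014-09-29,300.00
T,3,1474.50
"""

# Same batch with one detail row lost in transfer (constructed failure case).
SAMPLE_TRUNCATED = SAMPLE_BATCH.replace("D,INV-1002,2014-09-30,-75.50\n", "")


def parse_batch(text):
    """Split the file into detail rows and the trailer row (None if absent)."""
    details, trailer = [], None
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if row[0] == "D":
            details.append(row)
        elif row[0] == "T":
            trailer = row
    return details, trailer


def check_batch(text):
    """Return {'ok', 'count', 'total', 'exceptions'} for the batch.

    ok is True only when the record count and hash total agree with the
    trailer and every detail row passes field validation.
    """
    details, trailer = parse_batch(text)
    exceptions = []
    if trailer is None:
        return {"ok": False, "count": len(details), "total": None,
                "exceptions": ["missing trailer record"]}

    expected_count = int(trailer[1])
    expected_total = Decimal(trailer[2])
    total = Decimal("0.00")
    seen = set()

    for row in details:
        if len(row) != 4:
            exceptions.append(f"malformed row: {row!r}")
            continue
        _, ref, date, amount = row
        if ref in seen:
            exceptions.append(f"{ref}: duplicate reference")
        seen.add(ref)
        try:
            datetime.strptime(date, "%Y-%m-%d")
        except ValueError:
            exceptions.append(f"{ref}: invalid date {date}")
        try:
            total += Decimal(amount)
        except InvalidOperation:
            exceptions.append(f"{ref}: non-numeric amount {amount!r}")

    # Completeness: did every record the sender produced arrive?
    if len(details) != expected_count:
        exceptions.append(
            f"completeness: {len(details)} records received, trailer says {expected_count}")
    # Accuracy: were the amounts altered or lost in transit?
    if total != expected_total:
        exceptions.append(f"accuracy: hash total {total} != trailer {expected_total}")

    return {"ok": not exceptions, "count": len(details), "total": total,
            "exceptions": exceptions}


if __name__ == "__main__":
    for name, batch in (("clean", SAMPLE_BATCH), ("truncated", SAMPLE_TRUNCATED)):
        result = check_batch(batch)
        print(name, "ok" if result["ok"] else result["exceptions"])
```

The exceptions list is what an owner of the control would review and evidence; a batch with any exception is held rather than posted. Because the check is tied to values the sender produced independently, it catches a dropped or altered record regardless of whether the resulting variance happens to look reasonable against budget.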
Internal Control Design Evaluation (Multiple Principles)
If the design of entity-level controls is not fully evaluated, deficiencies in such controls may be overlooked. Given the requirement to separately determine whether each of the 17 principles in the 2013 Framework is present and functioning, entity-level controls are important foundational controls. In our experience, the majority of gaps are identified as a result of evaluating the design of controls and the ability of management, internal auditors, and external auditors to test those controls rather than as a result of performing a mapping exercise (i.e., mapping current controls to the 2013 Framework). It is important that management conduct a robust design evaluation to improve its internal controls and support its ICFR attestation.
| Common Implementation Challenges | Leading Internal Control Practices |
|---|---|
Using the 2013 Framework for Operational and Regulatory Compliance
Use of the 2013 Framework for operational and compliance purposes (in addition to ICFR) is a growing trend among companies. Implementing the updated framework provides a good opportunity, regardless of how mature a company’s system of internal control may be, to take a fresh look at internal controls with the potential for creating value for the organization. Improvements in the effectiveness of a company’s system of internal control can lead to more efficient operations, greater compliance rates, and more effective internal management reporting. Examples of voluntary uses of the 2013 Framework include the following:
- Banking regulatory compliance — While most banking and capital markets firms have used the COSO internal controls framework to design their SOX 404 ICFR compliance system, many are now taking a broader view of the updated framework. Many banking and capital markets firms are applying the principles of the COSO framework to design quality-assurance review functions over other areas, including operational and regulatory reporting. For more information about compliance trends in the financial services industry, see Deloitte’s In Focus: Compliance Trends Survey 2014.
- Cybersecurity — Every organization faces a variety of cyber risks from external and internal sources. Cyber risks are evaluated against the possibility that an event will occur and adversely affect the achievement of the organization’s objectives.
  Principle 6 in the 2013 Framework provides several points of focus that give organizations perspective on how to evaluate their objectives in a manner that could influence the cyber risk-assessment process.
  Because a cyber risk assessment informs decisions about control activities that are deployed against information systems and assets that support an entity’s objectives, it is important that senior management and other critical stakeholders drive the risk-assessment process to identify what must be protected in alignment with the entity’s objectives. For additional information, see Deloitte’s Changing the Game on Cyber Risk.
- Supply-chain risk management — As a result of certain regulatory and operational risks such as food and product safety, conflict minerals, and consumer discontent with product performance, companies have increased their focus on proactively identifying and managing risks in the supply chain. Supply-chain risks are becoming board-level strategic risks for many companies. Accordingly, many companies are assessing their current risk exposure, implementing more formal governance structures, and designing more disciplined approaches to managing risks in the supply chain. These activities can help companies position their supply chain as a competitive advantage, manage regulatory risk, reduce or eliminate operational surprises, reduce the cost of doing business, and make informed capital allocation decisions. For more information, see Deloitte’s From Risk to Resilience: Using Analytics and Visualization to Reduce Supply Chain Vulnerability.
- Vendor management — The application of the 2013 Framework to vendor management programs for OSPs to support their operations and compliance objectives (in addition to financial reporting objectives) can provide the necessary discipline to address an increasingly complex array of operational and compliance risks. Further, this discipline can enable organizations to control or reduce costs, mitigate risks, and drive service excellence. As a result, companies are using the 2013 Framework’s concepts to establish new programs or enhance existing ones. Such enhancements include but are not limited to:
  - Ensuring that the OSPs understand management’s commitment to integrity and ethical values.
  - Incorporating risks originating in the OSPs in the company’s risk assessment process.
  - Developing monitoring procedures for key performance indicators related to service-level agreements as a means of identifying issues.
- Change management — Principle 9 of the 2013 Framework can broadly help a company effectively manage internal controls related to operational or regulatory changes. Companies may want to consider developing a process to apply Principle 9 and related concepts when major changes are identified to sustain and continuously improve internal controls related to operational or regulatory compliance.
Editor’s Note: For additional examples of applying the 2013 Framework for operational and compliance purposes, see Deloitte’s March 2014 Audit Committee Brief.
Use of the 2013 Framework outside the financial reporting context can provide helpful and necessary discipline to boards and audit committees as they address the increasingly complex array of risks they oversee. It can also provide management with a consistent and efficient framework to define, implement, and monitor its control structure and help it continually improve its overall risk management processes.
1 COSO is the Committee of Sponsoring Organizations of the Treadway Commission. In May 2013, COSO updated its Internal Control — Integrated Framework, which was originally issued in 1992.
2 The 2013 Framework and Illustrative Tools can be purchased from the AICPA Store. An executive summary of the 2013 Framework is available for free on COSO’s Web site.
3 The 2013 Framework contains the following new guidance on a major deficiency in internal control:
“When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.
A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.”
4 SEC Exchange Act Rule 13a-15(c).
5 PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements.
6 See Deloitte’s Ten Things About Financial Statement Fraud.
7 Information produced by the entity.
8 AICPA Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.