The 2013 COSO Framework & SOX Compliance


One Approach to an Effective Transition
By J. Stephen McNally, CPA
Strategic Finance, June 2013

Do you work for a publicly traded company that’s subject to Sarbanes-Oxley Act (SOX) Section 404 compliance requirements? If so, odds are high that you’re familiar with the Internal Control—Integrated Framework that was published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As you know, SOX 404 requires management at public companies like Campbell Soup to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of U.S. publicly traded companies have adopted COSO’s 1992 Framework to do this.

As a quick reminder, COSO is a voluntary private-sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. Five nonprofits are its sponsoring organizations: AAA (American Accounting Association), AICPA (American Institute of Certified Public Accountants), FEI (Financial Executives International), IIA (Institute of Internal Auditors), and IMA (Institute of Management Accountants).

On May 14, 2013, COSO released an updated version of its Internal Control—Integrated Framework. Why was the Framework updated and to what end? Is adoption of the 2013 Framework required for SOX 404 compliance? How can you make an efficient and effective transition from the original 1992 Framework? How soon do you need to complete your transition? This article provides answers to these questions; an overview of COSO’s 2013 Framework, authored by PwC; and one approach, including specific steps, on how to transition an entity’s SOX compliance program to the updated Framework.

Overview

COSO’s new Framework is the result of a significant multiyear project—including two rounds of public exposure—to review, refresh, and modernize the original Framework, ensuring it remains relevant. As we all know, the world has undergone a seismic shift since 1992 that has led to dramatic business and operating environment changes. Markets continue to globalize. Business models have changed significantly, including greater use of shared services and outsourced service providers. The complexity and pace of change in rules, regulations, and standards have intensified demands on companies. Reliance on evolving technology—increasingly important in improving business performance, business processes, and decision making—continues to grow. Finally, regulators and other stakeholders have higher expectations regarding governance oversight, risk management, and the detection and prevention of fraud.
While advances have been made in better connecting risk management and internal control practices in pursuit of organizational strategic goals, the many changes since 1992 have significantly increased business risk, resulting in a much greater need for competence and accountability than ever before.

In addition, collectively we have learned lessons in applying the 1992 Framework. First, the original Framework included lengthy discussions of internal control concepts that are now institutional knowledge. Second, although the concept of internal control principles may have been embedded in the original Framework, the principles themselves were “hidden” within the details. Third, practitioners have used the Framework primarily for internal control over external financial reporting, yet the Framework encompasses three major categories of objectives, including operations, overall reporting, and compliance objectives. Thus, streamlining the original Framework; codifying the underlying principles; increasing focus on operations, nonexternal financial reporting and compliance objectives; and enhancing usability were additional drivers behind COSO’s Internal Control—Integrated Framework (ICIF) Refresh Project.

The Case for Transition

Throughout this multiyear project, the COSO Board has emphasized that the key concepts and principles embedded in the original Framework remain fundamentally sound for designing, implementing, and maintaining systems of internal control and assessing their effectiveness. Therefore, COSO will continue to make the original Framework available through December 15, 2014, at which time the 1992 Framework will be considered superseded. During this transition period—today through December 15, 2014—COSO believes continued use of the 1992 Framework is acceptable.
Entities leveraging COSO’s Internal Control—Integrated Framework for external reporting purposes during the transition period, however, should clearly disclose whether they used the 1992 or 2013 version.

In the spirit of continuous improvement, companies should periodically reassess their system of internal control over external financial reporting to identify opportunities to improve its efficiency and/or effectiveness. Leveraging COSO’s 2013 Framework, which formalizes the principles embedded in the original more explicitly, incorporates business and operating environment changes over the past two decades, and improves the Framework’s ease of use and application, is an effective way to do this.

The 2013 Framework also makes it easier for management to see what’s covered and where gaps may exist in their current SOX 404 compliance program. For example, some companies may not have fully documented their internal control application in line with COSO’s 1992 Framework. Others may have misinterpreted or misapplied the narrative in the original, thus falling short of an adequate assessment process with respect to one or more principles, or may have missed a principle outright. The updated Framework develops principles and supporting points of focus within each of the five foundational components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities. With it, management can more successfully diagnose issues and assert effectiveness regarding their internal controls and, for external financial reporting, help avoid material weaknesses or significant deficiencies. For all these reasons, I agree with the COSO Board’s recommendation that users complete their transition “as soon as is feasible under their particular circumstances.”

Table 1: Newly Released COSO Documents

Internal Control—Integrated Framework Executive Summary. Represents a high-level overview of the 2013 Framework and is intended for the CEO and other senior management, boards of directors, and regulators.

Internal Control—Integrated Framework and Appendices. This volume, approximately 175 pages, sets out the Framework in detail, defining internal control, describing the components of internal control and underlying principles, and providing direction for all levels of management in designing and implementing internal control and assessing its effectiveness. The appendices to this volume, including a glossary, specific considerations for smaller entities, summary of changes vs. the 1992 version, etc., provide additional reference but aren’t considered part of the Framework.

Internal Control—Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control. This volume provides templates and scenarios to support management in applying the Framework, specifically in terms of assessing effectiveness.

Internal Control over External Financial Reporting: A Compendium of Approaches and Examples. This compendium provides practical approaches and examples illustrating how the components and principles set forth in the Framework can be applied in preparing external financial statements. It is intended to be used as a resource for questions and research on specific principles and components rather than being read from cover to cover.

One Transition Approach

Considering that COSO’s newly released Framework represents an update of the 1992 version and that the principles and requirements of effective internal control articulated in it were encompassed in the original, we expect a relatively smooth transition at Campbell Soup. Assuming we interpreted the original Framework properly in developing our current SOX compliance program, transitioning to the 2013 Framework by December 2014 may be limited to updating the format of several summary SOX reports. We don’t expect a significant impact on our underlying SOX compliance methodology, approach, and/or key controls.

As co-lead of Campbell Soup Company’s original global SOX team in 2003 and 2004, I played a key role in defining Campbell’s SOX compliance methodology and approach. Like many companies, we selected the COSO Internal Control—Integrated Framework and then used it to assess the design and operating effectiveness of our internal controls over external financial reporting. We trained more than 300 cross-functional associates globally; designated operational and functional subteams to identify, document, and test Campbell’s controls; and addressed deficiencies as needed.

Historically, Campbell Soup has consistently embraced the importance of maintaining a solid system of internal control. Thus, our primary challenge in 2003-2004 was to effectively document and test the controls already in place, including Campbell’s control activities related to financial reporting as well as Campbell’s company-level controls overall. To address company-level controls, we sifted through COSO’s Framework and other guidance and then developed a customized template for Campbell Soup that consisted of key considerations or attributes for each of the five internal control components. Leveraging interviews with senior management and cross-functional experts as well as other evidence we collected, we documented the design and implementation and then assessed the operating effectiveness of these controls.

Even though we expect the transition from COSO’s 1992 Framework to its 2013 Framework to result in few, if any, changes, we still need to work through it. The following five-step process represents one way to navigate the transition.

STEP ONE: Develop Awareness, Expertise, and Alignment

In addition to gaining senior leadership alignment and support, the first step in transitioning to COSO’s 2013 Framework is to build internal awareness and, ultimately, expertise among the resident COSO/SOX subject matter experts in your company. To do so, you and your team should obtain and review COSO’s newly released publications, including the Internal Control—Integrated Framework Executive Summary, Framework and Appendices, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. See Table 1 for a brief overview of each of these documents.

Combined, these COSO publications represent nearly 500 pages of guidance, so you may want to leverage other tools and resources as well. Here are some documents and other resources that will help you navigate the changes introduced in the 2013 Framework and its accompanying guidance. First, in addition to the Executive Summary, recent COSO press releases, a COSO presentation deck, “Frequently Asked Questions” document, and other materials are available on COSO’s website (www.coso.org). They will provide an effective overview of COSO’s Refresh Project in general and the 2013 Framework in particular.

Likewise, the five sponsoring organizations have been supporting COSO in building awareness of the updated Framework, so a review of their respective websites may provide additional insight and perspective. Several of them, as well as other parties, will be hosting a series of webinars and/or in-person seminars, forums, and/or training sessions, many of which will be available free to the public. Also, I’m sure numerous articles and editorials over the next year or so will offer various perspectives on applying the Framework, understanding key concepts in the Framework, and transitioning to it. Your external auditor, other public companies, regulatory authorities, and other relevant parties also can be great resources. Finally, networking and building connections with peers at similar companies can benefit you and your team.

As you begin developing your awareness, the following concepts and insights may be of particular interest:

Timeless Concepts.
As noted earlier, COSO’s key concepts regarding internal control are timeless. According to COSO, “Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” The 2013 Framework still provides for three categories of objectives—operations, reporting, and compliance—and still consists of five integrated components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities. The Framework continues to be adaptable to a given organization’s structure, allowing you to consider internal controls from an entity, divisional, operating unit, and/or functional level, such as for a shared services center. Finally, the important role of management judgment in designing, implementing, and maintaining internal control, as well as assessing its effectiveness, is retained. See Figure 1 for a visual representation of COSO’s Internal Control—Integrated Framework (i.e., the updated COSO Cube).

Figure 1: The COSO Cube (components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities; objectives: Operations, Reporting, Compliance; levels: Entity Level, Division, Operating Unit, Function)

Expanded Reporting Category.
Whereas the reporting category of objectives was leveraged primarily for external financial reporting in the past, this category now explicitly and more clearly encompasses both internal and external financial and nonfinancial reporting objectives. COSO’s Framework was always intended to address a broader spectrum of business activity, but the passage of SOX Section 404 resulted in a public perception that COSO could support external financial reporting only. The 2013 Framework now explicitly permits use in these other reporting situations, even though they aren’t directly relevant from a SOX perspective.

Codified Principles.
The 1992 Framework conceptually introduced 17 relevant principles associated with the five components of internal control. But these concepts were implicit in the narrative. Because they are essential in assessing that the five components are present and functioning, these concepts are now explicitly articulated in the 17 principles. The COSO Board believes each principle adds value, is suitable to all entities, and, therefore, is presumed relevant. If management determines that a given principle isn’t relevant to the organization, it should document the rationalization. See Table 2 for a list of the principles and the associated components of internal control.

Table 2: 17 Principles

Here are the titles of the 17 internal control principles by internal control component as presented in COSO’s 2013 Framework:

CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

CONTROL ACTIVITIES
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally

MONITORING
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Please see the Framework for the actual principles and related descriptions.

Table 3: Example Points of Focus

Principle 1. The organization demonstrates a commitment to integrity and ethical values.

Supporting Points of Focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner

Requirements of Effective Internal Control.
For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning. Being “present” implies a given component or principle exists within the design and implementation of an entity’s system of internal control. “Functioning” implies the component or principle continues to exist in the operation and conduct of the control system. Effective internal control also requires that all five components operate together in an integrated manner. Management can conclude they do if each component is present and functioning and the aggregation of internal control deficiencies across the components doesn’t result in one or more major deficiencies.

Internal Control Deficiencies.
According to the 2013 Framework, a major deficiency exists if an internal control deficiency or combination thereof severely reduces the likelihood of an entity achieving its objectives. In other words, if management used its professional judgment to determine that a control objective isn’t being met because a relevant principle or associated component isn’t present and functioning, or the five components aren’t operating together, the entity has a major deficiency. Though the 2013 Framework uses and defines the terms deficiency and major deficiency, management should use relevant criteria as established by regulators, standards-setting bodies, and other relevant third parties for defining the severity of, evaluating, and reporting internal control deficiencies when reporting under those regulations or standards.

Points of Focus.
COSO’s updated Framework describes points of focus to assist management in designing, implementing, and maintaining internal control and in assessing whether the 17 principles are present and functioning. Points of focus represent important characteristics of the respective principles. (See Table 3 for examples.) Points of focus deemed relevant and suitable for a given entity, whether described in the Framework or uniquely identified by management, can help you understand the respective principles. But management isn’t required to separately assess whether they are in place. Points of focus are simply enablers; they aren’t required in order to have an effective system of internal control.

The Five-Step Transition
STEP 1: DEVELOP AWARENESS, EXPERTISE, AND ALIGNMENT
STEP 2: CONDUCT PRELIMINARY IMPACT ASSESSMENT

STEP TWO: Conduct Preliminary Impact Assessment

Once you understand COSO’s 2013 Framework, you need to assess how transitioning to it will impact your current SOX compliance program. Perhaps the most significant factor affecting your transition from the 1992 version to the 2013 version is how well management implemented the original one.

To conduct a preliminary impact assessment, you should map your existing system of internal control against the updated COSO Framework. This will help you determine the degree of work required to complete the transition.

While developing your current methodology and approach for SOX compliance, you likely invested significant time up front to define your entity’s internal control framework, starting with COSO’s 1992 Framework and then customizing it based on your company’s specific processes, financial disclosures, and risk history. Does the following scenario sound familiar?

First, management probably specified a high-level financial reporting objective and subobjectives related to pre
