A panel at FEI’s Current Financial Reporting Issues conference, described by moderator John Neuman, global financial accounting director, Dow Chemical Company, as a ‘dream team’ of COSO 2013 implementation, reviewed key topics including the impact of the updated internal control framework on Sarbanes-Oxley Section 404 assertions, such as the determination of material weaknesses, common implementation ‘gaps’ identified by auditors, and implications for outsourced service providers.
Panelists Ray Purcell, director financial controls, Pfizer, and Steve Forrest, assistant controller, Raytheon Company, shared key learnings from their companies’ respective COSO implementations.
Purcell, who chaired FEI’s Working Group on COSO and served on COSO’s advisory task force that oversaw development of the updated framework, said, “I think COSO largely achieved their goal,” with the update to the 1992 framework being an opportunity to review controls and make improvements.
Purcell said COSO sought feedback from constituents and decided an update to the original framework was warranted, rather than starting with a blank page. “The important thing is, throughout, the PwC team [that drafted the new guidance, under the oversight of the COSO board and advisory task force], along with the advisory team and board, focused on maintaining management’s role in the process of selecting controls and evaluating deficiencies.”
What’s changed?
“In order to have an effective system of internal control,” emphasized Purcell, “you have to have all [17] principles – that is one very important ramification of the change to a principles-based model.”
Areas that received additional emphasis in COSO 2013, said Purcell, included:
- Outsourcing
- The role of the corporate board
- Control environment
- Element of fraud as an express component of risk assessment
- Updated discussion of I.T. and Information/Communication
Sarbanes-Oxley Reporting
COSO’s definition of effective internal control, according to the updated framework, requires that each of the five components of internal control (carried forward from the 1992 framework) is present and functioning, as well as each of the 17 principles articulated in the 2013 framework.
Even if none of the principles, in isolation, has a major deficiency, said Purcell, it is important to consider whether, in the aggregate, there is any pervasive issue or theme that raises a concern relating back to one of the principles or components. In that case, consideration should be given to whether there is a significant issue.
Another member of the ‘dream team’ panel, Jennifer Burns, partner, Regulatory and Professional Matters, Deloitte, who served on COSO’s Advisory Task Force with Purcell, had a lively interchange with Purcell on consideration of the 17 principles in identifying any major deficiencies or material weaknesses while evaluating the effectiveness of internal controls.
“The transition to COSO 2013 doesn’t change a conclusion of a material weakness” for Sarbanes-Oxley reporting, said Purcell, noting that COSO was explicit in directing companies to use regulatory guidance (e.g., the SEC definition of material weakness) in issuing regulatory reports on internal control.
However, from an auditor’s perspective, Burns noted, “Even if we use definitions from the SEC, what is different (in COSO 2013) is the use of the principles. COSO says if a principle is not met, you have a major deficiency; we would say you have a material weakness.”
Purcell stated, “I don’t believe you can get to a ‘major deficiency’ and a COSO definition of ‘ineffective internal controls’ without a material weakness being present,” as measured using the SEC’s definition of material weakness. He also repeated that, “All principles must be present and functioning.”
“We are saying the same thing,” observed Burns, noting, “You said the 17 principles need to be present and functioning. We also believe you have to follow the SEC’s definition of material weakness; it’s a matter of doing both of those things at the same time.”
Raytheon’s Forrest described his company’s approach to managing implementation of the updated COSO framework, starting with an initial education and communication phase with senior management and the audit committee.
“In late 2013-early ‘14, we did a high-level assessment of the principles, to make sure nothing large was missing,” noted Forrest. “In the first half of 2014, we did quite a detailed ‘mapping’ of existing controls to the 2013 COSO framework, with an emphasis on effectiveness and efficiency. We looked at this as an end-to-end process from an efficiency standpoint, knowing we would have to hand it to our auditors as they look at our controls.”
COSO 2013 included not only 17 principles, but articulated over 70 additional ‘points of focus’ that further explain the principles. Forrest added, “As Ray mentioned, while the points of focus were not specifically required, we found them a great way to document compliance with the standards.”
“Ray mentioned and stressed the importance of judgment,” said Forrest, emphasizing, “This is a management process. You don’t want to approach it as a checklist; it’s more about understanding what this framework is trying to do, and [whether] the controls meet those objectives.”
“It’s a very judgmental process; we had regular dialogues/discussions with our auditors, to make sure we agreed, or at least didn’t disagree” on aspects of their COSO 2013 implementation and assessment.
All three panelists noted companies and auditors may have previously focused on the “control activities” component a great deal, and that under the 2013 COSO framework, there was increasing emphasis on the other components of internal control (control environment, risk assessment, information and communication, and monitoring).
Forrest added Raytheon decided to use the customizable templates that came with the COSO framework, which they modified to review key controls aligned with the 17 principles, points of focus, and related documentation.
“Don’t get overwhelmed by the 550 pages or so,” of COSO 2013, said Forrest; “Don’t plan to read it as a novel, read the Executive Summary… [then] you can jump around.”
PCAOB Messaging to Auditors
Forrest added, “One thing we found helpful – the document the PCAOB issued a little over a year ago: finding deficiencies by the auditors.”
He added Raytheon ‘elevated’ certain controls that demonstrate principles and points of focus in the updated COSO framework. Also, he noted the increased emphasis on qualitative as well as quantitative risk assessment in the updated framework.
All in all, said Forrest, “We really didn’t need to create much, just to document it.”
Burns noted that Deloitte has identified four categories that some common “gaps” fall into, once companies map their existing controls to COSO 2013: (1) ‘principle’ gap, e.g. some companies deciding they need to add a key control, (2) control attribute gap (relating to a point of focus), (3) control testing gap – e.g. if a company now needs to put testing of a particular control into scope for Sarbanes-Oxley purposes, and (4) control evidence gap.
Additionally, some particular areas of challenge, as noted in a Deloitte “Heads Up” summary published in September, include demonstrating an effective ethics program, risk assessment, segregation of duties, design of management review controls, outsourced service providers, and other key controls.
As to remediating gaps, Burns advised:
- Have a remediation plan
- Prioritize the gaps
- Design and implement whatever controls you need in place
- Test operating effectiveness of those controls
How Big a Task?
As Neuman opened up Q&A with the audience, he asked: “Assume we had very good controls under the ‘92 framework and everything maps over, I am hearing there is still going to be a significant amount of audit effort – Jennifer, are you going to need to spend more effort to assess controls?”
Burns said, “I will give the typical answer from Washington D.C. — ‘It depends.’ At a minimum, for every engagement we’ll have to increase documentation because of the 17 principles – and evidence for all the components, not just control activities.”
Purcell noted, “We had a conversation with our audit firm about how much additional effort in year one around transition; we worked with them about creating documentation” that would address the auditor’s needs as well. “We have 50 additional controls,” said Purcell, and, “the internal audit team audited that, to show they were present and functioning. I don’t think our auditors at KPMG will look at all 50 of them every year. Our expectation is there is not a very significant level of change in the fees.”
Forrest added, “Because we didn’t change much, it’s not a significant change, other than year-one effort.”
When COSO released its updated framework, the private sector group announced it would view the 2013 framework to “supersede” its original, 1992 framework, as of Dec. 15, 2014.
An audience member asked, “Our auditor indicated some companies might not be ready to move forward to COSO 2013 this year-end. Is it OK to say you are still using the 1992 framework?”
Burns replied that although the COSO board stated the 1992 framework would be superseded by the 2013 framework on December 15, 2014, “The SEC didn’t say through rulemaking whether they expected companies to adopt” the updated framework as of the December 15, 2014, date.
“What we’ve been hearing, through informal speeches, is that the SEC will accept 10-Ks filed under the 1992 framework.” She added, “You won’t find that on the SEC website, only in speeches... SEC rules say that a company has to use an acceptable, suitable framework.”
However, she added, “It’s hard in my view to say the 1992 framework is acceptable and suitable if COSO said it’s been superseded.”