Speaking at an AICPA conference last week, PwC Partner Stephen Soske said that implementation of the updated internal control framework, COSO 2013, would have "no significant impact" on external audits. However, he emphasized that there could be an impact on the work that management and auditors may need to do around Entity Level Controls (ELCs), including Indirect ELCs. Other hot topics addressed included whether mapping to COSO's dozens of "Points of Focus" is required, and internal control considerations for Outsourced Service Providers (OSPs).
Soske, who served as project lead on the PwC team that undertook a multi-year project to update COSO's 1992 internal control framework, said that "Companies are thinking about how to demonstrate" that the 17 principles articulated in the 2013 framework are "present and functioning."
Under the 1992 COSO framework, companies needed to demonstrate that their system of internal control was effective based on five broad "core components" of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. The 2013 update adds 17 newly articulated "principles" which further describe the five core components; as described by COSO, these were "embedded" in the 1992 framework but are now called out explicitly.
"Companies are clarifying how their controls demonstrate the principles," Soske told the group, adding that there needs to be good communication between management and internal and external auditors regarding what level of evidence is needed to demonstrate ELCs. As to how much work may be entailed, Soske said, "It depends how clearly they were defined originally in using the '92 framework. If management thoroughly considered that in designing the ELC, it's not taking a lot of [time, effort]; if not, [companies are] addressing gaps."
Take a Hard Look at "Softer" Areas
Soske noted that there could be challenges in demonstrating the effectiveness of indirect ELCs in particular, adding that transition to the 2013 framework provided "opportunities to fine tune indirect ELCs," especially in some of the "softer" areas, such as those that relate to HR policies, hiring competent resources, etc.
Another panelist, William (Bill) Schneider, Director of Accounting at AT&T, concurred with Soske that more work may be necessary around some of the softer areas, citing Principle No. 4, "Commitment to Competence." Under the 1992 framework, Schneider said, "Most people looked around and said 'I have competent people' and moved on. But the real issue is, what's your process/procedure to make sure you maintain competent people over time."
Stepped-Up Requirements for Fraud Risk; Changes in Environment
"Fraud risk is a separate principle in the updated framework," noted Soske, and as a result of COSO's explicit requirement that management conduct a fraud risk assessment, he said, companies are taking a "fresh look" at how they identify potential fraud scenarios, including who is involved in assessing those risks and whether those activities are integrated into other risk assessment activities.
"Smaller enterprises may require documentation not done before," said Soske, adding that it was important that "companies document their assessment of changes in the environment." He described implementation of COSO 2013 as "an opportunity to formalize and clarify controls that identify changes in the business, think about what financial reporting risks relate to them, the likelihood those risks can manifest in the financial statements, and [how] management ensures those risks are identified and addressed."
Soske also emphasized Principle 13 in the 2013 updated framework, which relates to the use of relevant, quality information. "I would suggest COSO 2013 doesn't introduce anything new here in the context of a PCAOB engagement," he said, adding that under the '92 framework, "management had to think about this." Regarding the transition to the 2013 framework, the PwC Partner said, "It's about how to demonstrate" that management is using relevant, quality information, including the need to "evaluate sources of information for completeness and accuracy."
OSPs
In transitioning to COSO 2013, some companies have undertaken separate implementation projects. AT&T's Schneider suggested instead that the transition to the updated framework be folded into the annual SOX review: "As part of SOX, you should be doing an annual review, top-down; that's the perfect opportunity to intersperse this transition to the 2013 framework, particularly the principles and mapping." He said it could be "a little heavier process than the typical annual project, but it doesn't have to be a separate project."
One area of great interest since the 2013 framework was issued, said Schneider, is Outsourced Service Providers (OSPs). "You can outsource an activity," said Schneider, "but you can't outsource responsibility."
"Typically, an OSP won't sign your code of conduct," noted Schneider, "but you can include certain things in the contract." There is a need to think about issues like whether the OSP has a code of conduct and what's contained in it, how you interact with the OSP, and what the process should be going forward, he said.
Scott Bourgeois, vice president and Chief Audit Executive at Coca-Cola Enterprises, said, "It's about monitoring. If you're outsourcing an area and meeting with them once every two years, that may be a problem, but if you go through KPIs and stay on top of it, it provides a great deal of evidence you are monitoring that activity."
PwC's Soske added that when companies perform the risk assessment relating to financial reporting (Principle No. 8 in COSO 2013), "I encourage management to think about what the appropriate control response would be, how do you engage and monitor the outsourcer… Is it through a SOC 1 report, user controls, audit rights?"
Points of Focus Not Required, COSO Board Member Says
One of the most talked-about topics among COSO 2013 implementers is how granular companies' "mapping" exercise must be.
Specifically, some debate has arisen in the audit and preparer community over whether companies must not only map their systems of internal control to COSO's 17 "principles" but also map their controls to the more than 70 "points of focus" (POF) outlined by COSO.
The AICPAâs Chuck Landes, who serves on the COSO Board, responded to this point in no uncertain terms: Points of focus are not required.
Specifically, he said, "With respect to points of focus, what I have been hearing is there is some confusion… some have felt POF are a requirement; I want to be perfectly clear that under the COSO framework, POFs are not requirements."
"I have heard anecdotally auditors trying to impose on management a requirement to document each and every POF, and if not documented somehow, that's a control deficiency," observed Landes, adding, "Certainly from my perspective, that is not the case."
Landes explained the purpose of the POFs, and the more general requirement that should prevail.
"The whole point of POF was to provide suggestions how an entity might want to look at their particular principles… these are not requirements; in fact, from the Exposure Draft to the final (published framework), we moved POF from Chapter 3 to Chapter 4," he said. "Having said that, do I think POF provide useful information? Of course I do; it's well worth it for any organization to consider POF and think about how they might use POF to support the principles, but are they required? The answer is no."
COSO Chairman Robert (Bob) Hirth is speaking on a webcast on Dec. 16, 2014, sponsored by FEI and BlackLine Systems. Hear an update from the COSO Chairman on the day after COSO 2013 supersedes the '92 framework, with additional highlights from Grant Thornton's Mike Rose and BlackLine Systems' Susan Parcells.