COSO Internal Control Patrol Says Mind Your ELCs, POFs, OSPs


by Edith Orenstein

Presenters at the AICPA Conference on Current SEC and PCAOB Developments offered several insights into future key implementation issues surrounding Committee of Sponsoring Organizations of the Treadway Commission's (COSO) updated internal control framework.

Speaking at an AICPA conference last week, PwC Partner Stephen Soske said that implementation of the updated internal control framework COSO 2013 would have "no significant impact" on external audits. However, he emphasized there could be a potential impact on the work that management and auditors may need to do around Entity Level Controls (ELCs), including Indirect ELCs. Other hot topics addressed included whether or not mapping to COSO's dozens of "Points of Focus" is required, and internal control considerations for Outsourced Service Providers (OSPs).

Soske, who served as project lead on the PwC team that undertook a multi-year project to update COSO's 1992 internal control framework, said that "Companies are thinking about how to demonstrate" that the 17 principles articulated in the 2013 framework are "present and functioning."

Under the 1992 COSO framework, companies needed to demonstrate that their system of internal control was effective based on five broad "core components" of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. The 2013 update adds 17 newly articulated 'principles' that further describe the five core components. As COSO describes them, the principles were already 'embedded' in the 1992 framework but are now called out explicitly.

"Companies are clarifying how their controls demonstrate the principles," Soske told the group, adding that there needs to be good communication between management and internal and external auditors regarding what level of evidence is needed to demonstrate ELCs. As to how much work may be entailed, Soske said, "It depends how clearly they were defined originally in using the '92 framework. If management thoroughly considered that in designing the ELC, it's not taking a lot of [time, effort]; if not, [companies are] addressing gaps."

Take a Hard Look at ‘Softer’ Areas

Soske noted that there could be challenges in demonstrating the effectiveness of indirect ELCs in particular, adding that transition to the 2013 framework provided "opportunities to fine tune indirect ELCs,” especially in some of the "softer" areas, such as those that relate to HR policies, hiring competent resources, etc.

Another panelist, William (Bill) Schneider, Director of Accounting at AT&T, concurred with Soske that more work may be necessary around some of the softer areas, citing Principle No. 4, "Commitment to Competence." Under the 1992 framework, Schneider said, "Most people looked around and said 'I have competent people' and moved on. But the real issue is, what's your process/procedure to make sure you maintain competent people over time."

Stepped up Requirements for Fraud Risk; Changes in Environment

"Fraud risk is a separate principle in the updated framework," noted Soske. As a result of COSO's explicit requirement that management conduct a fraud risk assessment, he said, companies are taking a 'fresh look' at how they identify potential fraud scenarios, including who is involved in assessing those risks and whether those activities are integrated into other risk assessment activities.

"Smaller enterprises may require documentation not done before," said Soske, adding it was important that "companies document their assessment of changes in the environment." He described implementation of COSO 2013 as "an opportunity to formalize and clarify controls that identify changes in the business, think about what financial reporting risks relate to them, the likelihood those risks can manifest in the financial statements, and [how] management ensures those risks are identified and addressed."

Soske also emphasized Principle 13 in the 2013 updated framework, which relates to the use of relevant, quality information. "I would suggest COSO 2013 doesn't introduce anything new here in the context of a PCAOB engagement," he said, adding that under the '92 framework, 'management had to think about this.' Regarding the transition to the 2013 framework, the PwC Partner said, "It's about how to demonstrate" management is using relevant, quality information, including the need to "evaluate sources of information for completeness and accuracy."

OSPs

In transitioning to COSO 2013, some companies have undertaken separate implementation projects. AT&T's Schneider suggested folding the transition into existing work instead: "As part of SOX, you should be doing an annual review, top-down, that's the perfect opportunity to intersperse this transition to the 2013 framework, particularly the principles and mapping." He said it could be "a little heavier process than the typical annual project, but it doesn't have to be a separate project."

One area of great interest since the 2013 framework was issued, said Schneider, is Outsourced Service Providers (OSPs). "You can outsource an activity," said Schneider, "but you can't outsource responsibility."

“Typically, an OSP won’t sign your code of conduct,” noted Schneider, “but you can include certain things in the contract.” There is a need to think about issues like whether the OSP has a code of conduct and what’s contained in it, how you interact with the OSP, and what the process should be going forward, he said.

Scott Bourgeois, vice president and Chief Audit Executive at Coca-Cola Enterprises, said, "It's about monitoring. If you're outsourcing an area and meeting with them once every 2 years, that may be a problem, but if you go through KPIs and stay on top of it, it provides a great deal of evidence you are monitoring that activity."

PwC's Soske added that when companies perform the risk assessment relating to financial reporting (Principle No. 8 in COSO 2013), "I encourage management to think about what the appropriate control response would be, how do you engage and monitor the outsourcer… Is it through a SOC 1 report, user controls, audit rights?"

Points of Focus Not Required, COSO Board Member Says

One of the most talked-about topics among COSO 2013 implementers is how granular companies’ "mapping" exercise must be.

Specifically, some debate has arisen in the audit and preparer community over whether companies must not only map their systems of internal control to COSO's 17 "principles" but also map their controls to the more than 70 "points of focus" (POF) outlined by COSO.

The AICPA’s Chuck Landes, who serves on the COSO Board, responded to this point in no uncertain terms: Points of focus are not required.

Specifically, he said, "With respect to points of focus, what I have been hearing is there is some confusion … some have felt POF are a requirement; I want to be perfectly clear that under the COSO framework, POFs are not requirements."

“I have heard anecdotally auditors trying to impose on management a requirement to document each and every POF, and if not documented somehow, that’s a control deficiency,” observed Landes, adding, “Certainly from my perspective, that is not the case.”

Landes explained the purpose of the POFs, and the more general requirement that should prevail.

"The whole point of POF was to provide suggestions how an entity might want to look at their particular principles… these are not requirements; in fact, from the Exposure Draft to the final (published framework), we moved POF from Chapter 3 to Chapter 4," he said. "Having said that, do I think POF provide useful information? Of course I do; it's well worth it for any organization to consider POF and think about how they might use POF to support the principles, but are they required? The answer is no."

COSO Chairman Robert (Bob) Hirth is speaking on a webcast on Dec. 16, 2014, sponsored by FEI and BlackLine Systems. Hear an update from the COSO Chairman the day after COSO 2013 supersedes the '92 framework, with additional highlights from Grant Thornton's Mike Rose and BlackLine Systems' Susan Parcells.