COSO Transition Still on "To-Do" Lists

by Edith Orenstein

Over 36 percent of companies have not started to ensure that their existing system of internal controls under the Sarbanes-Oxley Act is effective when measured against the updated guidance released by COSO last year, according to results of a study released on Wednesday.

The study, Keeping Pace with SOX Compliance: COSO, Costs and the PCAOB, published by Protiviti, highlights the firm’s 2014 Sarbanes-Oxley Compliance Survey, conducted with over 600 professionals.

Similarly, 42 percent of the attendees on an FEI-Protiviti webcast on Wednesday responding to a polling question said they had not yet read the "Executive Summary" of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) updated internal control framework. Another 12 percent of the webcast attendees responded that they did not know where to find or how to access the document. (NOTE: The Executive Summary of the updated COSO framework is available for download from COSO’s website, at no charge.)

These numbers indicate that, although over 60 percent of Protiviti’s survey respondents intended to transition to COSO’s updated framework this year, take-up is slow. This is particularly true for the ‘mapping’ process to demonstrate that the company’s current state of controls and documentation support a conclusion that the company’s internal control is effective based on an evaluation of the 17 principles that are newly articulated in the 2013 COSO framework.

Importantly, COSO did not require a particular documentation process, but rather emphasized the 17 principles and 5 components of internal control. As a practical matter, companies engaged in transition are 'mapping' from the current state, to the COSO 2013 framework, and identifying any gaps where either controls could be improved, or documentation of controls needs to be updated to reflect that the current system of internal control satisfies the 17 principles of internal control, in addition to the 5 core components.

As announced by COSO last year, the 2013 (updated) version of COSO's internal control framework will be considered by COSO to supersede COSO's 1992 (original) version of the organization's landmark internal control framework - followed as the 'de facto' internal control standard in the U.S. and referenced in many countries around the world - as of Dec. 15, 2014.

In remarks at USC's SEC and Financial Reporting Conference last year, SEC Chief Accountant Paul Beswick noted, "SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future."

Additionally, as noted in the minutes of a September 25, 2013 meeting of SEC staff with the Center for Audit Quality's SEC Regulations Committee, "The [SEC] staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognized framework (particularly after December 15, 2014 when COSO will consider the 1992 framework to have been superseded by the 2013 framework)."

COSO Costs and Audit Fees

Auditors as well as management are in their first year of implementing the updated COSO framework.

Keith Kawashima, managing director in Protiviti’s Silicon Valley office, said that he has heard of companies spending time mapping their existing control framework to the COSO 2013 framework, in the neighborhood of “100, 250, 300 hours.”

The net impact this year on external auditors’ fees, according to Kawashima, may be “negligible,” after taking into account that “there may be a little bit of offset” from the fact that auditors have already implemented changes that many ascribed to the PCAOB’s inspection process, which were believed to have increased audit fees last year, including as they relate to “the level of precision of controls.”

COSO's Role

Among the highlights during yesterday’s FEI-Protiviti webcast, the first in a 5-part weekly webcast series on COSO: Internal Control, Risk and Reward, were remarks from Bob Hirth, Chairman of the COSO Board, and former senior managing director and executive vice president at Protiviti.

Providing a synopsis of COSO’s history as a private sector group brought together in June, 1985 to form the Commission on Fraudulent Financial Reporting -- aka the Treadway Commission, chaired by former SEC Commissioner James Treadway -- Hirth noted that COSO’s sponsoring organizations have continued as COSO to develop guidance and issue thought papers. He also cited COSO’s due process in issuing Exposure Drafts for public comment as being a hallmark of the U.S. Securities and Exchange Commission's recognition of the COSO framework as a suitable, recognized control framework for purposes of Sarbanes-Oxley assertions.

Hirth added that all principles in COSO’s updated framework were "non-negotiable" in that "all 17 principles must be present and functioning." As detailed during the webcast, there is language in the COSO framework that considers it is possible for a principle to not be “relevant” but that is more of a rebuttable presumption.

At the same time, Hirth noted COSO’s updated framework was flexible and could be applied to internal reporting, external reporting, financial and non-financial reporting.

Top-Down, Not Bottoms Up

Jim DeLoach, a managing director in Protiviti’s Houston office, emphasized that the 17 principles need to be present and functioning, and that the 5 components of internal control must operate together. To evidence the latter, DeLoach explained, “Management can demonstrate the components operate together when internal control deficiencies across the components do not result in a determination that a major deficiency exists.” He also noted that in practice, the term ‘major deficiency’ as used by COSO is largely viewed as being the same thing as “material weakness” when applied to internal control over external financial reporting.

“I know there’s a lot of angst out there about the Points of Focus,” DeLoach commented, referencing the 87 points of focus identified by COSO in support of the 17 principles in the updated control framework. “The question is, when business people get out there, they don’t want to start with a blank sheet of paper. COSO was very careful to point out the points of focus are not required, and it’s the five components that have to be present, functioning and operating together,” for internal control to be effective.

Responding to a question from a webcast listener as to whether the COSO framework was meant to be applied ‘bottoms up’ vs. ‘top-down,’ DeLoach emphasized it was absolutely not to be applied bottoms-up, but rather, consistent with the SEC’s guidance issued in 2005 and the Public Company Accounting Oversight Board’s AS5, COSO’s updated framework was to be applied as a top-down, risk-based framework.

You Gotta Have a Plan

Kawashima emphasized that in transitioning from the COSO 1992 to COSO 2013 framework, what’s important is “Having a plan, and somebody owns execution of that plan.”

He added, “We’ve found that entity-level controls, even at well-managed, well-controlled organizations, those companies may not have done a good job of documenting those controls or control activities in a way that helps document the principle (among the 17 principles in COSO’s updated framework) is being met.”

Tune into the next four webcasts in the FEI-Protiviti COSO webcast series, to learn from Protiviti’s experts – and on the fifth webcast, FEI member Ray Purcell of Pfizer, Chair of FEI’s Working Group on COSO: Managing the Project for Success, Mapping Controls to Principles, Implications to IT Controls, and Assessing Fraud Risk and Overall Implementation Insights Panel.