Implementing COSO: Evolutionary, Not Revolutionary

by Edith Orenstein

FEI members leading implementation of COSO's updated internal control framework say the key to an efficient and effective implementation is recognizing changes are "evolutionary, not revolutionary."

Three financial executives, speaking on a webcast sponsored by FEI and BlackLine Systems, described their companies' efforts to implement the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2013.

Moving to adopt COSO 2013, which supersedes COSO’s 1992 framework forming the basis of Sarbanes-Oxley assertions on internal control, is a process of “evolution, not revolution,” emphasized Ray Purcell, director of financial control at Pfizer. Purcell chaired FEI’s Working Group on COSO, and served alongside FEI President and CEO Marie Hollein, FEI’s representative on the COSO board, as a member of the COSO Project Advisory Group.

Although the 17 principles of internal control “are probably the most remarkable aspect of the 2013 framework,” he said they “probably are not all that new,” since the beginnings of a principles-based listing started with COSO’s Small Business Guidance. Purcell also advised that for purposes of the Sarbanes-Oxley effectiveness test:

  1. You need to have all the principles covered. All the components have to operate together (in the aggregate); and
  2. Your evaluation of deficiencies is the same as before. You only have a significant deficiency if you have a material weakness under SEC/PCAOB definitions.

Some additional points Purcell noted about the implementation of COSO 2013:

  • You may not have as much documentation of the board’s role as you did of senior management’s role. Consider beefing up documentation here.
  • There may be a need for additional documentation of the principle regarding management’s commitment to attract, develop and hold individuals accountable.
  • Fraud risk assessment by management (Principle 8) has been elevated to a principle. Management needs to be sure there is a rigorous risk assessment process for thinking about potential fraud scenarios.
  • Under Principle 9, consider whether you have documented your consideration of changes impacting risk effectively.
  • Under Principle 12, controls must be documented through policies and procedures.

Interplay Between PCAOB and COSO

The webinar speakers noted there appears to be interplay between PCAOB inspection reports, a report PCAOB issued last year on internal control issues, and recent PCAOB speeches, particularly one by PCAOB Board Member Jeanette Franzel, and opportunities to use the updated COSO framework to address some of the PCAOB’s concerns.

“As to IT General Controls testing reports, that particular aspect of (COSO Principle 11) is certainly getting focus at Pfizer, and I assume [it's] similarly under scrutiny elsewhere,” said Purcell.

“Maybe the most problematic of the five COSO components is Information and Communication – how it is affected through policies and to support other components. Do people have the info they need, and is it reliable? How does the company ensure that?”

Purcell continued, "To some extent, info and communication may be more readily evaluated by – do we have control failures in the system of internal controls? If we have a control failure, we are doing root cause analysis. Insights from COSO 2013 are going to be put to good use going forward.”

Points of Focus: What’s the Point?

Purcell explained that each of the principles is accompanied by a group of attributes or characteristics, called "points of focus," designed to offer additional implementation or compliance guidance.

"The 87 points of focus are not always going to be relevant in all situations, but they are certainly going to be useful," Purcell said. "I think it is really useful in the mapping exercise to think about how your existing controls relate to the principles. I am not as sold on using them to assess the design or effectiveness of your controls.”

He emphasized that “There is no requirement to use them to assess (principles, components, and the effectiveness of your controls), that is the key takeaway.”

"In the mapping exercise, we have used the points of focus as a way to make a connection between our existing controls at a relatively high level.”

Purcell added that Pfizer is preparing a “pro forma” report to be presented to management and its auditors for review as they move forward with the COSO 2013 implementation.

Project Planning, Rolling Out to Other Departments Key

Martha Magurno, Director, Internal Control Compliance, Dow Chemical, said that at her company the transition to COSO 2013 was led by the internal control compliance group, part of Corporate Controllers, due to the close relationship between COSO and the Sarbanes-Oxley 404 process.

She noted her group has formally engaged in COSO 2013 transition discussions with the I.T. groups as well as Human Resources, but further documentation may be needed to track to the specific principles in COSO 2013.

Additionally, Magurno noted that Principle 14 emphasizes communications, and that includes interacting with the audit committee in its oversight role.

“We have engaged in a COSO 2013 readiness assessment with our auditor, and are conducting a joint dry run of evaluation of [our] design and operating effectiveness,” said Magurno.

After the webcast, Magurno explained the company is conducting an internal “dry run” during the third quarter to fine-tune its process.

Magurno added during the webcast that Dow was very willing to understand its auditors’ challenges, and to incorporate “hot topics” identified by auditors and the PCAOB.

Approaches Will Vary

The basic internal controls that formed an effective system of internal control prior to COSO publishing its 2013 framework were largely in place, as many COSO board members and regulators have said. The ‘mapping’ exercise that companies are undertaking is largely designed to document that their existing systems of internal control, which satisfied the five core components of internal control under COSO 1992, also can be shown to satisfy the 17 Principles in COSO 2013.

Steve Forrest, Assistant Controller at Raytheon, led into his remarks by saying, “Internal control is not new, the five core components of internal control are not new, nor is complying with Sarbanes-Oxley Section 404. And, using professional judgment is not new. When we started our mapping exercise, we didn’t have an attitude the sky is falling, and run around and ring the fire alarm.”

Forrest said the documentation is not a "check the box" exercise, but a thorough mapping that also provides an opportunity for companies to take a fresh look at their control environment.

How companies approach mapping will differ greatly, said Forrest, depending on a company’s approach to COSO 92, and how frequently their controls were updated.

“Similar to what Martha mentioned,” he added, “from the beginning, we knew what we wanted to focus on, specifically ICFR. We knew that piece needed to be specifically reported on and concluded on by our CEO and CFO, and audited by our external auditor, so we didn’t want to start too broad and then narrow in.”

Forrest also said Raytheon found the points of focus to be helpful. “We started at a high level, we started to do internal reviews, at first, it was hard to see that linkage. Throughout the process, the COSO material was helpful, the templates, the compendium dealing specifically with Internal Control over Financial Reporting, as well as the illustrative tools.”

The COSO framework, including the separate volumes referenced by Forrest, can be ordered from COSO's website at , from the Guidance tab. FEI members can obtain a discount in ordering COSO books by using discount code FEIIC. Companies in need of additional tools for documentation can contact the webcast sponsor, BlackLine Systems.

'Novel' Approach Not Recommended

Forrest suggested that finance executives not plan on reading the COSO documentation from beginning to end like a novel, but instead look for easy wins or changes to implement.

“As we got into it a bit, we laid out a clear timeline to internal audit and external audit. We told the audit committee when we thought we’d be done. It took basic project management, making sure we didn’t catch internal or external audit off guard,” said Forrest.

“We did see some areas where we did see the documentation needed to be enhanced, echoing what Ray said, a great phrase: COSO 2013 was an evolutionary change from the '92 framework, vs. a revolutionary change.”

Keep up with COSO at