

Keeping Your Controls Under Control: COSO Turns One

by Edith Orenstein

Companies are in the throes of implementing COSO’s updated internal control framework, relied upon for Sarbanes-Oxley assertions and more, by year-end, when the year-old framework supersedes the original version.

The updated framework contains 17 principles and additional points of focus further elucidating the original five core components of COSO’s framework, and includes other updates to reflect changes in the business environment over the 20+ years since the original framework was released in 1992.

To mark the one-year anniversary of the release of COSO’s updated Internal Control-Integrated Framework, published on May 14, 2013, representing the first cover-to-cover update of the landmark internal control COSO framework, FEI Daily interviewed some leading financial executives and auditors for their top recommendations on implementing the new framework.

COSO, as it has continued to be known, continued with the support of its “sponsoring” organizations: the American Institute of CPAs, the American Accounting Association, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.

FEI Daily: What’s the best advice you’d give financial executives right now, as they are in the midst of implementing COSO’s updated internal control framework?

Marie N. Hollein, President and CEO of FEI, and FEI’s Representative on the COSO Board: I believe it’s a healthy exercise for our members to not only reframe their mindset from just the five core components of internal control, which have stood the test of time, to the 17 principles of internal control in COSO’s updated framework. They should roll up their sleeves, kick the tires, see what shakes loose, and leverage this opportunity to review and update their internal control systems with the 17 principles and additional guidance contained in COSO’s updated framework in mind.

FEI Daily: Can you comment on concerns by some financial executives and others that some auditors may be taking an overly granular approach to requiring documentation of ‘mapping’ and other evidence behind each of the 87 ‘points of focus’ supporting the 17 ‘principles’ in COSO’s updated framework?

Hollein: COSO’s updated internal control framework, like the original framework, will continue to rely on the strength of its being a principles-based framework. COSO’s intent is NOT for its framework to become a checklist, and while there are many avenues for implementation, including mapping from the ’92 to the 2013 versions of the framework, the facts and circumstances at each company will vary. COSO did not prescribe, and is not in the business of prescribing, any minimal ‘mandatory’ documentation or evidentiary requirements.

We respect that our auditors, who perform a vital function, have professional standards for gathering sufficient and competent evidence; however, I remind our members that COSO’s updated framework is in its first year of implementation, and it is reasonable to have conversations with auditors around what constitutes reasonable documentation of a company having the five core components of internal control, the 17 principles of internal control, and an effective system of internal control in place overall.


COSO’s Legacy Updated

In 2015, the Committee of Sponsoring Organizations of the Treadway Commission will celebrate the 30th anniversary of the founding of the Commission on Fraudulent Financial Reporting, chaired by former SEC Chairman James Treadway – which came to be known as the “Treadway Commission.”

We invited comment from the current and immediate past Chairmen of COSO, Bob Hirth, Dave Landsittel and Larry Rittenberg.

FEI Daily:  How do you believe the role of COSO’s Internal Control framework has evolved, in terms of its hierarchy within the landscape of internal control guidance, (as well as best practices or guidance in governance, risk and compliance) over the years since the 1992 internal control framework was first published?

Robert (Bob) Hirth, Chairman, COSO Board:  I think COSO should really be proud of the acceptance of its internal control framework around the world as evidenced by translation into seven languages in addition to English, and the adoption of it by essentially all U.S.-listed companies for section 404 of SOX. And then the reference to, and selected use of, the COSO ICF concepts in countries such as China, Japan and Korea in their own public company financial reporting regulations. The revised ICF has simply made a great piece of thought leadership even better.

Larry Rittenberg, PhD, Past Chairman of COSO: In 1992 my primary role was that of an educator.  The 1992 COSO ICIF changed the landscape from one based only on control activities and a yes/no checklist on controls, to one that considers all five components of effective internal control.  All major auditing and control textbooks were changed, as was the way we educate students.  The framework is very strong conceptually and, in my view, the concepts are the basis for the widespread global acceptance we have seen.  David Landsittel was masterful in getting global participation in the 2013 update of the framework.

FEI Daily:  As we approach the 30th anniversary of the founding of the Treadway Commission, how do you believe COSO as an organization has evolved, and what are your personal thoughts on its potential paths for the future?

Hirth: Well, since its formation in 1985 and release of the original internal control framework, COSO has evolved a lot in my view. This is evidenced by the development of the additional frameworks for smaller public companies, ERM and Monitoring, along with the many research papers on its mission topics which have been issued and widely used. The COSO board and its sponsoring organizations are totally committed to carrying on this tradition of excellence with its unique approach and many publication partners. Simply put, COSO has helped tens of thousands of organizations become more effective in the areas of governance, operations, reporting, risk, control and compliance.

David Landsittel, Immediate Past Chairman, COSO: With its first issuance in 1992, and with the very helpful subsequent input by our authors and stakeholders, COSO's internal control framework guidance has moved the ball forward from a narrow thinking about internal controls focusing on accounting and financial reporting to a wider understanding that good controls -- broadly applied to operations, compliance and reporting -- are a necessary element in the success of all organizations.

I am very confident that our stakeholders and sponsoring organizations will help us continue to advance the state-of-the-art forward -- for example, providing thought leadership insights about some of the behavioral issues impacting the quality of internal control and risk management.

Larry Rittenberg, PhD, Past Chairman COSO:  I am very pleased you asked about the Treadway Commission report because we too often link it only to the development of the COSO Internal Control, Integrated Framework.  Two things are often overlooked.  First, it was a very well-done and comprehensive research report.  Second, it laid out significant recommendations for the profession (preparers and auditors) that unfortunately were not immediately acted on by the profession.  The many proactive recommendations included: strengthening the qualifications of audit committees, strengthening and reporting on internal control, strengthening internal and external audit, as well as standard setting. COSO has evolved to engage the world community with more than research reports and frameworks to various 'thought papers' designed to increase the dialogue around fundamental approaches.  I look forward to COSO continuing its global reach as a thought leader related to governance, risk management, fraud prevention/detection, and internal control.

Implementation: The Practitioner’s Perspective

We asked members of FEI’s Working Group on COSO who reviewed and commented on the exposure drafts of what became COSO’s updated framework to share some of their early reactions to the implementation efforts at their companies.

FEI Daily:  What is the one most crucial piece of advice you’d give to other financial executives as they move to implement COSO 2013?

Ray Purcell, Director, GRCC Financial Controls Center of Excellence, Pfizer Inc.; FEI Member Representative on COSO Project Task Force, and Chairman, FEI Working Group on COSO: My advice is: Take a reasonable approach – don’t overdo this. This shouldn’t be a complete overhaul of the system of internal controls – no major projects, consultants, or mountains of documents are required. COSO 2013 is an opportunity to review your controls and make some enhancements, but this is more of a continuous improvement initiative than reengineering.

Steve Forrest, Assistant Controller, Raytheon: The one most crucial piece of advice you’d give to other financial execs as they move to implement COSO 2013 is as follows: Since management's assertion in the internal control report required by Section 404 of Sarbanes-Oxley covers the effectiveness of internal control over external financial reporting, make sure you focus in on this objective when implementing COSO 2013.

Martha Magurno, Director of Internal Control Compliance, Dow Chemical:  As we applied the COSO 2013 Framework to Internal Control over External Financial Reporting (ICEFR) and began mapping existing internal controls to the new principles, we found that some of the existing controls, while important, did not specifically support external reporting objectives. By challenging our previous thinking and considering the concepts described in each of the points of focus, we have been able to reduce the number of documented controls in some areas, while strengthening the linkage of the remaining controls to our external financial reporting objectives.

Rick Brounstein, Managing Director, The CFO Network:  If this is your first time addressing SOX, which is true for many of the emerging growth companies here in Silicon Valley, my advice is to map first to the five  components and then explode that into the 17 principles.  The challenge now is meeting all 17 principles, even if one has no Sarbanes-Oxley Section 404(b) audit requirement.

Ron Kral, CPA, Managing Partner, Candela Solutions LLC: Do not procrastinate with implementation and take the 17 principles seriously.

FEI Daily: Can you explain more how COSO is relevant to private companies contemplating going public? 

Brounstein: I see this in IPOs, even though no SOX certification is included in the S-1, that very next 10-Q needs a 302 certification, and even though that is not the same thing as a Sarbanes-Oxley Section 404 assertion, it very much relies on COSO.

Sri Ramamoorti, PhD, Chair of FEI’s Committee on Governance, Risk and Compliance (CGRC): Look at both inputs and outputs/outcomes of systems of internal control: on the input side, people are an integral part of the control system; when competence goes down, risk goes up. On the output/outcomes side, (continuous) monitoring and adapting to change are extremely important to ensure that the system of internal control continues to remain effective over time.


Advice from Auditors, Consultants

FEI Daily: What is the one most crucial piece of advice you’d give to financial execs as they move to implement COSO’s updated internal control framework?

Jim DeLoach, Managing Director, Protiviti, Inc.: Regarding the implementation of the new framework, the most important thing I can think of is the need to apply it with a top-down, risk-based focus and approach.  Applying the framework as a checklist is not what COSO intended.

Trent Gazzaway, National Managing Partner of Audit Services, Grant Thornton LLP:  For companies that have high-quality and efficient internal control documentation and evaluation procedures, the updated COSO Framework provides an easy-to-adapt, clean and understandable structure that will help them maximize the value of good internal control. For other companies, the framework provides an excellent roadmap to both improve the internal control system and the efficiency of the evaluation process.

Sharon L. Todd, Principal, KPMG:  An SEC registrant's transition to the COSO 2013 Framework in connection with management's ICOFR assessment presents an opportunity for the entire business, not just the compliance group, to assess the efficiency and effectiveness of business processes and the design and implementation of controls to mitigate risks.  Benefit from the effort; do not treat this as a check-the-box compliance exercise.

Sandy Herrygers, Partner, Deloitte & Touche LLP: As you are implementing the new COSO framework for internal control over financial reporting, take a ‘fresh look’ at your risk assessment and internal controls, specifically considering areas where others have experienced material weaknesses, restatements and/or material fraud.  Further, considering the ever changing and expanding risk universe in today’s marketplace, I recommend companies expand their use of the new COSO framework into other operational and compliance areas, such as cyber, quality, and/or regulatory reporting, where an internal control failure can significantly affect business results, and then you can maximize your return on the new COSO framework.

Learn More

Check out the five-part weekly webcast series beginning Wednesday, May 28, taking place from 12:00 noon – 1:30 pm ET, 1.5 CPE each, no registration fee, sponsored by Protiviti and FEI, entitled:  COSO: Internal Control, Risk and Reward.