Accounting & Auditing Update

Public company auditors are suggesting that companies voluntarily submit to an independent cyber-security examination separate from the existing financial statement audit. Tammy Whitehouse explores a new process for examining and reporting on a company’s cyber-security risk management.

At Compliance Week’s annual conference this week, Jose Tabuena, chief compliance officer for NextHealth, advocated for the three lines of defense model. “I’ve worked with the accounting firms and those working with the COSO framework, and I find three lines of defense easier to explain,” he said. “The board may have limited time, and you have to explain a lot in that limited time. I don’t think the COSO cube does it.” More inside.

As new leadership takes the helm at COSO, the board is considering whether it can help sort out ongoing tension over public company internal control reporting.

When COSO unveils the draft update to its Enterprise Risk Management framework (possibly by late April), it will propose companies take risk considerations to the highest level in an entity’s strategy-setting and decision-making processes. The framework update exercise is expected to advance the idea, says COSO Chairman Robert Hirth, that risk should be governed and controlled within companies much the way internal controls are governed under COSO’s Internal Control – Integrated Framework.

COSO expects to publish a draft of its Enterprise Risk Management Integrated Framework in the first quarter of 2016. First released more than a decade ago, COSO opted to make updates in light of modern business conventions and practices. COSO Chairman Bob Hirth says, “It will be a more structured document, much like the updated internal control framework.” Details inside.

COSO, author of the most widely accepted internal control framework in the United States has released a new guide meant to help companies beef up their fraud risk management. More from Tammy Whitehouse.

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, has unveiled a proposed redraft of its 2004 ERM framework. “We wanted to create a more robust focus on risk in the strategic planning process,” says PwC Partner Dennis Chesley, a lead partner for the revision project. Tammy Whitehouse reports.

COSO has published an addendum to its ERM framework to illustrate examples of how to apply the framework to real situations.

COSO has released its newly revised enterprise risk management framework, giving companies a new tool to consider in building out their ERM approaches.

COSO is urging companies to look at its framework with not just financial controls in mind, but cyber-security as well. A paper from the Committee details how the five components of internal control apply to the assessment of cyber-risks, with discussion on how the principles underlying the risk assessment, control activities, and information and communication components can be leveraged.

Sustainability reporting is breaking new ground in attaching itself to traditional financial reporting after an advocate has formed some new relationships.

COSO is looking for feedback on draft guidance regarding how its ERM framework can be used to manage risks in environment, social, and governance areas.

Companies struggling with information technology controls may gain tips from ISACA’s new guidance on scoping and assessment ideas for IT-related aspects of the COSO framework. “This latest guide will help professionals align with these changes in the industry,” said Ken Vander Wal, former ISACA president.

Formalized, comprehensive approaches to ERM are not terribly baked into corporate practices, according to a recent study by the accounting profession.

Up to one-third of companies may not be implementing the new COSO framework for their 2014 financial reporting, and one-fourth don’t know when they will implement the framework.

With more than 3,000 filings collected through early April, three-fourths of publicly traded companies have disclosed that they have adopted the 2013 COSO internal control framework, with the rest either remaining on the 1992 framework or not disclosing what framework they followed, according to a study published by Protiviti.

Apparently thumbing their noses at internal control requirements, four public companies have now settled charges with the SEC over prolonged failures to maintain ICFR.

A handful of holdouts are still disclosing they comply with SOX internal control reporting requirements by following a defunct COSO framework.

The accounting profession is getting some new tools to deploy in their growing involvement with addressing cyber-risk.