As companies work to implement the updated COSO internal controls framework, they are hearing a common refrain: “mind the gap.”

That would be the gap between internal controls under the old framework and the added elements of the new one. Companies aren’t just closing that gap, though; they are also using the opportunity to take a fresh look at their entire systems of internal control. Working through the implementation of the new framework, companies are spending a lot of time talking about risk assessments, tone at the top, outside service providers, and technology, according to internal control experts who are observing and assisting with the process.

“We’re seeing a lot of companies having really robust discussion and dialogue around entity-level controls,” says Brent Olson, a director at McGladrey who has helped a number of companies map their controls to the 2013 COSO Internal Control—Integrated Framework. “The enhanced guidance in the 2013 framework, particularly around entity level controls, has provided a lot of companies a point of reference to benchmark their existing controls.”

COSO, or the Committee of Sponsoring Organizations, updated its 20-year-old framework—which nearly all U.S. public companies rely on to comply with internal control reporting requirements under the Sarbanes-Oxley Act—with the expectation that companies would transition to the new version by the end of 2014, when the old framework will be put out to pasture. The Securities and Exchange Commission hasn’t explicitly said it will require companies to adopt the updated framework, but staff members have said they defer to COSO on its time line and would expect companies to clearly disclose which framework they’re following.

The 2013 framework doesn’t drastically change the principles that must be in place to assert effective internal control as required under Sarbanes-Oxley, but it does more explicitly require all 17 articulated principles to be present and functioning in concert, says Kevin Hyams, a partner in charge at audit firm Friedman. “COSO 2013 gives equal billing to all five components and 17 principles working together,” he says.

“The enhanced guidance in the 2013 framework, particularly around entity level controls, has provided a lot of companies a point of reference to benchmark their existing controls.”
Brent Olson, Director, McGladrey

That’s perhaps more emphasis than companies and auditors historically have placed on some aspects of the framework, says Hyams, especially with respect to the control environment and control activities. “That’s not to say people didn’t have an effective control environment. Maybe they just didn’t have the evidentiary documentation, or there might have been documentation but the strong oversight by the board might not have been emphasized previously.”

Filling in the Cracks

Sandy Herrygers, a partner with Deloitte, says she sees gaps in some specific areas. “We have not seen many companies identifying principle gaps, which would be indicative of a material weakness in internal control,” she says. Instead, companies are identifying missing controls, controls that are missing specific attributes, or controls that exist but aren’t tested for design or operating effectiveness. Companies also are finding evidence gaps, or instances where controls exist but aren’t adequately documented.

The gaps are most common, Herrygers says, in controls over risk assessments, including fraud risk and change management, controls over outsource service providers, and controls over information quality. With the fresh look at internal controls, companies also are shoring up areas where there’s been some history of restatement, material weakness, or fraud, she says, such as controls around technical accounting skills, complex and non-routine transactions, and segregation of duties.


Below is an excerpt from the COSO Framework Transition Guidance.
Codified Principles. The 1992 Framework conceptually introduced 17 relevant principles associated with the five components of internal control. But these concepts were implicit in the narrative. Because they are essential in assessing that the five components are present and functioning, these concepts are now explicitly articulated in the 17 principles. The COSO board believes each principle adds value, is suitable to all entities, and therefore, is presumed relevant. If management determines that a given principle isn't relevant to the organization, it should document the rationalization.
Requirements of Effective Internal Controls. For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning. Being “present” implies a given component or principle exists within the design and implementation of an entity’s system of internal control. “Functioning” implies the component or principle continues to exist in the operation and conduct of the control system. Effective internal control also requires that all five components operate together in an integrated manner. Management can conclude they do if each component is present and functioning and the aggregation of internal control deficiencies across the components doesn’t result in one or more major deficiencies.
Source: COSO.

Mike Rose, a partner at Grant Thornton, says mapping and implementation in the past few months has led to greater focus on principles six through nine in the new framework, all supporting the risk assessment component of the framework. “Under the old framework, we had the risk assessment component, but we focused a lot on transactional level risks,” he says. “Now it’s expanded to cover risks at the entity level.”

Especially with respect to fraud risk, emphasis in the past has focused on transaction-level risks, but the framework update has driven greater attention to entity-level fraud risks, says Rose. As a result, companies are talking a lot about incentives and pressures on people within the organization, as well as the risk of misappropriation of assets or other illegal acts, he says. “The fraud risk assessment is the biggest area we’re seeing,” he says. “It’s almost across the board.”

With respect to governance or tone-at-the-top, companies are looking closely at the extent to which board oversight is emphasized and documented, says Tracy Thames, senior consultant at consulting firm RoseRyan. “We’re seeing companies that may not have called it out as an internal control, but they were still performing the exercise,” she says. As an example, boards may not have documented in meeting minutes that they have addressed certain issues within their oversight responsibility, she says, or they may need to reword control documentation to assure existing controls adequately cover points of focus highlighted in the framework.

Controls over outsource service providers also are getting a fresh look, says Olson. Many companies have relied on “service organization control” reports, or reports provided to them by outside service providers asserting their control status, as evidence of control. “Now they’re taking a more in-depth look at the controls and the monitoring of third parties,” he says.

Bill Watts, a partner at Crowe Horwath, says companies are taking a fresh look at the controls over information that goes out to third-party service providers and the information that comes back from them. “Those controls probably weren’t as formalized as they could have been,” he says.

Technology controls in general are getting a fresh look with the framework implementation, says Rose. “Where management has information coming into the financial reporting process that could be from other systems, we’re seeing more rigor around those interfaces—how we test those reports for accuracy and completeness and how those reports are utilized,” he says.

Brian Christensen, executive vice president at consulting firm Protiviti, says the biggest dialogue he hears around the new framework now centers on whether companies can get it implemented in time to rely on it for 2014 year-end reporting. “Most companies have found the effort wasn’t as onerous as they originally thought,” he says. “But some are finding the mapping of controls to the framework is taking more time or effort than they have runway or resources to complete. What are the implications if you have elected not to do it or have not completed the exercise?” Some auditors have said they will be prepared to audit under either the old or new framework to accommodate companies in both camps at year-end.

Hyams says larger accelerated filers subject to the Sarbanes-Oxley audit of internal controls had less of a leap to make from the old framework to the new one. “For non-accelerated filers with less resources, it’s quite a burden,” he says. “I’d be surprised if any accelerated filers don’t assess themselves under the 2013 framework, but it’s going to be a sliding scale from accelerated filers to smaller reporting companies, and understandably so.”