Lots of people say the new COSO framework for internal control isn’t substantively different than the old COSO framework we’ve all been using for 10 years to push our way through the annual financial audit and compliance with the Sarbanes-Oxley Act. And to a certain extent, I agree with those voices.
The COSO cube looks the same. The five elements of effective internal control are the same. The people who put their brainpower to work drafting the new COSO framework remember the howls of frustration when companies adopted the old framework circa 2004, and those people took great pains to ensure this new framework is both useful and relatively easy to implement. Nobody wanted another debacle like the one compliance officers of a certain age will remember from those first days of SOX.
So I get it, when the wise people say COSO 2.0 really isn’t any different than COSO 1.0, and it doesn’t ask you to do anything you shouldn’t already be doing.
And yet, it does.
That thought keeps returning to me as I listen to compliance officers, external auditors, regulators, and others ushering us into this new era of COSO implementation. In the Thai language, the expression used for the word “similar” translates back into English as “same same but different”—almost identical, but not quite. That fits here.
The new COSO framework gives you the ability to put more emphasis on entity-level controls, and clearly the Securities and Exchange Commission and the Public Company Accounting Oversight Board want companies to put more emphasis on those controls. Where in years past we saw huge amounts of time and effort piled into control activities, now the 17 principles underlying COSO 2.0 allow you to put more focus on other elements of effective internal control—namely, the control environment and information & communication. That’s new. That is what’s going to drive compliance officers and internal auditors nuts.
The easy example here is the first element of effective internal control, the control environment. The five principles behind the control environment are these:
Demonstrate commitment to integrity and ethical values;
Ensure the board exercises oversight responsibility;
Establish structures, reporting lines, authorities, and responsibilities;
Demonstrate commitment to a competent workforce;
Hold people accountable.
I’ve asked multiple people how a company demonstrates commitment to integrity and ethical values; what’s the evidence and documentation you should show your audit firm to prove that? One stock answer is to look at the Code of Conduct, and I see why people would suggest the Code as one piece of evidence.
Except, of course, Enron had a great-looking Code of Conduct too, and look what good that did the company. (And its external audit firm, the now-extinct Arthur Andersen.) You will need to do better than that, and so far I haven’t heard many other compelling examples. So would you show completion rates for training? Because that strikes me as a rather routine, check-the-box type of evidence too.
Or should you be bold and submit evidence of business deals you canceled when someone asked for a bribe? How about minutes from a board meeting where the CEO argued for slowing expansion into overseas markets to ensure good business practices? That’s the sort of action that demonstrates a commitment to the spirit of ethical culture, and the sort of evidence that regulators at the SEC or Justice Department want to see.
It is also very, very different than the type of evidence most compliance or internal audit departments collect on a regular basis. (I won’t even get into evidence for the principle of “demonstrates commitment to a competent workforce.” The cynics will have a field day with that one.)
My other question about the new COSO framework is buried in the Information & Communication element, where several needs converge into one messy challenge. Start with the premise that the new framework puts more emphasis on entity-level controls. That means the compliance (or internal audit) team will be dealing with more people outside the traditional finance function: marketing, finance, sales, legal, IT.
Dealing with many more people, however, means a greater emphasis on version control for all the policies, procedures, testing, and documentation you do to prove your internal control is effective. And also remember that if we’re following the party line for systems of effective internal control, those folks in the business units are responsible for proper execution of those controls; compliance and internal audit only ensure those controls exist and operate as intended. It’s still Frank in sales, or Jane in the Latin America division, who actually operate them.
All that sounds like a meltdown in information and communication just waiting to happen. I don’t know that auditing this element of the COSO framework will be as elusive as auditing the control environment—rather, it might become as painstaking and complicated as auditing segregation of duties in the Control Activities element.
Same same, but different. Let us know how your journey goes.