Companies are preparing for the year-end audit and are still putting the finishing touches on their adoption of a new framework for internal controls over financial reporting. That work could have benefits elsewhere, say audit experts who are already advising companies on other uses of the framework beyond external financial reporting.
The Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations in 2013 is about to replace COSO’s 1992 edition when the old one, officially at least, ceases to exist at the end of 2014. COSO updated the 1992 framework to bring it in line with current business practices, especially to reflect the modern uses of technology in business. COSO also wanted to state more explicitly that all 17 principles of control described in the framework must be present and functioning for an entity to assert its controls are operating effectively.
Many public companies are in the process of adapting their control structures to the new framework in time for year-end audits, although the Securities and Exchange Commission has not definitively said it requires companies to adopt the updated version this year. That has led some auditors and companies to conclude they can spend another year studying it and its implications for the company’s control environment before updating controls to reflect it.
Kenneth Blomster, a risk assurance partner with PwC, said at the Compliance Week West conference in San Francisco last week that companies on the early end of adopting the framework are giving thought to what else they might be able to do with it beyond using it to update their financial reporting controls. “As risks, regulations, and controls have become more and more complex, the expectations of others have become greater,” he said. “How do you maintain and control against other risks the company faces?” COSO 2013 can help, he said.
The COSO framework is not specific to financial reporting, although the greatest focus now is on financial reporting because it has become the de facto path to achieve compliance with the Sarbanes-Oxley Act in the past decade. In its executive summary, COSO says the new framework provides management with “an opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives.”
Speaking at the same conference, COSO Chairman Bob Hirth pointed out that the framework applies to both external and internal financial reporting and to financial and non-financial reporting. That gives it applicability to instances where companies are reporting internally or reporting on non-financial issues as well, beyond the requirements of Sarbanes-Oxley.
Blomster and Aaron Garcia, director in risk assurance at PwC, pointed out a number of other areas where elements of COSO 2013 can apply, such as divisional financial reports, customer profitability analyses, bank covenant calculations, sustainability reports, supply chain or custody-of-asset reporting, staff or asset utilization reporting, customer satisfaction measures, or health and safety measures, and even compliance with the Foreign Corrupt Practices Act, sector-specific regulations, and employment or environmental laws. Such reporting and compliance efforts may be required internally for management purposes, externally for other regulatory purposes beyond Sarbanes-Oxley, or by other contractual agreements.
“Compliance is the easiest area to apply this,” said Blomster. “There’s a level of rigor and specificity that is expected. But when you are applying the principles to other objectives, you can vary that. You have broader latitude in terms of the judgment to exercise.”
QUESTIONS FOR MANAGEMENT
Below is an excerpt from the COSO presentation given by Kenneth Blomster, PwC partner in risk assurance, and Aaron Garcia, PwC director in risk assurance, at the recent CW West conference.
Expectations of internal control have been expanding, demanding that organizations design systems of internal controls responsive to an exceedingly complex universe of risks. Such a broader view underpins COSO’s revised Internal Control Framework. The updated Framework lays a foundation for organizations to integrate internal control systems throughout the organization. By aligning internal control with the organization’s most important operational, reporting and compliance objectives, companies can achieve numerous synergies and establish a common framework for evaluating internal controls throughout the organization.
Has your company historically used the COSO Internal Control Framework for purposes of reporting on Sarbanes Oxley (SOX)?
Is your monitoring of internal controls designed to achieve compliance, operations and internal reporting objectives aligned with your monitoring of internal controls over external financial reporting?
Is your organization subject to numerous regulations? Have you developed processes and controls to ensure compliance with those regulations?
Are your organization’s non-Internal Control Over Financial Reporting (ICFR) controls subject to regulatory criteria (e.g., Health Insurance Portability and Accountability Act (HIPAA), Basel)?
How effective are your organization’s IT governance processes at producing strategic business value and meeting the needs of your business and your customers?
Does management employ disparate financial and planning systems (e.g., Financial Systems, Enterprise Resource Planning, Customer Relationship Management (CRM), multiple spreadsheets with multiple interfaces, etc.) in managing the business?
CHANGE-DRIVERS: Has Your Organization Experienced:
Major Business Changes - Growth, restructurings, new markets, products, and partners—which introduce new risks?
Increasing Regulatory Oversight and Scrutiny - Increasing regulator expectations as to the strength of operating effectiveness of Enterprise Risk Management (ERM) frameworks?
Greater Complexity in Operating Models and Structures - Taking on new service providers or other partners which change the company’s risk profile?
Increased Reliance on Technology - New uses of existing technology and new tech investments which may impact risks?
New and Evolving Expectations for Non-Financial Reporting - Stakeholders and regulators seek greater transparency and confidence in reporting processes?
Business Failures and Reputational Risk Events - Businesses in many industries need to rebuild trust with customers and stakeholders?
Source: CW West.
Garcia said the list of possible applications in some highly regulated sectors is extensive. In pharmaceuticals, for example, elements of the COSO cube might apply to physician transparency reporting, trade compliance, Medicaid rebate compliance, U.S. and international privacy laws, and other Food and Drug Administration regulations. In financial services, think of the fraud imperatives—such as anti-money laundering and know-your-customer requirements, or various Dodd-Frank Act initiatives, third-party risk management, and many others. “Organizations can take advantage of the framework to drive a common language,” he said. “It’s about getting to the right people, identifying risks, specifying the objectives, and responding to those. A lot of that process has been outlined in the framework.”
Garcia and Blomster acknowledged not many companies have gotten very far on applying the framework beyond internal control over financial reporting, but the wheels are spinning. “We hear a lot of companies asking, ‘Once we get this done, how can we leverage the framework further?’” said Blomster. Interest is greatest, he said, in those highly regulated industries where companies have numerous regulatory imperatives to manage. “About one-third to one-half of the companies I talk to say this does resonate with them.”
Tom Fox, a Houston-based attorney who focuses on FCPA compliance, said at the conference that companies would be wise to consider applying the COSO 2013 framework to their FCPA efforts. “We are moving toward a standard where if you don’t have internal controls in place for an anti-corruption policy, that’s an FCPA violation,” he said. “And the internal control standard the SEC is going to be most comfortable with is the COSO framework.”
The COSO framework could even be applied to elements of a company’s Enterprise Risk Management system, said Blomster, although the internal control framework does not address strategic objectives and so would fall short of fully addressing ERM. COSO has a separate ERM framework and is in the early stages of updating it as well, much like the process it followed to update the internal control framework. “The internal control framework is like a sub-component of the ERM framework,” said Blomster. COSO launched a survey recently to start gathering input.
Originally issued in 2004, COSO’s ERM framework predates 2009 rules from the SEC for companies to enhance proxy disclosures on risk, compensation, and corporate governance. Hirth acknowledged the drive to update the ERM framework stems in part from increased regulatory focus both in the United States and abroad on risk disclosures. “We know around the world there is a lot more focus on ERM, so we need to challenge the status quo,” he said. “So are we taking advantage of what’s happening? Yes. We need to assure the framework is updated, and there’s some modernization we can do.”