Whether or not a company adopted the new COSO framework last year, plenty of companies will be taking yet another look at internal controls this summer either to shore up gaps or finally to put the new framework into place.
The majority of public companies appear to have already implemented the 2013 Internal Control Integrated Framework, which superseded the original 1992 framework at the end of 2014. Based on the earliest adoption data from Audit Analytics and Protiviti, it looks like only 25 percent of publicly traded U.S. companies still used the 1992 framework through the end of last year.
Audit experts close to the implementation efforts say now is the time for non-adopters to get busy, but even those who did implement the new framework last year will have some review work to perform this year.
“We will see some people rethinking their controls,” says Sara Lord, a partner with McGladrey. Some companies scrambled near the finish last year, she says, and documentation may not have been as complete as one would normally like. “We’ll see companies revisiting some of those decisions,” she says.
Those revisions are likely to focus on some specific, vexing areas of internal control, such as management review controls. “We’re still evolving as a profession,” Lord says. “We’re still trying to find the right approach and the right implementation.” Where companies did move forward, the implementation process provided some intelligence on areas where companies found gaps in controls, especially around fraud risk and the use of outside service providers, experts say.
“Under the 1992 framework, the fraud risk assessment was more at the transactional level,” says Mike Rose, a partner at Grant Thornton. “Under the 2013 framework, this was the first time companies took an organization-wide look.” Principle 8 in the 2013 framework establishes a more explicit requirement to consider the risk of fraud at the entity level. “Companies have found there’s still a little more work to do there,” he says.
Some companies did find that entity-level fraud risk was an area where they did have adequate controls, but didn’t have those controls adequately documented and tied to the framework, Lord says.
Alisanne Gilmore-Allen, a consultant at RoseRyan, agrees that the fraud risk assessment at many companies may require more work. “Companies may find some gaps in identifying and assessing the risk around fraud,” she says. “Are those controls formalized and tested? And do they consider risks throughout the organization?”
The requirements around fraud risk are not new, says Jim DeLoach, managing director at consulting firm Protiviti, but the new framework states them more plainly; that has caught some companies off guard. “Ignoring longstanding requirements that have been made more explicit by the transition process—that’s one of the lessons learned,” he says.
Likewise, companies may have some work to do reviewing their controls around reliance on outside service providers. “We would see this at a lot of companies, where this was a big push at the end of the year,” Rose says.
Companies often rely on reports from third-party auditors on the controls at service organizations, often called “SOC” reports. Under the new framework, companies may need to dig into those reports more deeply rather than rely on them without further consideration.
“In the past, you might have said you have a SOC report, so you’re comfortable there,” Lord says. “Now there are more controls around it. Is someone reading it? Is everything we expect them to do covered by this? It’s a little more energetic, interactive process. There’s more dialogue with those service providers.”
10 LESSONS LEARNED
Below, Protiviti outlines 10 lessons learned from implementing COSO 2013.
1. Meet with your auditor early and often.
2. Establish an effective and relevant mapping approach.
3. Conduct a substantive fraud risk assessment.
4. Take a broader view of outsourced processes than just the service organization control (SOC) report.
5. Manage the level of depth when testing indirect controls.
6. Focus on understanding and documenting control precision.
7. Evaluate the adequacy of information produced by entity (IPE).
8. Expect an increase in deficiency evaluation efforts.
9. Adopt the updated 2013 Framework on time.
10. Ask yourself: Is limiting your focus on applying 2013 COSO to SOX compliance the answer?
Other areas of focus that cropped up as issues in COSO implementation also track closely to issues that have emerged from the Public Company Accounting Oversight Board’s inspection of audit firms. They include controls around technology, management review controls, documentation, and reliance on the work of internal audit. “How are we testing the completeness and accuracy of information?” Rose says.
Despite the focus on more documentation and more detail, some audit experts say companies failed to recognize that the entire exercise is meant to be top-down and risk-based.
“The top-down, risk-based approach has not changed at all by the update of the COSO framework, yet we are aware of companies that got lost in a sea of minutiae,” DeLoach says. Some companies ended up mapping their entire control population to the framework, he says. “People were asking: Do we have to apply this to operations or to all compliance domains? We had to educate some that the focus of this is reliable financial reporting, so all we’re concerned about is mapping financial reporting-related controls.”
Companies also chose different approaches for explicit mapping of controls to the 81 “points of focus” that the new framework lists as supporting the 17 required principles of sound internal control. “It depends on the level of detail they want,” says Pooja Mishra, senior manager for MorganFranklin Consulting.
Mapping to all the points of focus is not required, Lord says. “There’s nothing wrong with it,” she says. “It’s not prohibited, but it’s more work.”
Mishra says many companies underestimated the amount of time and effort that would be necessary to implement the new framework. “That’s the reason some missed the December 2014 deadline,” she says. The work they may have begun last year mapping controls to the new framework gives them a basis for proceeding to a 2015 year-end implementation, she says.
And that should be the target completion date for any company that didn’t finish the update to the new framework in 2014, experts say. The Securities and Exchange Commission has not articulated a firm adoption deadline for an internal controls framework (the Sarbanes-Oxley Act requires that companies use one), but the SEC has deferred to COSO’s guidance that its old framework is obsolete.
Even KPMG—which focused its messaging in 2014 on encouraging companies to take time and pursue a quality implementation rather than a rapid one—says now is the time to adopt. “We are emphasizing to companies that have not already completed significant transition activities in fiscal 2014 that this year is the time to adopt,” David Middendorf, a partner with KPMG, said in a statement. “The ideal for those companies that delayed adoption is that they used the time for a thoughtful approach to assess changes and move forward.”