The good news: Companies that have chosen to continue using the old COSO framework in their year-end 2014 internal control reporting will not get a nasty-gram from the Securities and Exchange Commission next spring.
The bad news: Don’t hold your breath for much more than that.
At the annual national conference of the American Institute of Certified Public Accountants, SEC Deputy Chief Accountant Nili Shah definitively said that SEC staff will not give companies grief in 2015 if they don’t use the updated COSO Internal Control — Integrated Framework released in 2013, intended to wean companies off the woefully outdated original COSO framework from 1992.
“At least for the 2014 reporting season, we will not object to companies that continue to use the 1992 framework,” Shah said. “But as we move further from the end of COSO’s transition period, both investors and we may continue to question continued use of the 1992 framework.”
The SEC and other audit and internal control experts speaking at the conference cautioned companies not to rest easy if they choose not to adopt the new COSO framework for their 2014 year-end reporting. Chuck Landes, a member of the COSO board representing the AICPA, said auditors should look carefully at the reasons why companies might choose not to use the framework this year.
“Anecdotally, we’re hearing some say they’re not sure they can pass under the new framework,” Landes said. “If you can’t pass under the ’13 framework, I’m not sure how you can pass under the old framework.” He cautioned auditors to look for sound business reasons why companies do not adopt and consider whether the company has a problem with tone at the top if it can’t show good reasons for not adopting.
“If someone is, in my words, blowing it off because they’re just too busy to make that transition—to me that is evidence that the tone at the top is not where it should be,” he said.
Stephen Soske, a PwC partner who helped update the new framework, said auditors will accept sound business decisions for companies that have decided (or are still deciding) whether to follow the new framework in 2015. “We would respect that, and we would be following the client’s lead,” he said.
Auditors and companies have reported some noise in the transition process as companies attempt to adopt the framework following SEC internal control guidance targeted to management, while auditors are following guidance issued by the Public Company Accounting Oversight Board. Tension has surfaced in some specific areas of the COSO requirements, especially IT controls, entity-level controls, and management review controls.
Soske said he sees consistency in the PCAOB and SEC guidance. He sees much of the focus in adopting the new framework targeted at the “softer” components of the framework, namely the control environment, risk assessment, information and communications, and monitoring activities. Control activities represent as much as 85 to 95 percent of a company’s internal controls over financial reporting, he said, and they have already been subject to rigorous evaluation and testing in prior years.
Below is an excerpt from SEC Senior Associate Chief Accountant Kevin Stout’s speech before the 2014 AICPA Conference on Current SEC and PCAOB Developments.
Understanding the Cause of the Control Deficiency
…much of the dialogue we have with companies relates to deficiencies within the Control Activities component. For material weaknesses, as part of the disclosure, Commission Guidance states that
“companies should also consider providing disclosure that allows investors to understand the cause of the control deficiency.”
This is important information because, among other things, it can aid investors in assessing the potential impact to the financial statements of a material weakness. I believe, however, that management needs to understand the cause of all control deficiencies. Otherwise, management is more likely to overlook the possibility that there is a deficiency in another COSO component that may already represent, or could otherwise be developing into, a material weakness.
While it is possible that some transaction-level control failures are isolated within the Control Activities component, the cause may often stem from a broader breakdown, and the nature of the deficiency will provide clues as to what that cause may be. For example, a company that describes a deficiency in the design of one or more Control Activities controls may receive a follow up request from the staff for information about how management considered the effectiveness of the Risk Assessment component. Likewise, a company that describes a deficiency in the operating effectiveness of one or more Control Activities controls may receive a follow up request from the staff for information about how management considered the effectiveness of the Monitoring Activities component.
Such determinations are, of course, fact- and circumstance-based and likely to vary from company to company based on the number of transaction-level deficiencies that exist, the nature of each deficiency, and the financial statement amounts or disclosures affected, among other factors. However, without understanding the cause of each identified deficiency, management may not be in a position to appropriately evaluate the effectiveness of each of the components of internal control. More broadly in this regard, I am hopeful that the improved organization and structure of COSO 2013 versus the 1992 version, through the use of principles and points of focus, leads to improved evaluations of the components outside of Control Activities.
Identifying Financial Reporting Risks
Having just mentioned the relationship of the effective design of Control Activities controls to the Risk Assessment component, it might be helpful now to provide a reminder about a key point for identifying financial reporting risks.
As part of its ongoing assessment of “what could go wrong” within a financial reporting element, it is critical that management consider the nature and extent of any changes in the risks to reliable financial reporting. Such changes can result from a variety of sources, including company reorganization, nature of transactions entered into, overall business environment, and accounting requirements. A few recent examples of such events discussed with registrants in the comment process include:
Expansion into a new foreign location;
Growth in operations through the use of variable interest entities (VIEs);
Reaching a sales agreement with a new customer under terms different from those with any existing customer; and
Increases in expenditures for environmental clean-up of existing remediation sites.
Let me now move on to two important points that have come up in many of the recent ICFR comment processes stemming from immaterial error corrections: a fully and accurately defined control deficiency, and the potential misstatement resulting from the deficiency, which is sometimes referred to as “the could factor.”
Fully and Accurately Defined Control Deficiency
First, to be clear, an explanation of the accounting error that resulted from, or could result from, the deficiency, is important to understanding the nature of the deficiency. However, describing the accounting error is not the same as describing the control deficiency. Unfortunately, in initial responses to staff comments, and even in material weakness disclosures, we sometimes see statements that focus only on the error. Such statements may raise questions about management’s understanding of the implications of the deficiency and whether its severity was appropriately evaluated. Furthermore, investors might reasonably question how a company could remediate a control deficiency that it has failed to describe appropriately.
Factors that I have found helpful to consider in understanding and describing a deficiency include, but may not be limited to, the following:
Nature of the control deficiency – For example, is it a design or operating effectiveness issue? Is the issue narrow or could the deficiency be broader than what has been observed?
Impact – What is its impact on financial reporting and ICFR?
Cause – As I discussed earlier, what is its cause?
Identification – How was it discovered? For example, by management or the auditor? If by management, was it identified “accidentally” or as part of the normal operation of controls?
Remediation – What measures are likely necessary to rectify the deficiency?
Notably, in some instances, the company’s thought process evolves over the comment process and it appears that management may be properly evaluating the deficiencies for the first time during this process, as we see changes in conclusions regarding nature, component, impact, and cause of identified deficiencies. Undoubtedly, these types of determinations require judgment. However, to ensure that investors receive timely information about management’s assessment of ICFR, these determinations need to be contemporaneous.
With a more explicit articulation of principles in the new framework, companies are now focusing on those “softer components,” Soske said. “It is causing management to take a fresh look at the design and operation of entity-level controls that support the principles in those components.” He sees companies using the transition process to fine-tune the design and documentation around indirect entity-level controls, especially around principles on demonstrating a commitment to competence, assessing fraud risk, identifying and analyzing significant change, and using relevant information.
Bill Schneider, director of accounting at AT&T, said his mapping and control update exercise led to the discovery that many of the controls necessary to meet the new framework requirements were present, but not documented. “There really were no new requirements that came out of 2013,” he said. He suggests companies that haven’t already mapped controls to the new framework do so in the context of their annual Sarbanes-Oxley review to minimize the extra effort.
Easing Transition Pains
Shah also reminded companies to remember to disclose what framework they are following to comply with internal control reporting requirements. She said the staff is already seeing situations where companies have failed to disclose which framework they are relying on in their reporting of internal control over financial reporting. “If you’re using the 1992 or the updated framework, state that,” she said.
SEC staffers—who so far have said little publicly about adoption of the new COSO framework—said they spent a great deal of 2014 studying internal control issues, especially in supporting other SEC efforts to reconsider disclosures broadly. They called on companies to consider more carefully where they may have undisclosed deficiencies, and to spend more time identifying the root causes of control deficiencies.
“Based upon our cumulative efforts this year, I continue to question whether material weaknesses are being properly identified, evaluated, and disclosed,” said Brian Croteau, deputy chief accountant at the SEC. Research firm Audit Analytics found that the SEC issued more than 100 comment letters on internal control in 2014, mostly requests to clarify the effect of previously identified errors on the company’s internal control evaluation and to determine which framework was used in the evaluation of controls.
Kevin Stout, a senior associate chief accountant at the SEC, reminded companies to review SEC guidance to management that tells them to understand and explain to investors the reasons for control deficiencies. “This is important information because, among other things, it can aid investors in assessing the potential impact to the financial statements of a material weakness,” he said.
“Management needs to understand the cause of all control deficiencies,” he said. “Otherwise, management is more likely to overlook the possibility that there is a deficiency in another COSO component that may already represent, or could otherwise be developing into, a material weakness.” He is hopeful the improved organization and structure of the new COSO framework will lead to improved evaluations of the components of internal control outside of control activities specifically.
Stout said companies need to be careful to understand the difference between accounting errors and control deficiencies that lead to errors. Too often, he said, SEC inquiries into control problems that lead to accounting errors are answered only with explanations of the error itself. “Such statements may raise questions about management’s understanding of the implications of the deficiency and whether its severity was appropriately evaluated,” he said. “Investors might reasonably question how a company could remediate a control deficiency that it has failed to describe appropriately.”
Stout also advised companies to remember to consider the magnitude of possible misstatements that could result from control deficiencies. “As with many aspects of the ICFR evaluation, careful consideration is required when evaluating the ‘could’ factor,” he said. “In spite of this, some companies we have discussions with initially appear to equate the actual error identified with the reasonably possible potential misstatement. They do so despite the fact that the control did not ultimately detect the error.”
Croteau reminded companies the SEC is watching controls closely. “Our efforts throughout the SEC pertaining to the ICFR requirements are ongoing, coordinated, and increasingly integrated into our routine consultation, disclosure review, and enforcement efforts.”