The highly respected periodical Compliance Week just published an article that appears to reflect misunderstanding if not panic in some quarters over the updated COSO Internal Control – Integrated Framework.
Written by Tammy Whitehouse with the title “COSO Framework Update Introduces New Measure of Deficiency”, the piece includes quotes from interviews with a number of consultants and other experts, including the new chairman of COSO and me.
I was struck by a number of apparent inferences:
There is confusion over the use by COSO of the term “major deficiency” when for SOX purposes we have been using the terms deficiency, significant deficiency, and material weakness.
People are worried because they are unsure how the updated framework will affect their SOX program.
Some seem to believe that if they have a deficiency related to one risk area that will affect their assessment for SOX.
Let’s take each of these in turn.
By the way, Tammy was unable to include in the article my comments on these points, presumably for lack of space.
1. When it comes to SOX, we continue to use the same terms as before. As Bob Hirth pointed out, COSO recognizes that when there are regulations in an area, as there are for SOX with SEC and PCAOB guidance, that takes precedence.
We should also recognize that the term in COSO is not new. Organizations and their internal auditors have been using it for decades.
2. If an organization was truly basing their SOX assessment on the prior version of the COSO framework, they are already “compliant” with the updated version. The only issue is that they have to be able to show how they achieve the principles. This can be done with minimal effort through a management self-assessment. Where the level of risk justifies, consistent with current practice, related key controls are identified and tested. (I expect the IIA will publish an update to my SOX book in a few months that guides this process.)
3. If you have a deficiency in a different risk area, such as in compliance with safety regulations or the delivery of revenue growth, that will not prevent you from assessing your internal control over financial reporting as effective.
I believe the only implementation issue will be on how much evidence you need to support management’s assertion that all the principles are present and functioning. I believe, and have many experts supporting me on this, that you need to consider the risk to the financial statements if there is a defect in a principle. That risk is indirect; please refer to the discussion in AS5 on entity-level controls that have an indirect effect. The greater the risk, the greater the need for key controls to support and augment management’s self-assessment.
As for those who are concerned because they haven’t read this long document, let me reassure you. If you read and understood COSO 1992, you will not find anything different in 2013, at least anything substantial. The 17 principles were there before; they now have been emphasized. Some discussions, such as on monitoring, are improved.
This is NOT a radical new document that should cause concern.
But that doesn’t mean you should leave implementation for SOX to 2014! Do your self-assessment now and start any remediation now, because it will take time to upgrade issues like the composition and practices of the audit committee, or the training of staff.
I welcome your comments.