130516 bas corporategovernor newsletter 130523 final
7/25/2019 130516 BAS CorporateGovernor Newsletter 130523 FINAL
CorporateGovernor
Providing vision and advice for management, boards of directors and audit committees
Spring 2013 Vol. 1
The updated COSO framework: A principles-based approach
The Committee of Sponsoring
Organizations of the Treadway
Commission (COSO), a joint initiative
of private-sector organizations dedicated
to providing thought leadership on
enterprise risk management, internal
control and fraud deterrence, has
issued its updated Internal Control-Integrated
Framework (2013). While
the updated framework may be used to
evaluate an entity's internal control over
operations and compliance, its principal
application is expected to be a way for
management and auditors to evaluate
internal control over financial reporting
for inclusion of such evaluations in
SEC filings. COSO also simultaneously
released illustrative tools and a
compendium of examples to assist users
in applying the framework.
The new guidance is the culmination
of a two-and-a-half year development
process that began with a survey of
some 700 stakeholders, 85% of whom
preferred an updating of the original
1992 framework to a major overhaul.1
That sentiment has been ratified in
the final version. "Fundamentally, the
framework and the five components that
comprise an effective system of internal
control haven't changed," says Maria
Rojas, Grant Thornton senior manager
and West Region Governance, Risk and
Compliance leader. "The new guidance
does, however, clarify elements of internal
controls that have been open to varying
interpretations and eliminates ambiguity."
Although the update doesn't
recast the internal control framework,
it does revitalize the guidance and
make it pertinent to the current
business landscape. The business
environment prevailing in 1992 was
obviously much different than it is
today. Globalization, governance and
information technology have all made
enormous advances. Outsourcing and
joint ventures are far more common
than they were 20 years ago.
1 McNally, J. Stephen. COSO Framework Holding Strong and Getting a Polish, Pennsylvania CPA Journal, Summer 2012.
What's new in the 2013 framework?
One of the most significant changes in
the new framework is setting forth 17
principles, each of which is specifically
assigned to one of the five components
(see Figure 1). Each principle must be
present and functioning in an organization
for it to have effective internal control.
The 1992 framework did not contain
such principles or a requirement that
any factors beyond the five components
of internal controls be considered. Each
principle in the 2013 framework is
further explained by points of focus
that describe its characteristics and assist
users in evaluating whether a principle
is present and functioning, though
the points of focus do not constitute
explicit requirements.
"If we take, for example, the control
environment component, the 1992
guidance wasn't principles-based, and it
wasn't sufficiently detailed," says Michael
Rose, partner and Northeast Region
practice leader of Grant Thornton's
Business Advisory Services group. "With
the new framework, judgment will still
play a critical role; but the principles
and their related points of focus now
give companies more guidelines they can
follow to ensure the requisite control
environment controls are in place."
Developments in the business
environment are also evident in the
modifications to the COSO cube
model (see Figure 2). As noted, the five
components of internal control remain
in place. Further, the COSO Guidance
on Monitoring Internal Control Systems,
issued in 2009, is still applicable and
assists entities in implementing and
evaluating the monitoring component of
internal control.
The objectives, however, have been
slightly modified: compliance and
operations are the same, but financial
reporting (i.e., external financial
reporting) is now simply reporting, thus
encompassing nonfinancial reporting
made in accordance with various
regulations, standards and frameworks;
this objective also now includes
internal reporting, both financial
and nonfinancial.
Moreover, the entity structure has been
revamped to include the overall entity,
divisions, subsidiaries, operating units and
functions, including business processes
like sales, purchasing, production and
marketing. The changes reflect an increased
emphasis on governance, business
processes and the organizational structure
in a globalized business environment.
Additional upgrades and changes
from the 1992 framework include:
- more guidance that ties control objectives to the risks related to a specific area;
- much more relevant guidance on information technology, and how it affects processes and reporting;
- enhancement of governance concepts;
- an increased emphasis on globalization of markets and operations, as well as changes in business models and organizations;
- use and reliance on evolving technology, as well as the explosive expansion of information; and
- a substantially increased discussion of fraud as it relates to internal control.
Figure 1: Principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Source: COSO
Figure 2: Updated COSO cube
[Cube diagram with three dimensions: objectives (Operations, Reporting, Compliance); components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities); entity structure (Entity Level, Division, Operating Unit, Function).]
Source: COSO
Summarizing the differences between
the old and new frameworks, George
Chiu, Grant Thornton manager in
Business Advisory Services, recalls
his college years. "On the first day
of classes, you'd have one instructor
who'd tell you that to get an A you need
to work hard, study hard, take your
exams. Another professor will go into a
lot more detail and tell you the chapters
you need to study, the dates of the exam
and the kinds of questions that may
come up. That's the difference between
the 1992 and 2013 guidance."
What is the time frame for transitioning
to the new guidance?
While only the SEC can provide
definitive guidance regarding the
application of the new framework to
the Section 404 requirements of the
Sarbanes-Oxley Act of 2002 (SOX),
COSO believes that users should
transition their applications and
related documentation to the updated
Framework as soon as is feasible under
their particular circumstances and will
continue to make available its original
Framework during the transition period
extending to Dec. 15, 2014, after which
time COSO will consider it as superseded
by the 2013 Framework.2 Further,
COSO believes that entities reporting
externally on internal controls should
clearly disclose whether the original
framework or the 2013 framework was
utilized when reporting until the original
framework is considered superseded.
Whatever the timetable for adopting
the updated framework for SEC filings,
companies need to get to work now
if they have not already. "Regardless
of how the transition rolls out, it's
our recommendation that companies
immediately assess the impact on
their internal control over financial
reporting," says Jason Plourde, audit
partner at Grant Thornton. "They need
to map their current internal controls to
the new framework, paying particular
attention to the required principles,
identify any gaps and determine how
they will address them."
The task of transitioning to the new
framework will of course be unique to
each company. In general, however,
smaller and newly public entities face the
greater challenge. Larger companies tend
to have more sophisticated systems and
controls in place that continuously track
and adapt to changes in the business
environment, such as those resulting
from globalization and technology.
In fact, companies that have been
consistently updating their internal
controls to meet SOX requirements and
changes in the business environment
may find conforming to the new
framework requires little adjustment.
Smaller companies, with fewer resources,
may have more work to do on filling in
any gaps. In that respect, the templates
provided in the Illustrative Tools for
Assessing Effectiveness of a System of
Internal Control (see the sidebar on
the updated documents) could prove
relevant and useful to smaller entities as
they try to navigate implementation.
The COSO framework and related illustrative documents
In updating the 1992 framework, COSO has released three documents:
(1) Framework and Appendices, i.e., the actual framework. Among the useful appendices is Appendix G,
which details the changes made from the 1992 guidance.
(2) Internal Control Over External Financial Reporting: Compendium of Approaches and Examples, which
discusses how the framework applies to external financial reporting.
(3) Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which offers a series of
templates for applying the framework to determine whether controls are effective.
Regarding the creation of three documents (plus an executive summary), COSO Chairman David Landsittel
has commented, "We thought it was important to provide a clear path as to how the framework can be
applied to external financial reporting circumstances. The Compendium does not alter or modify the
framework itself. It just focuses on how it's applied. The Illustrative Tools also do not change the framework
at all. We thought it would be helpful to provide additional information to bring to life the discussion of
effectiveness of controls."*
* Whitehouse, Tammy. COSO Releases Revised Framework, New Guidance, Compliance Week, Sept. 19, 2012.
Whether an entity is large or small,
the new framework will mean at least
some additional work for the full cast of
actors on the internal control stage, not
in the least the external auditors of the
larger public companies that must comply
with SOX 404(b) requiring attestation of
management's assessment of its internal
control over financial reporting. Audit
committee chairpersons and members will
also have an important role to play, helping
their companies integrate the new guidance
into existing internal control regimes.3
How should companies proceed
on implementation?
Obviously, a plan to implement the new
internal control guidance for a company
of any size and complexity cannot be
set out with a few bullet points, but
implementation may involve the following:
1. Fully understanding the new guidance,
specifically the 17 principles and the
related points of focus.
2. Determining where the entity is strong
and where it has weaknesses, based on
the 17 principles.
3. Implementing change in areas of
weakness.
2 Press release: COSO Issues Updated Internal Control-Integrated Framework and Related Illustrative Documents, May 14, 2013, www.coso.org/documents/COSO%20Framework%20Release%20PR%20May%2014%202013%20Final%20PDF.pdf.
3 Austin, Stephen. Updated COSO Framework Will Help Audit Committees Comply with SOX, Journal of Accountancy, July 2012.
With a view toward assuring that all
17 principles exist within the company's
internal control structure and are
currently being applied, here are several
key questions to ask:
1. Do I fully understand the principle
and its intent?
2. Does the principle exist in our
company today? If so, how is it
being applied?
3. Are the principles being applied
consistently throughout the
organization?
4. Do the individuals responsible for
applying the principle understand
it? Are they applying the principle
correctly? Are they doing so
consistently throughout the
organization?
5. If a principle does not exist in the
organization, does it represent a gap
in the internal control structure? Or is
there another control or set of controls
that can mitigate its absence?
Conclusion
For companies that are already adept at
adopting the COSO framework, the new
framework provides a baseline to validate
the strengths of their internal control
environment. For companies that are new
to the COSO framework or are struggling
with adopting the COSO framework,
the new framework allows them to assess
weaknesses in their internal control
environment and provides guidance to
mitigate these weaknesses.
Some observers have voiced concern
that the new guidance will produce a
checklist mentality for implementing
internal control. But the update doesn't
relieve companies from using their best
judgment; instead, it offers them support
so that better judgments can be made.
According to Warren Stippich, partner
and National Governance, Risk and
Compliance leader, "It is our experience
that with an organized approach to
the new guidance, a fresh look will be
undertaken and will foster even more
robust dialogue about the control
environment, including the tone at the
top." The release of the new COSO
framework provides companies with an
opportunity to holistically reassess their
internal control in all its phases, which
should yield not only improvements in
efficiency, but reduced costs as well.
About the newsletter
CorporateGovernor is published by
Grant Thornton LLP. The people in the
independent firms of Grant Thornton
International Ltd provide personalized
attention and the highest-quality service to
public and private clients in more than 100
countries. Grant Thornton LLP is the U.S.
member firm of Grant Thornton International
Ltd, one of the six global audit, tax and
advisory organizations. Grant Thornton
International Ltd and its member firms are not
a worldwide partnership, as each member firm
is a separate and distinct legal entity.
For additional information on the issues
discussed in this newsletter, consult your
Grant Thornton client services partner.
Contact information
For more information, contact a member
of the Governance, Risk and Compliance
Solution Group:
Michael Rose
Partner, Business Advisory Services
T 215.376.6020
Jason Plourde
Partner, Audit
T 312.602.8328
Maria Rojas
Senior Manager, Business Advisory Services
T 408.346.4325
George Chiu
Manager, Business Advisory Services
T 408.346.4343
Warren Stippich
Partner and National Governance, Risk and
Compliance Leader
T 312.602.8499
Visit our website at
www.GrantThornton.com.
Editor: Evangeline Umali Hannum
Content in this publication is not intended
to answer specific questions or suggest
suitability of action in a particular case. For
additional information on the issues discussed,
consult a Grant Thornton LLP client service
partner or another qualified professional.
© 2013 Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton
International Ltd