130516 bas corporategovernor newsletter 130523 final

Upload: prisca-rani

Post on 27-Feb-2018


  • 7/25/2019 130516 BAS CorporateGovernor Newsletter 130523 FINAL

    1/4

    CorporateGovernor

    Providing vision and advice for management, boards of directors and audit committees

    Spring 2013 Vol. 1

    The updated COSO framework: A principles-based approach

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of private-sector organizations dedicated to providing thought leadership on enterprise risk management, internal control and fraud deterrence, has issued its updated Internal Control-Integrated Framework (2013). While the updated framework may be used to evaluate an entity's internal control over operations and compliance, its principal application is expected to be a way for management and auditors to evaluate internal control over financial reporting for inclusion of such evaluations in SEC filings. COSO also simultaneously released illustrative tools and a compendium of examples to assist users in applying the framework.

    The new guidance is the culmination of a two-and-a-half year development process that began with a survey of some 700 stakeholders, 85% of whom preferred an updating of the original 1992 framework to a major overhaul.1 That sentiment has been ratified in the final version. "Fundamentally, the framework and the five components that comprise an effective system of internal control haven't changed," says Maria Rojas, Grant Thornton senior manager and West Region Governance, Risk and Compliance leader. The new guidance does, however, clarify elements of internal controls that have been open to varying interpretations and eliminates ambiguity.

    Although the update doesn't recast the internal control framework, it does revitalize the guidance and make it pertinent to the current business landscape. The business environment prevailing in 1992 was obviously much different than it is today. Globalization, governance and information technology have all made enormous advances. Outsourcing and joint ventures are far more common than they were 20 years ago.


    1 McNally, J. Stephen. COSO Framework Holding Strong and Getting a Polish, Pennsylvania CPA Journal, Summer 2012.


    What's new in the 2013 framework?

    One of the most significant changes in the new framework is setting forth 17 principles, each of which is specifically assigned to one of the five components (see Figure 1). Each principle must be present and functioning in an organization for it to have effective internal control. The 1992 framework did not contain such principles or a requirement that any factors beyond the five components of internal controls be considered. Each principle in the 2013 framework is further explained by points of focus that describe its characteristics and assist users in evaluating whether a principle is present and functioning, though the points of focus do not constitute explicit requirements.

    "If we take, for example, the control environment component, the 1992 guidance wasn't principles-based, and it wasn't sufficiently detailed," says Michael Rose, partner and Northeast Region practice leader of Grant Thornton's Business Advisory Services group. With the new framework, judgment will still play a critical role; but the principles and their related points of focus now give companies more guidelines they can follow to ensure the requisite control environment controls are in place.

    Developments in the business environment are also evident in the modifications to the COSO cube model (see Figure 2). As noted, the five components of internal control remain in place. Further, the COSO Guidance on Monitoring Internal Control Systems, issued in 2009, is still applicable and assists entities in implementing and evaluating the monitoring component of internal control.

    The objectives, however, have been slightly modified: compliance and operations are the same, but financial reporting (i.e., external financial reporting) is now simply reporting, thus encompassing nonfinancial reporting made in accordance with various regulations, standards and frameworks; this objective also now includes internal reporting, both financial and nonfinancial.

    Moreover, the entity structure has been revamped to include the overall entity, divisions, subsidiaries, operating units and functions, including business processes like sales, purchasing, production and marketing. The changes reflect an increased emphasis on governance, business processes and the organizational structure in a globalized business environment.

    Additional upgrades and changes from the 1992 framework include:

      • more guidance that ties control objectives to the risks related to a specific area;
      • much more relevant guidance on information technology, and how it affects processes and reporting;
      • enhancement of governance concepts;
      • an increased emphasis on globalization of markets and operations, as well as changes in business models and organizations;
      • use and reliance on evolving technology, as well as the explosive expansion of information; and
      • a substantially increased discussion of fraud as it relates to internal control.

    Figure 1: Principles of effective internal control

    Control Environment
    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability

    Risk Assessment
    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant change

    Control Activities
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures

    Information & Communication
    13. Uses relevant information
    14. Communicates internally
    15. Communicates externally

    Monitoring Activities
    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies

    Source: COSO

    Figure 2: Updated COSO cube. Objectives: Operations, Reporting, Compliance. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Entity structure: Entity Level, Division, Operating Unit, Function.

    Source: COSO


    Summarizing the differences between the old and new frameworks, George Chiu, Grant Thornton manager in Business Advisory Services, recalls his college years. "On the first day of classes, you'd have one instructor who'd tell you that to get an A you need to work hard, study hard, take your exams. Another professor will go into a lot more detail and tell you the chapters you need to study, the dates of the exam and the kinds of questions that may come up. That's the difference between the 1992 and 2013 guidance."

    What is the time frame for transitioning to the new guidance?

    While only the SEC can provide definitive guidance regarding the application of the new framework to the Section 404 requirements of the Sarbanes-Oxley Act of 2002 (SOX), COSO believes that users should transition their applications and related documentation to the updated Framework as soon as is feasible under their particular circumstances and will continue to make available its original Framework during the transition period extending to Dec. 15, 2014, after which time COSO will consider it as superseded by the 2013 Framework.2 Further, COSO believes that entities reporting externally on internal controls should clearly disclose whether the original framework or the 2013 framework was utilized when reporting until the original framework is considered superseded.

    Whatever the timetable for adopting the updated framework for SEC filings, companies need to get to work now if they have not already. "Regardless of how the transition rolls out, it's our recommendation that companies immediately assess the impact on their internal control over financial reporting," says Jason Plourde, audit partner at Grant Thornton. They need to map their current internal controls to the new framework, paying particular attention to the required principles, identify any gaps and determine how they will address them.

    The task of transitioning to the new framework will of course be unique to each company. In general, however, smaller and newly public entities face the greater challenge. Larger companies tend to have more sophisticated systems and controls in place that continuously track and adapt to changes in the business environment, such as those resulting from globalization and technology. In fact, companies that have been consistently updating their internal controls to meet SOX requirements and changes in the business environment may find conforming to the new framework requires little adjustment. Smaller companies, with fewer resources, may have more work to do on filling in any gaps. In that respect, the templates provided in the Illustrative Tools for Assessing Effectiveness of a System of Internal Control (see the sidebar on the updated documents) could prove relevant and useful to smaller entities as they try to navigate implementation.

    The COSO framework and related illustrative documents

    In updating the 1992 framework, COSO has released three documents:

    (1) Framework and Appendices, i.e., the actual framework. Among the useful appendices is Appendix G, which details the changes made from the 1992 guidance.

    (2) Internal Control Over External Financial Reporting: Compendium of Approaches and Examples, which discusses how the framework applies to external financial reporting.

    (3) Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which offers a series of templates for applying the framework to determine whether controls are effective.

    Regarding the creation of three documents (plus an executive summary), COSO Chairman David Landsittel has commented, "We thought it was important to provide a clear path as to how the framework can be applied to external financial reporting circumstances. The Compendium does not alter or modify the framework itself. It just focuses on how it's applied. The Illustrative Tools also do not change the framework at all. We thought it would be helpful to provide additional information to bring to life the discussion of effectiveness of controls." *

    * Whitehouse, Tammy. COSO Releases Revised Framework, New Guidance, Compliance Week, Sept. 19, 2012.

    Whether an entity is large or small, the new framework will mean at least some additional work for the full cast of actors on the internal control stage, not in the least the external auditors of the larger public companies that must comply with SOX 404(b) requiring attestation of management's assessment of its internal control over financial reporting. Audit committee chairpersons and members will also have an important role to play, helping their companies integrate the new guidance into existing internal control regimes.3

    How should companies proceed on implementation?

    Obviously, a plan to implement the new internal control guidance for a company of any size and complexity cannot be set out with a few bullet points, but implementation may involve the following:

    1. Fully understanding the new guidance, specifically the 17 principles and the related points of focus.
    2. Determining where the entity is strong and where it has weaknesses, based on the 17 principles.
    3. Implementing change in areas of weakness.

    2 Press release: COSO Issues Updated Internal Control-Integrated Framework and Related Illustrative Documents, May 14, 2013, www.coso.org/documents/COSO%20Framework%20Release%20PR%20May%2014%202013%20Final%20PDF.pdf.

    3 Austin, Stephen. Updated COSO Framework Will Help Audit Committees Comply with SOX, Journal of Accountancy, July 2012.

    With a view toward assuring that all 17 principles exist within the company's internal control structure and are currently being applied, here are several key questions to ask:

    1. Do I fully understand the principle and its intent?
    2. Does the principle exist in our company today? If so, how is it being applied?
    3. Are the principles being applied consistently throughout the organization?
    4. Do the individuals responsible for applying the principle understand it? Are they applying the principle correctly? Are they doing so consistently throughout the organization?
    5. If a principle does not exist in the organization, does it represent a gap in the internal control structure? Or is there another control or set of controls that can mitigate its absence?

    Conclusion

    For companies that are already adept at adopting the COSO framework, the new framework provides a baseline to validate the strengths of their internal control environment. For companies that are new to the COSO framework or are struggling with adopting the COSO framework, the new framework allows them to assess weaknesses in their internal control environment and provides guidance to mitigate these weaknesses.

    Some observers have voiced concern that the new guidance will produce a checklist mentality for implementing internal control. But the update doesn't relieve companies from using their best judgment; instead, it offers them support so that better judgments can be made. According to Warren Stippich, partner and National Governance, Risk and Compliance leader, "It is our experience that with an organized approach to the new guidance, a fresh look will be undertaken and will foster even more robust dialogue about the control environment, including the tone at the top." The release of the new COSO framework provides companies with an opportunity to holistically reassess their internal control in all its phases, which should yield not only improvements in efficiency, but reduced costs as well.


    About the newsletter

    CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

    For additional information on the issues discussed in this newsletter, consult your Grant Thornton client services partner.

    Contact information

    For more information, contact a member of the Governance, Risk and Compliance Solution Group:

    Michael Rose

    Partner, Business Advisory Services

    T 215.376.6020

    E [email protected]

    Jason Plourde

    Partner, Audit

    T 312.602.8328

    E [email protected]

    Maria Rojas

    Senior Manager, Business Advisory Services

    T 408.346.4325

    E [email protected]

    George Chiu

    Manager, Business Advisory Services

    T 408.346.4343

    E [email protected]

    Warren Stippich

    Partner and National Governance, Risk and

    Compliance Leader

    T 312.602.8499

    E [email protected]

    Visit our website at www.GrantThornton.com.

    Editor: Evangeline Umali Hannum, [email protected]

    Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

    © 2013 Grant Thornton LLP

    All rights reserved

    U.S. member firm of Grant Thornton International Ltd
