COSO 2013: mapping your controls to the updated framework

Background
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released on May 14, 2013, an updated version of its Internal Control—Integrated Framework (the “2013 Framework”). In addition, COSO released two illustrative documents: Illustrative Tools for Assessing Effectiveness of a System of Internal Control (the “Illustrative Tools”) and Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples (the “ICEFR Compendium”) as well as an executive summary of the 2013 Framework.

Originally issued in 1992, COSO’s Internal Control—Integrated Framework (the “1992 Framework”) became one of the most widely accepted internal control frameworks in the world. COSO’s primary objective in updating and enhancing the framework is to address the significant changes to business and operating environments that have taken place over the past 20 years.
The 2013 Framework contains 17 principles that explain the concepts associated with the five components of the COSO Framework (control environment, risk assessment, control activities, information and communication, and monitoring activities). In developing the 17 principles, COSO focused on concepts from the 1992 Framework; considered the principles that were developed and articulated in COSO’s 2006 Internal Control Over Financial Reporting—Guidance for Smaller Public Companies (“Small Business Guidance”); and considered the significant changes in business, operating environments, and governance since 1992. COSO intends the principles to help companies design effective systems of internal control and evaluate whether those systems are functioning effectively. The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities. Consequently, if a principle is not present and functioning, the associated component is not present and functioning. In rare circumstances, because of industry, regulatory or operating matters, management may determine that a principle is not relevant to a component.

To further describe the principles, the 2013 Framework uses points of focus, which typically are important characteristics of the principles. While the points of focus may help management design, implement, and evaluate internal control and assess whether the relevant principles are present and functioning, they are not required for assessing the effectiveness of internal control. Each principle generally has 4-6 points of focus. Management may determine that some of the points of focus are not suitable or relevant and may identify and consider others that are relevant. However, documentation supporting management's conclusion that a particular point of focus is not relevant should be retained as part of the evaluation. Note that while a particular point of focus may not be relevant, excluding more than half of the points of focus under one principle is not considered accepted practice.

Although the 2013 Framework is similar in many respects to the 1992 Framework, there are several concepts in the 2013 Framework that may not historically have been addressed. For example:
• The 5 principles under Control Environment have historically been addressed internally (i.e., within the Company's four walls), but may not have extended to outsourced service providers (OSPs). We will evaluate the points of focus under these 5 principles and determine whether new control activities should be implemented relative to OSPs.
• Unlike the 1992 Framework, the 2013 Framework explicitly includes the concept of considering the potential for fraud risk when assessing risks to the achievement of an organization's objectives (see Principle 8). The 2013 Framework explains that "as part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
  • Management bias, for instance in selecting accounting principles
  • Degree of estimates and judgments in external reporting
  • Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
  • Geographic regions where the entity does business
  • Incentives that may motivate fraudulent behavior
  • Nature of technology and management's ability to manipulate information
  • Unusual or complex transactions subject to significant management influence
  • Vulnerability to management override and potential schemes to circumvent existing control activities"

Principle 8 also discusses considerations relating to management override, safeguarding of assets, incentives and pressures, opportunities for inappropriate acts, and attitudes and rationalizations that may justify inappropriate actions. We will evaluate the points of focus under Principle 8 and may recommend that the Company implement a formal fraud risk assessment process in addition to the historical financial statement risk assessment (FSRA). The fraud risk assessment could take the form of a memo outlining "what could go wrong" relative to fraud and the steps the Company has taken to mitigate fraud risks. The contents of the memo would come from interviews with key employees in which questions such as "If someone were to commit fraud, how would they do it?" would be asked.
• There may be an additional control or documentation required for Principle 9, “Identifies and analyzes significant change”. This principle is addressed to an extent in the FSRA, but additional points of focus may need to be considered. For example, a living / evolving document could be prepared and maintained outlining changes in the business and operating environment and how the Company addresses them.

• Principle 12 relates to formal policies and procedures. We will need to assess whether the appropriate level of policy documentation exists and whether it has been reviewed and updated in a timely fashion. A formal risk assessment and fraud risk assessment policy may need to be developed. (Lack of a risk assessment policy and procedure document is considered one of the top issues related to the 2013 Framework.)

• Principle 13 relates to the quality of information that is used to support the functioning of internal control. We will evaluate the points of focus under Principle 13 to determine if the Company has sufficient controls to evaluate the completeness and accuracy of the data and reports it uses in the performance of key controls (for example, controls over spreadsheets). This is particularly relevant for management review controls and the reports that are relied upon in performing those controls.

• Principle 16 relates to ongoing and separate evaluations of internal control. Primarily, these evaluations are performed by internal audit. We will evaluate the points of focus under Principle 16 to determine if the documentation of internal audit's independence, objectivity and competence is sufficient. To maintain objectivity, it is considered a best practice for internal audit to report directly to the Audit Committee. Internal audit has historically had a dotted line to the Audit Committee, but reports operationally to the CFO. We will evaluate this reporting relationship and determine whether documentation is required of why the reporting relationship is appropriate.

• Principle 17 relates to the evaluation of deficiencies. This is something that internal audit has done in the past. However, there needs to be an increased focus on evaluating the potential magnitude of deficiencies and documenting the root cause of control failures. There needs to be a thorough consideration of all relevant risk factors in determining whether there was a reasonable possibility that a deficiency, or a combination of deficiencies, could result in a material misstatement.

• Overall, the documentation of the Company's entity level controls will be updated to specifically address the 17 principles. Currently it is organized in line with the 1992 Framework.

Conclusion and Action Plan
The impact of the 2013 Framework on management's assessment of the effectiveness of ICEFR (i.e., to comply with SOX Section 404) will depend on how a company applied and interpreted the concepts in the 1992 Framework. For example, an existing system of internal control may not clearly demonstrate or document that all the relevant principles are present and functioning. COSO developed the ICEFR Compendium to help companies apply the 2013 Framework. The approaches discussed in that document describe how organizations may apply the principles in their system of ICEFR, and its examples illustrate the application of each principle. Our action plan for adopting the 2013 Framework will include use of the ICEFR Compendium and the following key steps:
1. Reading the 2013 Framework and identifying new concepts and changes.
2. Assessing training and education needs. (K Financial management team, including Lonny Leinweber, Daniel Kugel and Jamie Kilcoyne, attended a 16-hour "SOX and Internal Controls Update Conference" on June 24-25, which included a heavy focus on the 2013 COSO Framework.)
3. Determining how the 2013 Framework affects the design and evaluation of ICEFR by:
a. Assessing coverage of the principles by existing processes and related controls and considering the points of focus.
b. Assessing current processes, activities, and available documentation related to applying the principles.
c. Identifying any gaps in the above.
4. Identifying the steps, if any, to be performed in making the transition to the 2013 Framework, and:
a. Formulating a plan to complete the transition by December 15, 2014.
b. Considering using activities performed in 2013 (e.g., walkthroughs, testing of relevant controls, evaluation of deficiencies) to identify necessary changes and pilot or field test the application of the 2013 Framework.
c. Confirming proper disclosure of the framework used during the transition period and at the time the 2013 Framework is adopted.
5. Coordinating and communicating internally with all groups that are responsible for implementing, monitoring, and reporting on the organization’s ICEFR.
6. Developing new entity level controls to address any gaps identified in step 3c above.
7. Discussing and coordinating activities with the external auditor.
8. Testing entity level controls under the new framework in Q4 2014.