A Timely Update
The recent 2013 update of the Internal Control Framework issued by the COSO was a major event followed by standard setters and publicly held companies. The original COSO framework published in 1992 became a widely accepted internal control framework standard for meeting the requirements of a number of US regulations led by the infamous Sarbanes-Oxley Act (SOX) of 2002, introducing a formal sign-off on the effectiveness of the system of Internal Controls over Financial Reporting (ICFR). Subsequently, the COSO framework has formed the basis of best practice for financial control & governance worldwide.
Although the original COSO framework from 20 years ago was conceptually sound and even a visionary approach in the area of internal controls, it couldn’t fully anticipate the evolution of technology and the changing demands of global business environments. As a result of this, we have also seen an increase in regulatory requirements prompting business leaders to reassess internal controls to determine whether risks are mitigated to an acceptable level.
This article will explore the latest changes brought to the 1992 COSO framework and how to get the best return on the investments involved in moving to the 2013 version.
Evolution, not Revolution
The core difference between the two models lies in widening the scope and applicability. However, the definitions of internal control, the three categories of objectives and the five components in the COSO cube (visible in the image to the left) remain unchanged, still focusing on effective, well-designed and implemented internal controls.
Further improvements have been made to accurately define each component and to link and correlate them with their associated objectives.
The enhanced applicability and ease of use of the 2013 COSO Framework is driven through the following aspects:
- Broadening the scope of the three business objective areas:
  - Operations – now also includes operational and financial performance goals and is no longer limited to the “effective and efficient use of entity’s resources”.
  - Reporting – addresses not only financial but also non-financial reporting to various internal and external stakeholders. In the 1992 Framework, the objective’s scope was much narrower, “relating to the preparation of reliable financial statements”.
  - Compliance – considers the increased demands of laws, regulations and accounting standards, including SOX/JSOX, the Dodd-Frank Act, FCPA, the Consumer Protection Act and Basel II.
- Clarifying requirements – 17 explicit Principles of effective internal control are articulated, each supported by optional Points of Focus that facilitate design, implementation and conduct of internal controls. These Principles are based on the 2006 Guidance for smaller public companies and represent fundamental concepts that need to be present, functioning and operating together in an integrated manner.
- Providing updated content – the new Framework is more usable for those people involved in internal control over external financial reporting (ICFR) and also addresses changes in business and operating environments. Moreover, it shares approaches and examples to illustrate how entities may apply the new Principles.
Adjusting the Sails
Since COSO is not a regulator and thus cannot mandate actions, the COSO board recommends that users transition to the 2013 framework as soon as it is feasible. Ideally the realignment should be completed in time for the ICFR assessment for the following fiscal year. The 1992 framework is declared valid until December 15, 2014, after which it will be deemed superseded. Those organisations that do not go ahead with the transition will then find it difficult to qualify under the SEC’s criteria for a “suitable framework” when trying to meet the requirements of SOX Section 404.
Note that two other COSO guides, COSO’s Enterprise Risk Management—Integrated Framework and COSO’s Guidance on Monitoring Internal Control Systems, are considered complementary and will not be superseded by the 2013 Internal Control Framework.
The resulting relatively short transition period calls for the following immediate actions:
- Determine the impact on your organisation by assessing current coverage and application of the Principles and identification of gaps
- Develop and execute a transition plan to meet the December 15, 2014 deadline
- Communicate to internal and external stakeholders
Multiple challenges are likely to arise during the implementation of the new framework. Three key areas that will influence the transition project in this sense are:
Increased Role of Technology
Two of the new Principles require careful consideration: Principle #11, which addresses the sufficiency of scope and documentation to cover all relevant general technology controls, and Principle #13, which concerns the reliability and timeliness of reports and the underlying data used in executing controls. Both of these Principles require discussions in the early stages of the transition process to ensure that the control documentation is completed appropriately during the controls mapping process. IT-focused frameworks such as the recently published COBIT 5 from ISACA offer valuable guidance in this area.
Previously, when assuring that relevant financial reporting assertions were met, fraud risks were typically considered an integrated part of control activities and embedded in the overall assessment of financial reporting risk. In the 2013 Framework, the additional emphasis in the standalone Principle #8 suggests the need for a broader fraud risk assessment that can also address operational business objectives.
Various initiatives can be introduced to identify and minimize fraud; nonetheless, identifying business exceptions in standard transactional processes is perhaps one of the most effective methodologies. Using data analytics to support Key Exception Indicators (KEIs) is an adequate response to the need for broader anti-fraud coverage.
More detailed emphasis on risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed and the linkage between risk assessment and control activities, will require better documentation of the risk assessment process. At the same time, the need for a more formal way of designing and evaluating internal control in accordance with the Principles may lead to a control-centric rather than a risk-centric approach, with the unwanted result of focusing effort on “covering” the Principles rather than on actual risk mitigation.
The 5 COSO Transition Opportunities
The amount of effort necessary to transition to the new 2013 framework can vary significantly, depending on a series of factors: the size and complexity of the organisation, the state of control documentation and/or external auditor expectations. Having said this, the transition bears enough potential to create additional value for the organisation by refreshing and enhancing the internal control system. The five biggest opportunities in this respect are:
1. Utilize the Automation Potential of the Control Activities
Most business processes have a mix of manual, IT-dependent and automated controls that varies depending on the penetration of technology in the organisation. The 2013 Framework emphasizes in the Points of Focus for Principle #10 that automated controls tend to be more reliable, since they are less susceptible to human judgment and error, and thus are typically more efficient (assuming that general technology controls are implemented and operating). In the transition to the new framework, key financial and operational control activities will need to be reviewed and assessed for efficiency and effectiveness. This provides an excellent opportunity to enhance controls both in depth and relevance by using tools already available in the organization or industry-standard solutions, so as to:
- Eliminate ad-hoc data analysis
- Move from sample-based control activities to 100% control coverage
- Improve control frequency and implement automatic real-time report distribution
- Embed audit trails safeguarding all relevant information
Suggested focus: review the key control objectives and the potential for automating the associated control activities. This will enable you to assess the opportunity to improve control design and resource efficiency while decreasing the associated risk. From our experience, up to 75% of key financial controls can be automated.
2. Assess the fundamentals of effective risk monitoring and attestation
Controls built into routine transactions execute on a real-time basis to form a first line of defence in risk assurance. To augment this, a separate evaluation needs to be conducted by (independent) management, internal audit and/or external parties on a regular basis to attest whether these embedded controls are present and “continue to operate effectively”, as described in each of the five COSO components. Since unmonitored controls tend to deteriorate over time, using technology in this context is imperative. Using the detailed descriptions in the above-mentioned Guidance on Monitoring Internal Control Systems as a guide, the COSO transition phase is a good time to revisit the fundamentals of effective risk monitoring and attestation by tapping the automation potential to:
- Identify and maximize the effectiveness of monitoring activities
- Review the opportunities to automate attestation workflows
- Identify and improve ineffective, obsolete or inefficient monitoring
- Apply the 80/20 rule to automated versus manual monitoring
Suggested focus: if you are doing control monitoring and attestation manually, do not start with an implementation of a risk monitoring tool. First look at the continuous monitoring process objectives and define the business requirements. If you already have a risk monitoring tool, evaluate the changes in the control activities and adapt the monitoring and attestation to those.
3. Improve Operations
The expanded operational objectives in the new 2013 COSO framework broaden the application scope of the assessment concepts and monitoring methodologies. Potential synergies and simplifications might be available by looking at similar programmes covering broader financial and non-financial compliance and business process operational objectives, such as BI and KPI dashboard projects. For example, by monitoring transactions and identifying exceptions in accounts payable processes you can turn a detective control into a preventive control and, at the same time, contribute to better cash flow management. Further opportunities include:
- Identifying and following leading rather than lagging performance and risk indicators
- Focusing on the (standard) business process rather than the standard data input process
- Evaluating the business benefit of linking KPIs to Key Exception Indicators (KEIs) to deliver true business insight
- Maximizing the process improvement drive while at the same time limiting process risk potential
Suggested focus: do not reinvent the wheel and create new silos. Identify and align with other current process improvement, risk and compliance initiatives in terms of semantics and common objectives.
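The following is an added example, not code from the article or from any product it mentions, illustrating the ideas in the fraud and automation sections above: data analytics that evaluate Key Exception Indicators over every accounts-payable record rather than a sample, and an audit trail that safeguards the findings. The vendor master, employee accounts, invoice feed, approval threshold and indicator names are all constructed sample data and assumed policy values, not figures from the article.

```python
"""Automated Key Exception Indicators (KEIs) over an accounts-payable feed,
with a hash-chained audit trail of every finding.

Added example for this article; the vendor master, employee accounts,
invoice feed and approval threshold below are constructed sample data."""
import hashlib
import json
from collections import Counter

# Constructed vendor master: vendor id -> bank account on file.
VENDOR_MASTER = {
    "V001": "ACCT-1001",
    "V002": "ACCT-2002",
    "V003": "ACCT-3003",
}
# Constructed payroll accounts; a vendor paid into an employee's account is a classic red flag.
EMPLOYEE_ACCOUNTS = {"E117": "ACCT-2002"}
APPROVAL_THRESHOLD = 10_000.0  # assumed policy value: above this an approver is mandatory

# Constructed AP invoice feed. Every record is examined (100% coverage), not a sample.
INVOICES = [
    {"id": 1, "vendor": "V001", "invoice_no": "A-100", "amount": 2500.0, "approver": "M1"},
    {"id": 2, "vendor": "V001", "invoice_no": "A-100", "amount": 2500.0, "approver": "M1"},
    {"id": 3, "vendor": "V009", "invoice_no": "Z-7", "amount": 800.0, "approver": "M2"},
    {"id": 4, "vendor": "V003", "invoice_no": "F-12", "amount": 15000.0, "approver": None},
    {"id": 5, "vendor": "V002", "invoice_no": "N-55", "amount": 1200.0, "approver": "M1"},
]
GENESIS = "0" * 64  # starting value for the hash chain


def run_keis(invoices, vendor_master=VENDOR_MASTER, employee_accounts=EMPLOYEE_ACCOUNTS,
             threshold=APPROVAL_THRESHOLD):
    """Evaluate four KEIs against every invoice.

    Returns a list of [indicator, invoice_id, detail] findings, in feed order."""
    findings = []
    # Count (vendor, invoice number) pairs once, so duplicates are flagged wherever they sit.
    seen = Counter((inv["vendor"], inv["invoice_no"]) for inv in invoices)
    employee_banks = set(employee_accounts.values())
    for inv in invoices:
        key = (inv["vendor"], inv["invoice_no"])
        if seen[key] > 1:
            findings.append(["DUPLICATE_INVOICE", inv["id"], f"{key[0]}/{key[1]} x{seen[key]}"])
        if inv["vendor"] not in vendor_master:
            findings.append(["UNKNOWN_VENDOR", inv["id"], inv["vendor"]])
        if inv["amount"] > threshold and not inv["approver"]:
            findings.append(["UNAPPROVED_OVER_THRESHOLD", inv["id"], f"{inv['amount']:.2f}"])
        if vendor_master.get(inv["vendor"]) in employee_banks:
            findings.append(["VENDOR_BANK_MATCHES_EMPLOYEE", inv["id"], inv["vendor"]])
    return findings


def _entry_hash(prev, finding):
    """SHA-256 over the previous hash and the finding, serialised deterministically."""
    payload = json.dumps({"prev": prev, "finding": finding}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_audit_trail(findings):
    """Chain each finding to the previous entry's hash so that later edits,
    insertions or deletions of findings are detectable."""
    trail, prev = [], GENESIS
    for finding in findings:
        digest = _entry_hash(prev, finding)
        trail.append({"prev": prev, "finding": finding, "hash": digest})
        prev = digest
    return trail


def verify_audit_trail(trail):
    """Recompute the chain; False means at least one entry was altered or removed."""
    prev = GENESIS
    for entry in trail:
        if entry["prev"] != prev or _entry_hash(prev, entry["finding"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    found = run_keis(INVOICES)
    for indicator, invoice_id, detail in found:
        print(f"{indicator:<30} invoice {invoice_id}: {detail}")
    trail = build_audit_trail(found)
    print("audit trail intact:", verify_audit_trail(trail))
```

Run as a script, the block flags the duplicated invoice pair, the payment to a vendor missing from the master, the over-threshold invoice with no approver and the vendor whose bank account matches an employee's, then confirms the trail verifies. The hash chain is what turns the findings log into an audit trail in the sense the article means: a reviewer can re-run `verify_audit_trail` later and any edited or deleted finding breaks the chain. In practice the chain head would be anchored somewhere the AP process owner cannot write to (a separate log store or a signed checkpoint), which this stand-alone example does not show.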
4. Improve Anti-Fraud Measures
According to the Association of Certified Fraud Examiners (ACFE), organizations lose up to 5% of their revenues to fraud, waste & error each year. A recent study points to failing internal controls as the primary weakness leading to fraud. The explicit focus the new COSO framework places on fraud measures is another reason to revisit this area and the most successful measures for reducing fraud, such as:
- Establish or Update the Code of Conduct & Anti-Fraud policies
- Review or Implement Hotline & Whistleblower programs
- Conduct fraud training sessions for Management & Employees
Suggested focus: often a simple review of the current state and the re-establishment of partnerships with responsible stakeholders via workshops (e.g. risk managers, internal audit, security and the audit committee) can generate positive effects in fraud prevention.
5. Enhance Risk & Assurance Coverage
New governance concepts, such as dealing with increasing business complexity as a result of globalization, outsourcing trends and 24/7 operations, are addressed explicitly in the 2013 Framework’s Principles and Points of Focus. Therefore, the adaptation process will possibly highlight new risk areas related to externally sourced services that need a more formal evaluation, such as:
- Increase the role of board oversight and enhance measures against management override
- Extend the coverage of Outsourced Service Provider (OSP) monitoring
- Align the IT solutions in place to enhance risk management and assurance capabilities
Suggested focus: if your organisation is already a SOX filer, review the service management documentation in the form of SAS 70 Type II, ISO 27000 or SSAE 16 reports. If not under the SOX umbrella, you can still use these formats to assess the service risk separately from the new COSO Framework.
Summary & Conclusion
The new 2013 COSO framework is an evolution rather than a revolution. Stemming from 20 years of intensive use, it aims to broaden its application to more areas and sizes of business. It introduces a set of 17 core Principles, encompassing wider organizational objectives and providing illustrative examples.
Depending on the readiness and condition of the internal controls function in your company, challenges might arise during the relatively short transition period, especially for organizations that have been devoting limited attention to internal and external fraud risk and to risk assessment methodology in general. The enhanced focus placed on the use of automation and technology might represent another skeleton in the closet, which may be resolved through the elements of the 2013 Framework. With every change initiative, new risks emerge but also opportunities for improvement, if the sails are adjusted accordingly.
We advise using the COSO transition as an opportunity to look at automation initiatives which can trigger untapped process efficiencies, as well as the identification of unknown business exceptions. The outcome can be a streamlined operation showing marginal performance gains in the various business processes, leading to aggregated, improved business results and far better managed risks.
Use the newly incorporated or emphasized Framework elements, such as anti-fraud, information technology and outsourced service providers, to unlock the potential for automation in financial operations.
In applying the COSO 2013 Framework, there lies a tremendous chance to bring both control and monitoring of financial processes to the next level, moving from a necessary administrative burden towards proactive guidance of business operations.