Since the Committee of Sponsoring Organizations (COSO) issued its Internal Control — Integrated Framework (2013 Framework) in May 2013, many organizations have implemented the new framework to comply with the initial December 15, 2014 transition deadline. The 2013 Framework’s internal control components (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities) have not changed since the 1992 Framework was published. However, the 2013 Framework requires management to assess whether 17 principles are present and functioning, which is a change from the previous framework. Further, the 2013 Framework includes points of focus, which are important characteristics of the 17 principles and assist management with determining whether controls are properly present and functioning.
The COSO internal control framework is used widely by many public and private organizations. For public companies, the transition to the new 2013 Framework has impacted their compliance with the Sarbanes-Oxley Act (SOX). Public organizations are required to disclose which framework they are adhering to (whether 1992 or 2013), as some public organizations delayed implementing the new 2013 Framework. For other organizations, the transition to the 2013 Framework is recommended because the 1992 Framework has been superseded.
The new 2013 Framework has given both public and private organizations an opportunity to re-evaluate their controls. Implementing the 2013 Framework requires stakeholders to evaluate the new framework and determine whether any gaps exist.
Mapping to the 2013 framework
Public or private organizations that have not made the transition to the 2013 Framework should familiarize themselves with the changes to the 2013 Framework. Although not required, it is recommended that organizations formally map their existing controls to the 17 principles and the applicable points of focus. The mapping should help evaluate the impact of implementing the 2013 Framework and identify any resulting control changes that would be necessary to their existing control environment. Completing the mapping process early in the internal control risk assessment process is critical and should lead to timely identification of gaps and allow for sufficient time for remediation. As part of the mapping exercise, key internal audit stakeholders and control owners should be involved in order to ensure all relevant controls are captured and the mapping is complete and accurate.
The most direct way to determine control gaps is by utilizing a robust mapping tool. A good mapping tool will include the points of focus and control examples from the COSO Compendium of Examples. The tool should also account for the fact that some controls can cover multiple principles and points of focus, but attention should be given to documenting how each control activity addresses the points of focus and related principles. Once all of the relevant points of focus are addressed by a control activity, organizations need to evaluate whether the controls are present and functioning. Present and functioning refers to evaluating the controls for design and operating effectiveness. This evaluation is a key factor when determining whether or not a deficiency exists.
Among public companies, some organizations have found it beneficial to coordinate activities with the external auditors: share the completed mapping, review existing documentation for precision of control performance, and agree upon the test plans. Coordinating these efforts often reduces the risk of deficiencies arising later in the process.
Challenges of implementing the 2013 framework
The impact of the new framework is dependent on how well an adopting company originally understood and applied the 1992 Framework. Therefore, management and key stakeholders (including internal audit, legal, finance, risk management, and human resources) have faced challenges in implementing the new framework and have identified deficiencies and gaps as a result. Many organizations delayed implementing the 2013 Framework due to these challenges.
The following are some of the common challenges that were faced by organizations that have implemented the 2013 Framework over the past two years:
- Auditability of entity-level controls (more common for public companies)
- Succession planning
- Consideration of fraud and fraud risk assessment
Entity level controls
Entity level controls commonly have an indirect relationship to the financial statements. However, with the 2013 Framework, additional emphasis has been placed on how entity level controls directly impact the control environment. This emphasis has resulted in internal control testing that requires the precision of these controls to be evaluated, requiring additional documentation on the thresholds, metrics, and outliers evaluated in the performance of these controls. Since entity level controls are more difficult to evaluate and quantitatively assess than direct controls, organizations have struggled to provide documentation to auditors to support management’s conclusions around the operating effectiveness of the controls.
Management and/or internal audit should spend additional time evaluating entity level controls through the mapping process, and focus on ensuring that the entity level controls are robust and that documentation exists to support the precision of control performance. Along with the precision of control performance, the competency of the individuals performing the controls and each individual's impact on the performance of these controls must be evaluated.
Fraud risk assessment
A formalized and documented fraud risk assessment is an area where many organizations have noted gaps in their existing internal control structure. To adequately address fraud considerations within the 2013 Framework, management from all functional areas should help document potential fraud risk scenarios in a formal fraud risk assessment. The fraud risk scenarios should be evaluated for both impact to the organization and likelihood of occurrence. Existing anti-fraud controls should be identified and evaluated to determine the risk mitigation for each of the documented fraud scenarios. At a minimum, the fraud risk assessment should cover scenarios around corruption, asset misappropriation, and fraudulent financial reporting.
Succession planning
The 2013 Framework also focuses on how organizations maintain a commitment to attract, retain, and replace key leadership positions. Additional focus is placed on human resource policies and procedures, and on the existence of plans for succession and transition of key leadership. For many organizations, these controls have not been identified or tested.
What to do now
While many organizations may have a robust system of internal control, transitioning to the 2013 Framework provides a good opportunity for organizations (public or private) to refresh their existing internal control structure and take a step back to view their overall governance landscape. Doing so could lead to opportunities for improvement in the context of communication, risk management, management reporting and overall compliance activities.
For organizations that have adopted the 2013 Framework, controls should be continuously reassessed and refreshed as processes, people, and technology change within the business. For organizations that have not adopted the new 2013 Framework, consider performing the mapping process early so that any potential gaps are identified and remediated in a timely manner.