Keith Kawashima, Managing Director
Internal Audit and Financial Advisory practice
Wrapping up our Internal Audit Awareness Month webinar Q&A series, Keith Kawashima, managing director in our Silicon Valley office, answers some of the questions we weren’t able to get to in our April 29th webinar, Top 10 Lessons Learned From Implementing COSO 2013.
In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive update to its original 1992 Internal Control — Integrated Framework. This COSO framework is the de facto framework used by more than 99 percent of the organizations required to comply with Section 404, the internal control over financial reporting (ICFR) requirement, of the Sarbanes-Oxley Act of 2002 (SOX), formally the Public Company Accounting Reform and Investor Protection Act. Based on financial filings reviewed through the end of May 2015, approximately 83 percent of companies subject to the external auditor attestation requirement have transitioned from the 1992 version of COSO to the revised 2013 version.
The U.S. Congress enacted SOX in 2002, in the wake of several high-profile public company financial frauds, to give investors additional assurance that public company financial statements were prepared and controlled under reasonable standards. Among other things, this legislation created the Public Company Accounting Oversight Board (PCAOB) and charged it with establishing auditing and related professional practice standards for registered public accounting firms to follow in the preparation and issuance of audit reports.
Below, Keith addresses some SOX-specific questions regarding the application of COSO 2013.
Q: Given the increased regulatory focus on internal control deficiencies, how does COSO connect the dots between deficiencies and the scope of potential misstatements they could create?
A: The PCAOB is telling external auditors that they need to further scrutinize both the design and operating effectiveness of a company’s internal controls over financial reporting, as well as to better support the conclusions they come to in their evaluation of ICFR. Both the old COSO framework and the revised framework have five components by which internal controls are evaluated. The new framework further expands and defines each of those five components through its 17 mandatory principles. These principles are broken down even further through the points of focus.
For a control environment to be deemed effective, the company needs to be able to demonstrate that all principles are present and functioning, as well as operating together. The application of the new framework has helped, and will continue to help, both the external auditors and management to identify control gaps and evaluate the potential exposure that these gaps create. This allows them to understand the potential for misstatement that exists and helps to size the gaps as deficiencies, significant deficiencies or material weaknesses.
Q: If there is a discrepancy between the COSO 2013 internal control framework and SOX, which takes precedence? And what part of SOX compliance, specifically, does COSO address?
A: The COSO internal controls framework was released 10 years before the Sarbanes-Oxley Act was passed. As one can imagine, both the 1992 and 2013 versions were designed for broader application than the internal controls over financial reporting (ICFR) evaluation required to comply with SOX Section 404. While the focus of SOX is limited to the controls in place to ensure material accuracy of the company’s outwardly facing financial reports, the COSO framework is intended to apply more broadly to the company’s overall internal control environment. This has led some companies to either intentionally or unintentionally expand their control evaluation efforts beyond what is required for SOX purposes. As it pertains specifically to SOX, however, COSO has clearly communicated that it has provided a thorough and useful framework for evaluating internal controls, and continues to reiterate that it is not a legislative body. The SOX 404 requirement continues to focus on a top-down, risk-based scoping approach. It also has defined the evaluation criteria and reporting requirements for control gaps or deficiencies. COSO has stated that in the instance where additional criteria are required, the framework is flexible enough to accommodate them. So for SOX, the focus will be on ICFR, and the evaluation and reporting requirements remain aligned to the SOX criteria of deficiency, significant deficiency and material weakness.
Q: The PCAOB, which was created by SOX, has said that not enough work is being done by external auditors to verify the presence and functioning of internal controls over outsourced processes and third-party vendors within the scope of ICFR. How can COSO 2013 be applied to address this concern?
A: I think it’s important to recognize that while a company can outsource a process, it can never outsource the responsibility for maintaining an appropriate control environment over that process, particularly when the outputs from that process have an impact on public financial statements.
External auditors and management both need to conclude that the overall control environment is adequate and that all 17 of the COSO principles are present and functioning, regardless of whether a process or a series of processes is performed by the company or by third-party providers. The additional granularity of the revised version – including additional emphasis on areas such as the use of and reliance on technology, and an enhanced focus on fraud risks and other areas – helps us to understand the broad control environment, including areas where outsourcing is deployed.
For a more in-depth examination of the COSO 2013 internal control framework and how to implement it, you might be interested in Protiviti’s Frequently Asked Questions (FAQ) COSO publication, as well as our 5-part webinar series covering COSO 2013. Follow the links below to register for one, or all, of the free archived sessions:
COSO 2013: What is New, What Has Changed, Why Does it Matter, and Other Frequently Asked Questions (May 28, 2014)
COSO 2013: Managing the Project for Success and IPO Readiness (June 4, 2014)
COSO 2013: Mapping Controls to Principles (June 11, 2014)
COSO 2013: The Implications to IT Controls (June 18, 2014)
COSO 2013: Assessing Fraud Risks in ICEFR and Implementation Insights Panel (June 25, 2014)
Protiviti is offering these webinar Q&As in May as part of Internal Audit Awareness Month. For additional information about the month-long initiative, spearheaded by the Institute of Internal Auditors, please visit The IIA’s website.