Risk Management

Growing Companies Need Internal-Controls Help

In the wait for COSO's internal control guidelines due out in May, CFOs and their staffs, particularly those from small and medium size entities, m...
Kristine Brands, April 16, 2013

CFOs and their staffs who have put off updating their internal controls until new guidelines are released may find out they have a lot more work to do. That’s especially so for finance folks who work for small and medium-sized entities (SMEs), which tend to have fewer resources than their peers at bigger companies do.

The Committee of Sponsoring Organizations for the Treadway Commission (COSO) is due to release its new framework, 2013 Internal Control – Integrated Framework, and its supplemental guidance on May 14. It should help corporate executives adopt better internal controls in operations, compliance and financial reporting.


Becoming familiar with the new framework and its optional, adaptable guidelines as early as possible is the first–and arguably the most important–step CFOs and their teams can take toward adopting more effective internal control systems by 2014. They also should include their auditors in the planning process.   

The document itself, along with its companion guides, represents two-and-a-half years of effort to refresh the original 1992 internal-control framework and reflects changes in the business environment over the past 21 years. The transition period for the new framework is May 14, 2013 through December 15, 2014.

It’s important to remember that the COSO board continues to have confidence in the 1992 framework and allows companies to use it through the transition period, after which it is considered superseded by the new framework. During this period, COSO advises companies to disclose which framework they are using.

With a 19-month window for the transition to the new framework, CFOs thus need to develop a plan to map their current internal-control systems to it and ensure that the additions relevant to their companies are satisfied. Corporate execs need to become familiar with the 17 principles embedded in the original framework that take prominence in the new framework. The principles concern the control environment, risk assessment, control activities, information and communication and monitoring activities.

But for SMEs, the transition period could be even tighter. That’s because they typically would need a longer time to catch up. Evaluating the COSO components regarding monitoring internal controls, for example, will require resources and expertise that might stretch SMEs’ budgets. Large-cap companies may be able to automate that evaluation, but SMEs may not have the information-system resources needed for automation and may have to rely on manual evaluations.

Determining Effectiveness

Although CFOs will also find the new COSO supplemental guidance useful, not all of the guidance is right for every size of business. Corporate executives need to determine the appropriate level of adherence for their business.   

For example, COSO’s Illustrative Tools for Assessing Effectiveness of a System of Internal Controls supplement provides a method for companies to demonstrate that their internal-control systems are effective. But it’s not intended to evaluate transaction-level internal controls. It merely includes templates on how to organize the effectiveness assessment and scenarios showing how to apply the templates.

Though using the templates is often described as complicated, it’s important to remember that companies are not required to use them. Indeed, this complex tool may be difficult to apply to one’s operations. But the CFO’s team still needs to evaluate whether it will be helpful to their organizations or whether, instead, it’s necessary to develop a new approach for assessing the effectiveness of their systems of internal control.

Similarly, COSO’s compendium of examples that help corporate executives in the external financial reporting process, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, is still optional guidance–but it can help. One principle is that “the board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.”

That’s an important principle, and for some, one that is easily followed. How would a company’s internal control satisfy this principle? It would do so if the company has standards of conduct for the board and addresses any deviations from those standards.

But again, this may be harder to apply for all companies, particularly when considering SMEs. For example, financial dashboards (which depict financial data online) could be used to satisfy COSO’s “Information and Communication” control component by automatically communicating financial results to the organization.

But Enterprise Resource Planning (ERP) systems of growing companies may not include this capability. If that’s the case, SMEs could develop periodic reports that communicate dashboard-type results to the organization.

As it stands, the compendium is expected to supersede COSO’s already existing 2006 Internal Control over Financial Reporting–Guidance for Smaller Companies.

For companies of all sizes, however, the new compendium also clarifies wording about what constitutes “material weaknesses/major deficiencies” in internal controls and aligns with what the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) agree on for a “top-down and risk-based approach” to internal controls (where management focuses on risks that could result in a material misstatement of the company’s financials). Both the SEC and PCAOB have said the COSO framework is appropriate.

Companies required to comply with the SEC’s classification of internal-control weaknesses can use the COSO guidance to classify internal-control deficiencies as a material weakness, significant deficiency or control weakness. The supplement says: “If an internal control deficiency is classified as a material weakness, the company’s system of internal control over financial reporting does not meet the framework’s requirements for effective internal control. However, if an internal control deficiency is not classified as a material weakness, the company’s system could still achieve effective internal control over external financial reporting.”  

In addition, the COSO supplement added the following focus points that address risk when finance departments prepare financial statements: risk of material omission or misstatement; risk of material omission or misstatement due to fraud; risk of material omission due to illegal acts and corruption; and the need for risk response. 

Recommendations have also been made to the COSO board to pursue follow-up projects that would include more detailed examples in the compendium.

Kristine Brands, CMA, is an assistant professor at Regis University in Colorado Springs, Colorado. She is also a member of the Institute of Management Accountants (IMA)’s Global Board of Directors and is a member of IMA’s COSO Advisory Panel.