|Timing Is Everything
By Sara Lord, CPA
In approaching the updated COSO framework, we believe that timing is critical. We feel it is important to get out of the starting gate early because we want to help our auditors understand the value of evaluating their control structure now so they can identify and address any issues before adoption of the updated framework in 2014. Within the firm, we started our preparation in April with webcasts that provided a high-level overview of the updated framework to our auditors and consultants. In addition, we are planning to provide our SEC auditors with two hours of live training this fall.
In May, we introduced the updated framework to our clients and other interested parties with a webcast tailored to their needs. We also issued a white paper and an internal client briefing document for our auditors to use in discussing the updated framework with clients. We have recommended that clients start now and perform an analysis of the gaps they find between their current control structure and the updated framework. This is also a good time for organizations to consider and readjust their related best practices as necessary. The earlier that auditors initiate client discussions about the updated framework and what it means, the more smoothly implementation will go.
The updated framework will also force auditors and organizations to make a real shift in mindset. In the past, 95% of our efforts were focused on control activities, because they’re tangible and understandable, while the other components really shared the remaining 5%. The new framework encourages giving 20% of your focus to each component and requires organizations to consider the interplay among all of the components. This update will require auditors and organizations to better analyze and consider all interconnected information within the control system.
The updated framework opens up a host of service opportunities. Of course, there are limitations on additional service opportunities with attest clients, but we can work with them to educate their staff, share best practices we’re seeing in other companies and provide a sounding board for their questions and ideas. Among large nonattest clients, we can assist them as an outsource partner when performing their gap analysis, designing process changes, or updating process documentation. Smaller companies won’t have as many documentation requirements, but we can show them how to use the updated framework to enhance their risk assessment process and we could also take on an advisory role with their boards, if they have them. In addition, we can assist in their strategic planning and can help them weave in the framework’s concepts regarding control issues and the impact they have throughout the organization.
Whether you’re considering training and preparation options or positioning your firm for better client opportunities, now’s the time to get started with your plan and begin understanding and implementing the updated framework.
Sara Lord, CPA, is Partner, National Professional Standards Group, McGladrey LLP and a member of the PCPS Technical Issues Committee.
Use COSO to Refresh Best Practices
By Dustin Verity, CPA
The updated COSO framework offers our firm an excellent opportunity to work with clients to update their policies and refresh their best practices. We are a very small firm made up of myself, a senior and a manager. Our clients are mainly single member LLCs with no employees that are member managed. For companies of this size, it can be difficult to find guidance on how to implement risk assessment standards, but the updated framework provides additional useful guidance. One of the notable changes in the framework is the inclusion of 17 principles associated with the components. Principles were actually initially introduced in 2006 in COSO Internal Control over Financial Reporting—Guidance for Smaller Public Companies, so their recent addition to the overall framework will be valuable to clients like ours. Another significant change is that we may now be able to lower the level of control risk assessment in an audit if some of the risk management work is performed by an outside party, such as an attorney or consultant. These are important changes included in the updated framework that will directly benefit our clients.
To get started in implementation, we are contacting clients and opening a dialogue on what the updated framework may mean to them and their business. Many of our clients have the impression that the original framework, a 400-page document on internal controls, really was meant for larger companies. While the new document may still be weighty, its issuance gives us a great chance to reintroduce them to the framework and the many ways it can help them in their businesses. One of our clients has a one-person shop and uses several service providers to enhance his risk management. This updated framework will have a significant impact on the complexity and cost of his audit as we could lower his control risk assessment from the maximum by giving him credit for those service providers. Smaller firms can really demonstrate their value by being proactive and talking to those clients who can specifically benefit from the updated framework.
There’s a lot to learn about the framework, but small firms can find updates through the state CPA societies or the PCPS toolkit, which is expected to be available next month. In addition, we are looking to team up with other firms and schedule training, such as a lunch and learn series. Getting up to speed on the changes will certainly be worth it for our firms and our clients and it offers us an excellent chance to add real value by helping clients refresh their best practices.
Dustin Verity, CPA, is Principal of Verity Accountancy Corp, Honolulu, Hawaii and a member of the PCPS Technical Issues Committee.