Keeping Up with COSO
The Committee of Sponsoring Organizations of the Treadway Commission—known as COSO—has issued an updated Internal Control–Integrated Framework and related illustrative documents. COSO noted that the framework, which is used by a variety of organizations to design, implement and conduct internal control and assess its effectiveness, was last updated in 1992. Since that time, mounting complexity, new technologies and an increasingly global marketplace have caused marked changes in the business environment.
The core definition of internal control and the five components of internal control—control environment, risk assessment, information and communication, control activities and monitoring activities—are the same in the updated document but, according to COSO, new enhancements and clarifications make the guidance easier to use and apply. Fundamental concepts in the original framework were formalized and the formalized concepts are now principles in the updated framework. There are 17 principles altogether and they are supported by 81 points of focus that can be considered important characteristics of the principles.
PCPS is developing a toolkit that will be available by September 1 and will help members understand and implement the updated framework. It will provide clarification on the changes and will include a plain English introduction to the framework, staff training tools, an implementation checklist, client communication tools and a review of service opportunities for smaller firms. At the same time, the AICPA has created a resource page that features a wealth of background information. In this issue of PCPS News & Views, two CPAs offer insights on how they have prepared their staff to use the updated framework and how they’re making the most of the new service opportunities it offers.
By Sara Lord, CPA
In approaching the updated COSO framework, we believe that timing is critical. We feel it is important to get out of the starting gate early because we want to help our auditors understand the value of evaluating their control structure now so they can identify and address any issues before adoption of the updated framework in 2014. Within the firm, we started our preparation in April with webcasts that provided a high-level overview of the updated framework to our auditors and consultants. In addition, we are planning to provide our SEC auditors with two hours of live training this fall.
In May, we introduced the updated framework to our clients and other interested parties with a webcast tailored to their needs. We also issued a white paper and an internal client briefing document for our auditors to use in discussing the updated framework with clients. We have recommended that clients start now and perform an analysis of the gaps they find between their current control structure and the updated framework. This is also a good time for organizations to consider and readjust their related best practices as necessary. The earlier that auditors initiate client discussions about the updated framework and what it means, the more smoothly implementation will go.
The updated framework will also force auditors and organizations to make a real shift in mindset. In the past, 95% of our efforts were focused on control activities, because they’re tangible and understandable, while the other components really shared the remaining 5%. The new framework encourages giving 20% of your focus to each component and requires organizations to consider the interplay among all of the components. This update will require auditors and organizations to better analyze and consider all interconnected information within the control system.
The updated framework opens up a host of service opportunities. Of course, there are limitations on additional service opportunities with attest clients, but we can work with them to educate their staff, share best practices we’re seeing in other companies and provide a sounding board for their questions and ideas. Among large nonattest clients, we can assist them as an outsource partner when performing their gap analysis, designing process changes, or updating process documentation. Smaller companies won’t have as many documentation requirements, but we can show them how to use the updated framework to enhance their risk assessment process and we could also take on an advisory role with their boards, if they have them. In addition, we can assist in their strategic planning and can help them weave in the framework’s concepts regarding control issues and the impact they have throughout the organization.
Whether you’re considering training and preparation options or positioning your firm for better client opportunities, now’s the time to get started with your plan and begin understanding and implementing the updated framework.
Sara Lord, CPA, is Partner, National Professional Standards Group, McGladrey LLP and a member of the PCPS Technical Issues Committee.
By Dustin Verity, CPA
The updated COSO framework offers our firm an excellent opportunity to work with clients to update their policies and refresh their best practices. We are a very small firm made up of myself, a senior and a manager. Our clients are mainly single member LLCs with no employees that are member managed. For companies of this size, it can be difficult to find guidance on how to implement risk assessment standards, but the updated framework provides additional useful guidance. One of the notable changes in the framework is the inclusion of 17 principles associated with the components. Principles were actually initially introduced in 2006 in COSO Internal Control over Financial Reporting—Guidance for Smaller Public Companies, so their recent addition to the overall framework will be valuable to clients like ours. Another significant change is that we may now be able to lower the level of control risk assessment in an audit if some of the risk management work is performed by an outside party, such as an attorney or consultant. These are important changes included in the updated framework that will directly benefit our clients.
To get started in implementation, we are contacting clients and opening a dialogue on what the updated framework may mean to them and their business. Many of our clients have the impression that the original framework, a 400-page document on internal controls, really was meant for larger companies. While the new document may still be weighty, its issuance gives us a great chance to reintroduce them to the framework and the many ways it can help them in their businesses. One of our clients has a one-person shop and uses several service providers to enhance his risk management. This updated framework will have a significant impact on the complexity and cost of his audit as we could lower his control risk assessment from the maximum by giving him credit for those service providers. Smaller firms can really demonstrate their value by being proactive and talking to those clients who can specifically benefit from the updated framework.
There’s a lot to learn about the framework, but small firms can find updates through the state CPA societies or the PCPS toolkit, which is expected to be available next month. In addition, we are looking to team up with other firms and schedule training, such as a lunch and learn series. Getting up to speed on the changes will certainly be worth it for our firms and our clients and it offers us an excellent chance to add real value by helping clients refresh their best practices.
Dustin Verity, CPA, is Principal of Verity Accountancy Corp, Honolulu, Hawaii and a member of the PCPS Technical Issues Committee.