COSO’s internal control framework - the most widely used framework in the U.S. – is the defacto “standard” by which companies and audit firms measure and attest to the effectiveness of their company’s (or audit client, respectively) system of internal controls over financial reporting, as required under Sarbanes-Oxley Section 404, and cited in related rulemaking of the SEC and PCAOB.
The updated COSO framework, while retaining the original five ‘core components’ of internal control (control environment, risk assessment, control activities, information & communication, and monitoring), adds seventeen newly articulated principles which companies need to demonstrate are in place and operating effectively in order to opine that the system of internal control is "effective." Deficiencies are to be assessed for their impact, with major deficiencies in internal control over financial reporting, for purposes of Sarbanes-Oxley reporting, measured using the SEC’s criteria for ‘material weakness.’
Is implementation of ‘COSO 2013,’ as some refer to the updated version published by the private sector organization in May of 2013, a trip to a strange new land?
Not according to John Neuman, Global Financial Accounting Director at Dow Chemical, who describes the implementation of COSO 2013 as more of a “journey.” Indeed, many people have turned to a ‘mapping’ process to document how their existing systems of internal control over financial reporting fulfill the 17 principles of internal control established in COSO 2013, rather than having to build a new system of internal control from the ground up.
Tales of the ‘Journey to COSO implementation’ will be presented during a panel session that Neuman is moderating at FEI’s annual Current Financial Reporting Issues (CFRI) Conference in New York City next week.
Panelists sharing their COSO Journey on along with Neuman on the CFRI panel include Jennifer M. Burns, Partner, Regulatory and Professional Matters, Deloitte LLP, Ray Purcell, Director – Financial Controls, Pfizer Inc., and Steve Forrest, Assistant Controller, Raytheon Company.
According to Neuman, some of the issues likely to be discussed by the CFRI COSO panel include:
- 2014 was an implementation year and many companies managed the transition to COSO 2013 as a project. Do you anticipate making any changes in 2015 to support ongoing compliance with COSO 2013 (organization or process changes)?
- The Journey - Tell us about how this effort was organized at your company. Who does what; how much time does it take; where are you now and what’s left to be done at this point?
- Has the transition to COSO 2013 led your organization to add new, or enhance existing, controls? Can you give us some ideas about the process areas and controls that needed enhancement? Do you see other opportunities?
- Are you considering the adoption of COSO 2013 for any other areas beyond SOX – such as internal financial reporting, legal compliance or operational efficiency?
- Surprises / Lessons learned - What didn’t go as expected? Where are the challenges? What have you learned from this work?
- Auditor Concerns - Have there been any difficulties navigating the transition with your auditors? How have you involved them in your planning, and along the way?
- Auditor Perspective: COSO Implementation – Common areas of challenge
Learn from others' journey to COSO implementation by attending FEI's CFRI conference:
online registration for CFRI is still available. Other featured panels include an SEC/PCAOB update, FASB update, an Audit Committee Roundtable, panels on FASB’s new Revenue Recognition standard, the SEC’s Disclosure Effectiveness initiative, and much more.
And, Save-the-Date for an important webcast on COSO brought to you by FEI and BlackLine Systems on December 16, 2014; information will be posted soon at www.financialexecutives.org/coso.