Talking Sense about COSO 2013 and SOX

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


Congratulations to Financial Executives International (FEI, one of the sponsoring organizations behind COSO) and its Accounting Policy Analysis and Communications Director, Edith Orenstein.

They commemorated the one year anniversary of the release of the COSO Internal Control–Integrated Framework update by collecting comments from several of the key players involved in its production.

I celebrate some of these comments, while others I prefer to overlook.

“Keeping Your Controls Under Control: COSO Turns One” starts well. The title points to one of the areas where COSO provides little guidance: how to ensure you don’t have an inefficient internal control system. COSO focuses on effective internal control, but many organizations have redundant, duplicative controls — they lack efficiency. COSO does not provide guidance on how to select the most appropriate combination of controls for your organization, only on how to ensure that internal controls operate effectively. So, I like the title — keeping the number of controls under control.

If you have been reading my comments on the COSO update, you will know that I am concerned that people will leap to including controls in their SOX scope that are not necessary because they are not relied upon to either prevent or detect a material error or omission in the financial statements filed with the SEC. That is the almost inevitable result of including in scope all the controls they map to the 17 COSO Principles. Consultants are guiding people to do this, using the 17 Principles (and often the Points of Focus) as a checklist, on the mistaken assumption that perfect assurance is needed on all 17 Principles — when, in fact, the Principles can be assessed as present and functioning for SOX purposes as long as any related defects do not represent a “major” weakness (in SOX language, a material weakness) in achieving the external reporting objective.

I should point out that FEI, with leadership from Ms. Orenstein, joined the IIA and others (including me) in pressing COSO to ensure that the 17 Principles are not used as a checklist, and in asking for a continuing emphasis on the assertion that internal control is effective when it manages risk at acceptable levels. Congratulations again, FEI!

Now the comments I liked:

From Marie Hollein, President and CEO of FEI: “COSO’s updated internal control framework, like the original framework, will continue to rely on the strength of its being a principles-based framework. COSO’s intent is NOT for its framework to become a checklist, and while there are many avenues for implementation, including mapping from the ’92 to the 2013 versions of the framework, the facts and circumstances at each company will vary. COSO did not prescribe, and is not in the business of prescribing, any minimal ‘mandatory’ documentation or evidentiary requirements.”

Ray Purcell of Pfizer: “Take a reasonable approach — don’t overdo this. This shouldn’t be a complete overhaul of the system of internal controls — no major projects, consultants, or mountains of documents are required. COSO 2013 is an opportunity to review your controls and make some enhancements, but this is more of a continuous improvement initiative than reengineering.”

Jim DeLoach of Protiviti had wise words to contribute: “Regarding the implementation of the new framework, the most important thing I can think of is the need to apply it with a top-down, risk-based focus and approach. Applying the framework as a checklist is not what COSO intended.”

If you are looking to improve both the efficiency and effectiveness of your SOX program, meeting both the regulatory requirement for a top-down and risk-based approach and the new COSO expectation that all the principles are present and functioning, please check out my book for management on SOX, published by the IIA and available on their site and on Amazon.

I welcome your comments, especially any stories you can share about what your external auditors are telling you.

Posted on May 16, 2014 by Norman Marks

  1. Norman,

    Thanks for citing the column and sharing the "comments you liked." I was waiting for the "other shoe to drop" at the end of your column, (things you "didn't like"), but perhaps the first shoe was your general comments further above about the updated COSO framework potentially being (mis) used as a newfangled SOX checklist.

    Thanks again for reflecting on our column and moreover for sharing your reflections actively not only on COSO but the fields of internal control, GRC and risk management generally. As I say to other writers, particularly those who are 'opinionated' - I may not always agree with individual opinions but I greatly respect that there are writers who share their valuable experience and move the dialogue forward in the public domain where it is accessible to so many.

    Reading all the opinions and deciding where one stands requires readers to apply their own professional judgment, but 'pundits' definitely provide a valuable public service, and you are among the most qualified of all.

Leave a Reply