COSO Does Not Provide Quality Guidance for SOX
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
As part of a new set of draft guidance, including an update to the Internal Controls Framework that I will review later, COSO has published (also in draft, for comment) Internal Control over External Financial Reporting: A Compendium of Approaches and Examples.
I was hoping that this document would show how the COSO Internal Controls Framework can be applied in an organization’s Sarbanes-Oxley program to identify financial reporting risks and the combination of controls to rely on to prevent or detect material misstatements.
The problem is that while it provides some useful language and examples of controls that might be identified as providing assurance on the integrity of financial statements, it fails the test of helping management identify the right controls to rely upon.
It’s one thing to identify a laundry list of controls that fit the profile of COSO’s Principles and Points of Focus.
It’s an entirely different challenge to identify an efficient set of controls that can be relied upon to provide reasonable assurance that the filed financial statements are free of material error.
While the COSO guide talks about risk assessment and the need to identify sources of material error, it fails to flow that down into the identification of key controls in each component. In the process, it makes mistakes that experienced SOX practitioners will recognize:
- The examples include the use of ‘risk ratings’ where even low risks require some level of work. However, the first test must be whether there is a reasonable likelihood of a material error; if that test is met, the account is in scope. If it is not met, it is not in scope and no work needs to be done for SOX purposes. As simple as that! Only for in-scope accounts is it useful to assess the relative likelihood of a material error or of a controls failure to (a) assist in control identification and (b) influence the testing that will be performed.
- The discussion of fraud risk is broad and management should, as part of running the business, have an appropriate set of controls to prevent or detect fraud. However, for SOX purposes, the only consideration should be fraud that might result in a material misstatement of the financials! The new COSO guidance fails to point this out.
- The COSO document ranges far and wide, including many matters hardly likely to be relevant to the material integrity of the financial statements (such as potential changes in senior executives, or the audit committee reviewing the internal audit plan).
The SEC has shared SOX guidance for management (PDF) that can be used as a safe harbor. Any COSO guidance has to be consistent with the SEC’s product, which demonstrates a true top-down and risk-based approach.
The ingredients are present. If COSO (via PwC, the author of the guidance) can reorder the flow to start with Risk Assessment and demonstrate how the SEC guidance can be followed with the assistance of the updated COSO Internal Controls Framework, they will have made a positive contribution.
As it is, if management follows the COSO guidance in defining internal controls over financial reporting for SOX instead of a top-down approach, they will add controls and cost without necessarily improving the quality of controls.
Why? Because this COSO guidance doesn’t help identify the right controls to include in scope. In fact, it suggests controls that are important for the business but irrelevant to preventing or detecting material misstatements.
I welcome your views and comments (I have shared this post with COSO leaders).
Posted on Oct 15, 2012 by Norman Marks