A Practical Approach to Adopting the New COSO Framework for Your Sarbanes-Oxley Program

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


I have been spending a good amount of time thinking about how a company’s Sarbanes-Oxley program should be affected by the updated COSO internal control framework. I have been fortunate to be able to bounce ideas off a few individuals for whom I have great respect and who were involved in the COSO update project.

In this post, I want to share and get feedback on the approach I have developed and will include in an update of my (IIA) book for management on Sarbanes-Oxley.

The basic thinking is this:

  1. Organizations are required to base their assessment on a recognized internal controls framework, and there is only one in practice.
  2. Companies should start working on addressing the updated framework now, even if there is an option to wait until 2014.
  3. The primary change is that the framework now states that effective internal control requires not only that the risk of a material misstatement in the financial statements filed with the SEC has been reduced to an acceptable level (defined by the regulators as the absence of material weaknesses), but also that all relevant principles are present and functioning.
  4. Although a theoretical argument could be made that not all 17 principles are relevant to financial reporting risk (at SOX materiality levels), in practice this will be a tough argument to win. I would not try. Prudence dictates that all 17 should be considered relevant.
  5. Management will need to be able to assert that all 17 principles are present and functioning.
  6. Many of the principles relate to the context within which the controls that directly prevent or detect material errors (I call these direct key controls) operate. These principles have an indirect effect on financial statement risk: they affect the risk that the direct controls will fail to prevent or detect material errors. The key controls relied upon to ensure these “indirect effect” principles are present and functioning I refer to as indirect key controls, in contrast to the direct key controls.
  7. The scope of work for SOX, which is the population of key controls — direct and indirect — and the nature and extent of testing of those key controls should be based on a top-down and risk-based approach. This is not a change in principle, only in practice, when it comes to these indirect key controls and their principles. The guidance in the SOX book on direct key controls is unchanged.
  8. So, I am recommending that management perform a self-assessment for each of the 17 principles. Where possible, it will probably be useful to reference key controls (typically from the prior assessment period’s scope).
  9. Then, the risk relating to each principle should be assessed. The question is whether a defect in any aspect of that principle makes it at least reasonably possible that a material misstatement would neither be prevented nor detected. In the case of indirect effect principles, that means assessing whether a defect in the principle means it is at least reasonably likely that a direct key control would fail. The assessment of risk should be clearly documented and agreed with the external auditor.
  10. Management should vary the level of testing performed to provide evidence and supplement the self-assessment based on the level of risk.
  11. The principles relating to integrity and competence should be assumed to be high risk, requiring the identification of sufficient indirect key controls to reduce the risk of material misstatement to less than reasonably possible.
  12. When assessing deficiencies, it is essential to perform a root cause analysis. This is likely to point to an underlying problem in one or more principles, and that additional deficiency should be assessed.

I welcome your views. Does this approach make sense? Will it result in the “right” scope and the desired level of testing? I don’t think it will result in a significant increase, although the scoping exercise will have to be carefully documented.

Posted on Jul 2, 2013 by Norman Marks


  1. By the way, this approach will be included in a future update to my SOX book (available from either the IIA Bookstore or Amazon) and I will cover it in my SOX Master Classes.

  1. Norman, thanks for the as always thoughtful insight and advice. I share your views that the updated COSO framework will not, should not, lead to a significant increase from a SOX perspective. The area where I think or expect more attention will be required lies with the indirect key controls, especially in the area of the so-called company level controls or entity level controls. My feeling is that by COSO 2013 spelling out the 17 principles and having companies document and assess the risk when any of these is not functioning, it will become more visible how these interact with the direct key controls. Will be an interesting period ahead.
  1. Norman, when do you plan to have your next SOX Master Class?

  1. Norman,

    I think it's useful for you to offer a "short-list" of implementation guidance, and I would encourage others to do so as well.

    Please note my comments are solely my own, and are as follows, regarding your points above numbered:

    1 - you refer to "only one [internal control framework] in practice"; it is true that as a practical matter there is only one generally accepted internal control framework in the U.S. - and that is the COSO framework

    2 - I wholeheartedly agree with your point that "Companies should start working on addressing the updated framework now." As to the rest of your sentence, what you refer to as an "option to wait until 2014" isn't exactly an "option" - the effective date is 12/15/14 and companies must disclose (in any Sarbox disclosures prior to that date) which COSO framework they are using - i.e., the 1992 framework or the 2013 framework. In addition, as a practical matter, for most companies, 100% of testing cannot take place on 12/15/14, so implementation by the company and the auditor's work as updated for the fact that the company has implemented COSO 2013 will need to take place prior to 12/15/14.

    3 - I would prefer not to comment on any other points (not that I necessarily have any other comments, but the remainder of your outline is more technical, so I would withhold comments at any rate for other experts to respond to). I do commend you once again for putting this in the public domain to increase awareness and solicit feedback and discussion, and good luck with the next installment of your book!

  1. Norman - So far, I haven't seen much commentary on how COSO 2013 will affect SOX compliance in the world of ITGCs. Can companies that currently rely on COBIT (4.1 or 5) continue to base their activities on these frameworks exclusively?

  1. Norman: When COSO issued its re-exposure draft for comment, my comment letter stated: "While we believe that the September 2012 re-exposure draft represents a significant improvement over the seriously dated 1992 internal control integrated control framework, we do not believe that a control criteria-centric approach is well positioned to minimize the frequency of materially unreliable auditor certified financial reporting. MF Global represents a recent high profile company where the CEO, CFO and PwC, its external auditor and primary author of the COSO September 2012 re-exposure draft, all certified that MF Global had effective accounting controls in accordance with the 1992 COSO Internal Control Integrated Framework." My comment letter can be found at: http://www.coso.org/documents/IC_COSO_COMMENTS/2Tim%20Leech_RO%20Leech%20Response%20to%20September%202012%20Reexposure%20Draft.pdf Readers should be aware that, as far as I am aware, the SEC has not formally stated that the 2013 version of the COSO control framework meets its criteria for a "suitable framework". I believe that "control criteria centric" methods that require a conclusion that controls are "effective" and capable of reducing the risk of restatement below a remote probability will continue to regularly be proven wrong by the need to restate. Implementation advice on the 2013 framework to date has come from other sources, not the SEC. I am still optimistic that the SEC will reconsider its position and endorse other frameworks, including ISO 31000, that require users to evaluate and report on residual risk status to external auditors and boards. It would be a shame if the SEC continues to legislate the use of frameworks that demonstrate high instances of opinion error without considering other options.
  1. What I find interesting is that the 17 principles, other than the first 5, point to a practical requirement for both a risk management and performance management system that are 'present', 'functioning', and 'working together'. While most companies would say that they have such systems, have they historically provided evidence that such systems are present, functioning, and working together? It seems that in order to meet these principles, companies may need to step up and better formalize their processes to show that they can, for example, "specify objectives with sufficient clarity" to define risks, etc. If they can't do that, then they are failing to achieve that principle. Of course, the beauty of this is that when companies truly move toward this type of risk and performance environment, they will not only achieve compliance with COSO 2013, they will actually have a far better opportunity of meeting their performance goals -- including their financial reporting goals.
  1. Norman: Although I know there is money to be made assisting companies to implement COSO 2013 and this blog site doesn't allow/accept hot links I encourage readers to have a look at an analysis done by IFAC (International Federation of Accountants) representing many millions of accountants globally issued in May of this year on what their PAIB technical committee believes is still wrong with COSO 2013. http://www.accountant.nl/readfile.aspx?ContentID=76614&ObjectID=1104223&Type=1&File=0000040164_PAIB_Revised_COSO_Framework_May2013.pdf A Google search using the term "Revised COSO Framework: Improved but Additional Adjustments Still Needed" will also work. I am still mildly optimistic that the SEC will not impose a sub-optimal framework on all U.S. listed public companies but I fear they will. This would be regulator imposed risk of significant magnitude likely to continue to significantly impede governance improvement efforts.
