Using COSO Updated Internal Controls Framework in a Top-Down, Risk-Based Sarbanes-Oxley Program
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
Over the years, organizations and their auditors have moved to a top-down and risk-based program for Sarbanes-Oxley. Not only is this the most efficient and effective way, but it must be used by the external auditors (PCAOB’s Auditing Standard Number 5) and management is advised to use it by the SEC (their Interpretive Guidance).
But, the updated COSO (2013) Internal Control–Integrated Framework is not presented in a top-down and risk-based fashion. Certainly, you can show how the Framework says to assess risks and then identify controls to manage them. You can also point to the sentence (preceding the requirement that the components and principles are present and functioning) that says that effective internal control manages risk at acceptable levels.
The trap for the unwary in the Framework is that people will leap to assess internal control over financial reporting by using the set of 17 principles as a checklist — which COSO has expressly stated is not their intention.
So how do you use COSO 2013 in a top-down and risk-based SOX program?
Earlier this year, I wrote a blog with a suggested approach.
I received a lot of positive feedback (including from several involved in the COSO update) and have incorporated the approach, with much more specific guidance, in my SOX book — just published by The IIA Research Foundation and available from the IIA Book Store.
It is still early days, although I strongly advise organizations to move quickly to adapt their SOX program for COSO 2013 and discuss it with their external auditors ASAP. Only as we work through using COSO 2013 next year and following will we know for sure which approach will serve us best.
I am very interested in what the external audit firms are advising their clients. Are they simply saying to map the controls to the 17 principles and identify gaps? That is hardly a top-down or risk-based approach, nor is it consistent (IMHO) with the Auditing Standard.
I believe it will lead to more work than is necessary.
I would appreciate your sharing what they are telling you.
Posted on Nov 7, 2013 by Norman Marks
Share This Article: