A New Perspective on SOX and the COSO Principles

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


As I prepare for my next SOX Master Class, I have been thinking about the 17 COSO principles and the template (or checklist) that some seem to feel is necessary.  How can I explain why it is wrong to map last year’s key controls to each of the new COSO Principles without first assessing whether a failure to achieve a principle would result in a financial reporting risk, potentially a source of material misstatement?

One of the people I have been debating with (via email) is an individual with significant influence at COSO and for whom I have great respect. I have known him for many years and he was a key outsource provider while I was CAE at a couple of companies.

We started our email chat when he read my last blog post, "How to Address the COSO Principles for Sarbanes-Oxley."

He tried to persuade me that because COSO says internal control is effective when all the relevant principles are present and functioning, mapping controls to the template (checklist) as a first step is appropriate. The mapping allows you to assess the principles.

I replied by pointing out that COSO says a principle may be considered to be present and functioning as long as there are no deficiencies that represent a major risk to the achievement of the objective.

I continued by saying that the COSO process is to identify the risks and only then identify the controls required to manage the risks at acceptable levels.

Assessing the principles before determining the risk is not consistent with COSO.

At this point, he made the excellent observation that the correct sequence is:

  1. Identify the objective.
  2. Identify and assess the risks to the achievement of the objective.
  3. Determine what controls are required to manage the risks at acceptable levels.

Let’s take these one by one.

When it comes to SOX, the objective is to file reports with the SEC that are free from material misstatement.

The guidance from both the SEC and PCAOB to use a top-down and risk-based approach helps us identify and assess risks to the objective, in other words our financial reporting risks.

The regulators’ guidance also helps us identify the controls we rely on to either prevent or detect a material misstatement.

The “acceptable level of risk” (whether you want to call it risk criteria or risk appetite) is that there is less than a reasonable possibility of a material misstatement.

So, SOX program managers should ensure that:

  • They continue to follow a top-down and risk-based approach.
  • They modify their prior-year risk assessment process to include assessing the risks to financial reporting should there be a deficiency relating to any of the COSO principles.
  • They do not identify controls to include in scope until they have determined that they are necessary to address a financial reporting risk.
  • They work closely with their external auditors and agree on a process for transitioning to the 2013 update of COSO, including how risks are identified and assessed, that is acceptable both to the external auditors and management.
  • They are not bullied by the external auditors to adopt a process that is not top-down and risk-based. In my earlier blog post, I referenced a speech by a member of the PCAOB Board that criticized a checklist approach to the principles. It may be necessary to remind the external auditors that Auditing Standard Number 5 and the October 2013 Staff Alert both emphasize the top-down and risk-based approach, that AS5 has not been modified, and the Staff Alert was issued after COSO 2013 was published.

My friend is cautious and properly so. We are still waiting (at the end of April!) for the firms to tell us how they will address COSO 2013. I hope that they will see sense and continue with a top-down approach. He is less optimistic.

What do you think?

Posted on Apr 25, 2014 by Norman Marks


  1. I concur to: (1) “... a principle may be considered to be present and functioning as long as there are no deficiencies ... that represent a major risk ...” (2) “COSO process is to identify the risks and only then identify the controls required to manage the risks at acceptable levels.”

    “Functioning” would of course mean to us free from major deficiencies (or within our risk appetite) against set objective(s).

    The 17 principles set the tone in support of the 5 original components (which were implicit before, now made explicit). What this would mean is that since they are made more explicit, it would be beneficial (and should be made mandatory) to still apply and focus on the application of a risk-based approach that could have been by-passed formerly when the detailed 17 principles were only implicitly revealed.

    Further, risks that would not have been considered concerning in the past should be reassessed vis-à-vis controls and, where necessary, mitigated prior to mapping or transitioning into the new Framework. I believe it is but fair to have these to ensure all grounds are covered with a more explicit new Framework, and the assessment of how well the original one was implemented is another crucial point to consider, which could likely call for the re-evaluation of risks vs. controls.

  2. Hi Norman,

    I agree with you that one should perform a risk assessment first, but most in the SOX world have been doing so for ages in their efforts to address the risks associated with internal control over financial reporting. But whether you look at risks first or principles first really doesn't matter as long as both are considered in the process of determining which key controls are in place to minimize the risk of material misstatements to the financials. I firmly believe that if an organization has passed consistently using the 1992 model, then transitioning to the 2013 model will be painless and the mapping exercise is probably the most cost-effective way to do so (particularly if this is assigned to a group who already has a holistic view / understanding of the company's risks, particularly those risks associated with internal control over financial reporting).

    As I mentioned in a post on LinkedIn, all management needs to do is align with the external auditor's approach, which is outlined in the AS5 literature (a top-down approach that begins at the financial statement level and the understanding of overall risks to internal control over financial reporting, focuses on entity-level controls, and works down to significant accounts and disclosures and their relevant assertions). Once those controls are identified that map to the assertions, objectives and risks, then all is good. If management follows the same approach, there would be a minimal chance of failing as both teams are using the same methodology (one to comply - the company, and one to validate - the auditors), unless of course management does not have a sustainable test model in place to validate the effectiveness of controls.

  3. My question concerns the "newness" of this approach. While COSO has revamped their control principles from the 1992 version to the 2013 version, neither the SEC nor the PCAOB have deviated publicly from the need for a Top Down risk assessment. Since SOX deals with financial reporting, not operational or environmental controls, it seems the assessment requirements haven't changed. I'm of the opinion little has changed other than terminology and nomenclature. The cynic, some might say grumpy curmudgeon, says the accounting firms will trot out new guidance and documents with glitzy covers (fancy wrapping paper) that when digested is little different than prior practice.

  4. I hope you are right, Karl. The issue is that the SEC says we must base our assessment on a recognized internal control framework. But they also say we should use a top-down and risk-based approach. I am trying to reconcile these two.

  5. Norman: I share your difficulty trying to "reconcile" the SEC views. I believe the problem is that the SEC lacks a robust understanding of the different assessment methods available. In our advanced risk workshop we teach 5 distinct assessment methods. These are 1. Process centric, 2. Risk centric, 3. Control criteria centric, 4. Objective centric and 5. Compliance centric. When SOX was enacted a large percentage of companies adopted "process centric" as their dominant 404 approach with only limited attention to identifying and measuring risks. PCAOB claims to want more focus on risk. The current debate is whether to add a "control criteria" centric method via checklists against COSO 2014 principles and more granular "points of focus" (i.e. require process centric and control criteria methods). I have promoted the use of "objective centric" risk assessment for SOX as I believe it will provide the best insight into the areas that have the highest uncertainty after considering risk treatments/controls. My response to COSO indicating that their current direction would push SOX 404 towards a checklist/control criteria approach can be sourced at: http://www.coso.org/documents/IC_COSO_COMMENTS/2Tim%20Leech_RO%20Leech%20Response%20to%20September%202012%20Reexposure%20Draft.pdf Binary opinions on control effectiveness against COSO 2013 criteria added to process centric assessments will not significantly improve financial statement reliability IMO. SEC needs to study which of the methods available will produce the highest reliability opinions.

  6. I agree with Mr. Hagerman - we also follow a top-down, risk-based methodology, but have already mapped our key controls & entity-level processes to the principles; the risk assessment was of course an inherent part of that, since we already have a holistic perception of the company.
