A Danger to Every SOX Program

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


*** Note: the following represents my views and not necessarily the official position of The IIA (although I believe they will be supported by leaders of COSO).


I am starting to hear that people are adding a fair number of key controls to the existing scope of their Sarbanes-Oxley program. This should sound the alarm, as most of us have spent a fair amount of time over the last few years streamlining the program.

Why is this happening?

People are moving from a SOX program that is risk-based, designed to address identified financial reporting risks, to one that is designed to address the 17 principles in the 2013 update of the COSO Internal Control–Integrated Framework.

They are taking each of the principles and ensuring they have key controls for each and every one of them — often more than one key control for each Principle.

In principle (pun intended), there is nothing wrong with ensuring that they have adequately addressed each of the 17 principles.

But what is “adequate”? How many key controls do you need and when do you have enough? Should the program be designed primarily to address the 17 principles, or primarily to address financial reporting risk — with the principles a guide along the way?

As the regulators have said and included in their guidance and standards, the SOX assessment of internal control over financial reporting should be risk-based and top-down. That has not changed. The SEC guidance and PCAOB standards have not been changed. They remain risk-based.

The regulators correctly say that the SOX program should be designed to identify any deficiencies in internal control over financial reporting that are material: representing at least a reasonable possibility that an error would be made in the financial statements filed with the SEC that would be material in the eyes of the reasonable investor.

Does that mean we can ignore the principles?

A resounding NO.

The regulations require that companies use a recognized internal controls framework for their assessment of internal control over financial reporting. The updated COSO framework is the only specifically recognized framework, although in principle (smile) an organization could use the Canadian CoCo or U.K. Cadbury framework.

In practice, you must use the updated COSO framework, and that means that in addition to assessing whether the risk of a material error in the financials is at an acceptable level (see the COSO 2013 section on effective internal control), you have to assess whether each of the 17 Principles is present and functioning.

What does that mean in the context of SOX?

The regulations say that you can assess the system of internal control over financial reporting as effective if there are no material weaknesses.

In the same way, present and functioning for SOX means that there are no material weaknesses in the system of internal control over financial reporting caused by a failure relating to any of the 17 principles.

We need key controls to address the 17 principles to the extent that they provide reasonable assurance that there are no failures relating to the Principles that would result in a material weakness. For example, Principle 4 is “Demonstrates commitment to competence.” You need key controls that relate to the competence of those involved in the reliable performance of your SOX key controls, but the SOX scope need not include controls over the hiring and retention of individuals in other parts of the business. Principle 1 is “Demonstrates commitment to integrity and ethical values.” This is clearly important, but should be seen within the context of your fraud risk assessment. It may well be more effective and efficient to focus on this principle in relation to those fraud risks that could be material (the only ones you need to assess for SOX) than to take a broad view.

My guidance is to determine what you need in terms of key controls to reach a level of reasonable assurance that there are no material weaknesses. We are not talking about perfect, but reasonable assurance.

A test I recommend to ensure you don’t have too many key controls is this:

If this key control failed, would it represent a material weakness?

If not, then on a de facto basis it is not a key control: it is not relied upon to provide reasonable assurance that the financial statements are free from material error.

My book on SOX, Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, published by The IIA and available in both hard cover and as a download, covers the topic of addressing COSO 2013 in more detail.

You might also be interested in a short IIA video on Considering COSO 2013 From a Risk Perspective.

I welcome your views and commentary.

  • How many key controls are you adding because of COSO 2013?
  • Are you adding too many or not enough?

Posted on Jan 18, 2014 by Norman Marks


  1. Norman,

    Thanks as always for your insightful commentary. I agree with your contention that the management assertions related to adequacy and effectiveness of internal controls for financial reporting required by the Sarbanes-Oxley Act should be principles based. However, I would assert that it is not the implementation of COSO 2013 that will drive management to add controls to their assessment but rather the increasing pressure of the PCAOB on the external audit firms.

    Your test: "if this key control fails, would it result in a material weakness" is one that I have used at previous companies and had worked well in the AS 5 environment. I recently took a position with a private company that is looking to establish a "SOX"-like control environment in anticipation of exploring the public equity markets. Our external auditors have been asking for me and my team to prove that not only the key control works but also the accuracy and completeness of the underlying data used in the key control, which has led to exponentially more testing if you have, as we do, multiple sources for data in some of our key analytical controls.

    The external auditors are also asking about the precision of the key control and whether management can determine if a material weakness would be detected. I sometimes feel like a Supreme Court judge defining "porn", in the sense that if our management saw a material weakness in the analytics they would know it.

    My company is just establishing its control framework so we do not have to worry about the transition from the original COSO frame to the COSO 2013 frame, but I do not see that implementation as adding excessive numbers of controls to our environment. I am much more concerned about this new scrutiny from the PCAOB on external audit firms and their reactions to rebukes issued by the PCAOB in their reviews.

  1. Richard/Robert: COSO's decision to continue to promote a "control-criteria" centric approach to SOX 404 when many respondents to their original exposure draft called on COSO to integrate their "control" framework with their 2004 ERM framework was disappointing and is already producing predictable results - a lot of work that won't produce commensurate improvement in opinion reliability. The comment letter I filed with COSO detailing what I see as the shortcomings of a "control-criteria centric" approach can be found at the link below. Unfortunately this site doesn't support links so it will have to be pasted into your browser. http://riskoversight.ca/wp-content/uploads/2011/03/RO-Leech-Response-to-September-2012-Reexposure-Draft.pdf It is also very unfortunate that the SEC and COSO appear to show no interest in studying the thousands of materially wrong opinions arrived at using COSO 1992 to shape the next generation tools. One could say there are material failings in the COSO development methodology. Asking CEOs, CFOs and external auditors to opine that controls are, or are not, "effective" is not what investors and other key stakeholders of financial statements need - but it is what they are going to continue to get.
  1. Norman; My apologies for the address line in my point above. It should read "Norman/Robert" but I was thinking about Richard Chambers' role as the IIA representative on COSO. We haven't heard whether the IIA endorses the "control-criteria centric" approach to SOX 404 or whether the push was led by the AICPA. The control-criteria centric approach's biggest positive would seem to be that a "checklist" is still the foundation of the approach. There is no research that I am aware of that establishes convincingly that companies that look like COSO 92/2013 are overall better companies than those that don't, or even the narrower position of whether they actually create more reliable financial statements. I believe COSO 2013 still suffers from a lack of emphasis on measurement controls and commitment/reward alignment.
  1. Tim, neither IIA nor COSO advocate a control-centric approach. I believe you are misreading the internal control framework.

    What COSO does talk about is whether internal controls are effective - within the context of managing risks at acceptable levels.

    While I can and do criticize COSO for not making this as clear as they could (or intended), saying that they are control-centric is wrong. It misses the point that you assess whether controls are effective against the criteria of managing risk at acceptable levels.

    This translates to whether the company is able to provide reasonable assurance that risks are at acceptable levels.

  1. Robert, I am afraid I have a great deal of sympathy for the external auditors in each of the examples you cite. If you take the first one, "prove that not only the key control works but also the accuracy and completeness of the underlying data used in the key control", on the face of it if the underlying data is inaccurate or incomplete it would seem the key control would not be effective. This sounds like a key control based on a report, where it is necessary to ensure that the basis of the control, the report, can be relied upon.

    I also concur with the view that it is necessary to consider the "precision of the key control and whether management can determine if a material weakness would be detected". Yes, this requires judgment - but that should be something we can do and justify our position.

  1. Norman: Having taught the different assessment methods for over 20 years I have to respectfully disagree. A methodology that requires assessment against 17 specific criteria as opposed to one that focuses on acceptability of residual risk status related to key objectives is, in my view, a "control-criteria" centric framework. I warrant that a large percentage of companies and external auditors will treat it that way. You are correct in saying doing lots of all the criteria in COSO isn't a bad thing in terms of more control versus less gives more assurance, but it is a bad thing for companies that want to deliver good returns to shareholders. Just like safety, a company can implement so many safety controls they go broke. Financial reporting is no different. People have to realize that financial reporting control failures will happen and will even happen to "good" companies. When they are really a big problem is when senior management is corrupt or inept.
  1. Tim, you may want to re-read the final version. It says:

    "Internal control helps entities achieve important objectives and sustain and improve performance. COSO’s Internal Control—Integrated Framework (Framework) enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization."

    "An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives."

    Where I part ways with COSO is that it ALSO requires that all the components (and principles) are present and functioning. What my post says is you need to assess whether they are present and functioning by reference to whether the risks to objectives are at acceptable levels.

    COSO has asserted time and again that they did not intend to create a checklist. My fear is that people misinterpret their intentions (by reading their words) and treat the Principles as a checklist.

  1. Norman: Since I filed detailed comments to the original COSO 2013 ED and the COSO re-exposure and provide training on it as one of the "control-criteria" centric models, I would warrant I have read it in more detail than most. ISO 31000 in its current incarnation is interpreted by most to be a "risk-centric" framework. What I also get to see because of my work globally is how the majority of external auditors and companies interpret the notion that all of the COSO components/principles must be present and functioning. The majority of examples I see treat the "COSO conformance" element of their exercise a lot like a checklist with little linkage to which elements of the financial statements are materially impacted by non-use of COSO criteria. What I also see is very few companies disclosing to their boards and external auditors true results of objective-centric risk assessment, including which line items of income statements, balance sheets and key note disclosures have the highest "composite uncertainty". Composite uncertainty is another way of stating highest overall retained/residual risk status. Had COSO said they were retiring the "internal control integrated framework" and elevating COSO 2004 with updates as their dominant framework, I think you would see companies and auditors take a different approach. I encourage readers to source my article on why U.S. Congress should amend SOX 404 and require an opinion on the effectiveness of risk management processes, not what people's binary opinion on internal control "effectiveness" is.
  1. Tim, thanks for the explanation.

    May I suggest that you join me in helping people understand that the COSO ICF is NOT intended to be a checklist, is NOT controls-centric, and that effective internal control is achieved when the risk to the achievement of objectives is reduced to acceptable levels.

    The issue is that people are not understanding COSO 2013 correctly. It IS risk-based, although that intention is not clear the way the framework has been written.


  1. Norman; What you or I say is less important than what the SEC and PCAOB say. They should clarify what it is they expect. I am starting to read "how to" advice from a range of sources that says just start with what controls you have and link those controls to the COSO 2013 criteria. If you can make connections with all of them you must be well on your way to having "effective" control in accordance with COSO. Starting with the principle and looking for robust controls in all areas will result in big incremental costs. The SEC and PCAOB need to say unequivocally what they expect, but I'm not going to hold my breath waiting for any clarity from them. Right now my work-around solution to this is to advise/train people how to do the SOX 404 assessment in a way that will actually show the line items and note disclosures with the highest uncertainty/residual risk status and then get them to do the linking to the COSO principles to pacify external auditors.
  1. Tim, what you and I say is listened to by many (or so I tell myself). So it matters.

    A meaningful message by the regulators is that they have not changed either AS5 or the SEC Interpretive guidance.

    Rather than identifying the highest level of risk, because everything and only anything over material needs to be addressed, I always suggest a top-down and risk-based approach. That is what the SEC recommends in the Interpretive Guidance, what is in AS5, and what is in my book - I assume you have a copy.

  1. Norman: I think it's important to note that the SEC and PCAOB don't seem to really be very bothered that thousands of companies have issued materially wrong reports on control effectiveness since SOX 404 started. As far as I know there has never been a rigorous study to determine why, when material restatements are required, what went wrong with the work done to assess whether controls were effective in accordance with COSO 1992 (and more importantly, were supposed to prevent even a single material error). If it's been done it's being kept a secret. I think stakeholders should be able to see a company's 10 year restatement history. It would, in my opinion, be more useful information than another dubious representation from CEOs, CFOs and external auditors that controls are effective in accordance with COSO 1992 or 2013. Unfortunately, the chances of any serious change happening at the SEC or PCAOB in this area appear slim. The PCAOB appears to be pressuring auditors to charge more, test more, but not really change the way they assess risk.
  1. Tim, you continuously and continually state "thousands of companies have issued materially wrong reports on control effectiveness since SOX 404 started". You offer no proof, just your personal opinion in support.

    As I have explained many times before, many restatements were for technical breaches of filing requirements and the SEC and PCAOB criticized the audit firms for requiring unnecessary restatements.

    You are smart and skeptical and so you should be able to see through the laments of the external audit firms about pressure from the PCAOB. The examiners failed the firms for failing to document their judgment, when such was required. For example, they are criticized less for reliance on IA management testing than for not documenting why they believe they can place reliance.

    I respect your 20 years of teaching and your influence on our profession justifies my trying to persuade you to align your message with mine. I am sure you respect my more than 20 years as a practitioner CAE and teacher on SOX.

  1. Norman; I do respect you and your many years of experience but am not likely to change my opinion that binary opinions on control effectiveness against any framework, be it COSO 92, COSO 2013 or any other, are not in the best interests of shareholders or regulators. I suspect that the regulators like the simplicity of a binary opinion on control effectiveness but it doesn't help boards understand where the highest levels of uncertainty are in the financial statements. I understand you are working hard to make the best of what I believe is a bad SEC decision to opine against COSO, and that you like COSO 92 and 2013. I continue to believe COSO 92 and 2013 have serious technical flaws with the most significant being underweighting on measurement, commitment and oversight. I suspect we will carry on with you making the best of a bad situation and me continuing to suggest Congress should amend SOX 404 to better protect shareholders.
  1. OK, Tim Don Quixote Leech

    We are where we are because the Congress requires management to express an opinion on the effectiveness of internal control over financial reporting. The SEC only wrote the rules, so we should not blame them.

    I am with you that companies need additional disclosures, not limited to internal control but including the management of risk and the effectiveness of governance. For example, they should state why they believe they have effective governance process, including oversight of management in all relevant respects.

    In the meantime, we have to deal with the real world and our advice should be practical and relevant for the practitioner.

    It doesn't matter whether I like COSO 2013 (I argued hard against the checklist). It is our reality.

  1. Norman; While it's true that I continue to lobby for change, it's important to note that I have made most of my money and gained a measure of financial security helping U.S. and Canadian companies comply with what I see as seriously sub-optimal U.S. SOX 404 laws and regulations. In spite of that apparent contradiction, to date I haven't given up trying to convince U.S. Congress and the SEC and PCAOB that they are having a material negative impact on the world and the advancement of better risk governance by insisting on binary opinions on control effectiveness against COSO 92/2013. Alas, I have been trying diligently since 2003, making last year the 10th anniversary of what you reference somewhat unkindly as my "Don Quixote" efforts. On a positive note, the UK appears to be headed in the right direction with their Nov 2013 consultative draft on risk, control and going concern. Perhaps the FRC work will have a greater impact on Congress, the SEC and PCAOB than I have, but in spite of my persistence even I am losing hope. By the way, Audit Analytics provides excellent, very fact-based information on the number, magnitude and reasons for accounting restatements. I didn't dream the assertion that since 2003 when SOX 404 came in force thousands of materially wrong opinions on control effectiveness have been issued. Your assertion/assumption that the majority of accounting restatements relate to immaterial technical accounting issues is not, in fact, based on facts. It's true that some are, but I warrant not the majority. In any event, I do enjoy debating.
  1. Norman - I have perused your guidance because I am wondering if I missed a comment by you on the recent PCAOB changes & subsequent effect on external auditor testing & documentation, which subsequently affects all of us. It was referred to above, but I am specifically questioning the new focus on management review controls & use of system generated data & reports. I feel that these new requirements have been rolled out without any consideration for cost over benefit & whether or not we are talking about a "key" control. As an example, we use a database to capture electronic signatures of preparers & approvers for balance sheet reconciliations, which per our auditor is no longer sufficient. Even if a preparer sits outside the office of our assistant controller they are expecting emails & other documentation to "prove" that a reconciliation was actually reviewed. We are doing our best to move towards more of a paperless company leveraging "automated" controls, so I am wondering where the happy medium and/or compromise will be.

    At this point in time we are pushing back and will look at the changes for our key controls, but I see these more as a documentation exercise that won't really change anything in the grand scheme of things other than increase our audit fee & require more work for our process owners.

    Any advice you have would be fabulous!

  1. Denielle, it is good to hear from you.

    I assume you are talking about the October 2013 Staff Alert. If so, there is nothing new in that guidance. From what you are saying in your comment, it appears that your external auditor is reading more into the Alert than it says. I suggest that you sit down with him or her and discuss what the Alert says and what they are requiring. For example, there has to be reasonable evidence (prior SEC and PCAOB guidance) that the review was performed: what is their concern? Is it reasonable to believe that somebody else signed electronically? I would want to see some controls over the signature process myself.

    If you take the "system-generated data and reports", we are talking about hybrid or semi-automated controls. You need assurance that the automated part (the data and reports) can be relied upon. Nothing new there.

    To restate: the PCAOB has not added any new requirements. They have stated very clearly what the auditors should have been doing all along.

    Frankly, I think you should push back, especially on the fees. This is what they should have been doing all along and the company should not pay for their audit deficiencies.

    Am I missing something?

  1. I found it interesting

  1. Hi Norman,

    I have one query with regard to a limitation of internal control mentioned in COSO 2013. I have been reading about limitations before also and understand them & their importance well.

    I am unable to understand the below limitation and its significance. Can you please help me by elaborating this clearly. I googled it but could not get any answer for this.

    Suitability of objectives established as a precondition to internal control
  1. Hi Kushal,

    If the organization's objectives are not clearly stated, it is not possible to understand them and therefore to assess risks to their achievement. The controls address the identified risks.

    Does that help?
  1. Hi Norman,

    Thank you for your insightful comments. Our company is beginning to transition to COSO '13. We were mapping the Principles to our controls; I like your thoughts much better! My question is this - how do entity level controls factor in - or what are your thoughts on them as they relate to the Principles and the transition to COSO '13? Thanks! Kiersyn

  1. Kiersyn, entity level controls are of two types: those that may be relied on to prevent or detect a material error, and those that have an indirect effect. This is explained in AS5 and the SEC Interpretive Guidance. Of course, I think the best explanation of how to address them is in my book! You can find it on Amazon or in the IIA Bookstore.
