Using COSO Updated Internal Controls Framework in a Top-Down, Risk-Based Sarbanes-Oxley Program

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Over the years, organizations and their auditors have moved to a top-down and risk-based program for Sarbanes-Oxley. Not only is this the most efficient and effective way, but it must be used by the external auditors (PCAOB’s Auditing Standard Number 5) and management is advised to use it by the SEC (their Interpretive Guidance).

But the updated COSO (2013) Internal Control–Integrated Framework is not presented in a top-down and risk-based fashion. Certainly, you can show how the Framework says to assess risks and then identify controls to manage them. You can also point to the sentence (preceding the requirement that the components and principles be present and functioning) that says that effective internal control manages risk to acceptable levels.

The trap for the unwary in the Framework is that people will leap to assess internal control over financial reporting by using the set of 17 principles as a checklist — which COSO has expressly stated is not their intention.

So how do you use COSO 2013 in a top-down and risk-based SOX program?

Earlier this year, I wrote a blog with a suggested approach.

I received a lot of positive feedback (including from several involved in the COSO update) and have incorporated the approach, with much more specific guidance, in my SOX book — just published by The IIA Research Foundation and available from the IIA Book Store.

It is still early days, although I strongly advise organizations to move quickly to adapt their SOX program for COSO 2013 and to discuss it with their external auditors ASAP. Only as we work through using COSO 2013 next year and in the years following will we know for sure which approach will serve us best.

I am very interested in what the external audit firms are advising their clients. Are they simply saying to map the controls to the 17 principles and identify gaps? That is hardly a top-down or risk-based approach, nor is it consistent (IMHO) with the Auditing Standard.

I believe it will lead to more work than is necessary.

I would appreciate your sharing what they are telling you.

Posted on Nov 7, 2013 by Norman Marks


Hi Norman, 'surfing' the www I came across your article COSO Updated Internal Controls Framework in a Top-Down, Risk-Based Sarbanes-Oxley Program. Never having understood SOX to be anything but 'top-down', I was taken aback when informed that J-SOX had a top-down approach, unlike SOX, which was a bottom-up approach. Would you be able to explain what is meant, or confirm my understanding? Thanks for your articles, regards John

  John, although not consistent in practice, SOX is and should be top-down. Whoever said otherwise is mistaken.

Norman: I agree with you that SOX 404 "should" be top-down, but in my experience many companies are pressured by external auditors and sometimes external advisors not to adopt a true top-down approach. My guesstimate is that a large percentage of SOX 404 work done today still focuses on areas that are rarely the cause of material errors. True "top-down" should start with the statistically probable risks that have shown themselves to be primary sources of material errors in financial statements. This should include risks like "CFO/controller staff not technically current/competent", "CEO/CFO collude and fraudulently misstate the accounts", and others. The risk treatments in place should then be documented and assessed and, when they exist, selectively tested to verify their existence/functioning. In my experience many companies are still "down in the weeds" with their approach to SOX, with the blessing and sometimes even the persuasion of their external auditors/advisors.
