I continue to see and hear questions about how organizations should address the 17 principles in the updated COSO Internal Control–Integrated Framework.

The consensus advice from consultants is that organizations should take each of the 17 principles (and more often than not this exercise is performed down to the points-of-focus level of detail) and map their existing (i.e., prior year) SOX key controls to them. When they see a gap, the advice is that additional key controls should be identified. All such key controls are included in scope and tested.

COSO has provided a template for this purpose. It is not required but is available for companies to use. At least one of the public accounting firms, as well as several consultants, has provided a similar template.

But I do not believe this is the right approach.

While it will ensure that each of the 17 principles is satisfied, in many if not most cases the resulting scope of the SOX program will be inefficient. It will include key controls that are not necessary to ensure that material misstatements of the financial statements filed with the SEC are either prevented or detected.

I discuss how to address the COSO principles in detail in my book, Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, published by and available from The IIA and on Amazon.

In this post, I am going to use excerpts from that book to describe my suggested approach.

I have reviewed this approach with leaders at COSO, the regulators, and major public accounting firms and received both support and encouragement.

In a major keynote at the IIA GAM conference, a member of the PCAOB Board discouraged organizations from taking a “checklist” approach — and in my opinion, that is what the templates and mapping exercises represent.

It is worth emphasizing that neither the SEC nor the PCAOB has changed its guidance that both management and the external auditors should use a top-down, risk-based approach to setting the scope of their SOX program.

This was repeated as recently as the PCAOB Staff Alert in October 2013 — published after the COSO 2013 update had been released.

This is how I describe COSO’s concept of “effective internal control” in the book:

The 2013 internal control framework provides two key points relating to the assessment of internal control.

  • First, it states that “An effective system provides reasonable assurance regarding achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.”

  • Second, COSO explains the requirements for achieving reasonable assurance; these are based on the presence and functioning of the five components of internal control and the 17 principles.

COSO has made public statements that support the application of the top-down and risk-based approach to assessing internal control over financial reporting described in this book and in both SEC and PCAOB guidance.

The regulators, the PCAOB in Auditing Standard No. 5 (AS 5) and the SEC in its Interpretive Guidance (PDF; get a copy if you don’t have one), describe the top-down and risk-based approach as follows:

AS 5 includes the following:

“The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.

“This approach directs the auditor’s attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company’s processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.

“Note: The top-down approach describes the auditor’s sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the auditing procedures.”

The SEC uses different language, but the principles are the same:

“Management should evaluate whether it has implemented controls that will achieve the objective of ICFR (that is, to provide reasonable assurance regarding the reliability of financial reporting). The evaluation begins with the identification and assessment of the risks to reliable financial reporting (that is, materially accurate financial statements), including changes in those risks. Management then evaluates whether it has controls placed in operation (that is, in use) that are designed to adequately address those risks. Management ordinarily would consider the company’s entity-level controls in both its assessment of risks and in identifying which controls adequately address the risks.”

My advice is to retain the top-down and risk-based approach, but adapt it to address the new COSO principles. This is how I summarize it in the book. The steps include:

a. Identifying and assessing the sources of risk to the financial statements. With respect to the COSO Framework, this is addressed in the Risk Assessment component and its principles (i.e., principles 6-9). Steps include identifying:

  • The general ledger accounts that constitute each line in the financial statements as filed. For example, accounts payable is normally one line in the financial statements, although it represents a group of related general ledger accounts.

  • For each of the above, the accounts that are considered significant.

  • The financial statement assertions relevant to those accounts and material to the investor.

  • The locations to include in scope.

  • The business processes that process transactions into the significant accounts at in-scope locations.

  • The key transactions representing balances in the above accounts.

b. Identifying those controls that have a direct effect on the likelihood of material misstatement, either by preventing or detecting material errors or omissions. These are referred to in this book as “direct controls” (a term not used in regulatory guidance, although the latter does talk about controls that only have an “indirect effect”). The majority of the direct controls are typically in the Control Activities component (principles 10-12 apply).

c. Obtaining a self-assessment from management of each of the COSO principles. I am going to assume, being prudent, that all 17 are considered “relevant” for our purposes.

d. Performing a risk assessment for each of the COSO principles.

e. Where a defect in the presence or functioning of any of these principles is at least reasonably likely to lead to the failure of one or more direct key controls, rate it as high risk and identify the key controls that will be relied upon for each principle. Otherwise, rate it as a low risk and rely on management’s self-assessment of the principles. (See detailed discussion below.)

f. Performing a “reasonable person” review. Would a reasonable person believe that the set of key controls that has been included in scope would, if adequately designed and operating effectively, provide the reasonable assurance desired?

Each of these steps is described in detail in the book, especially step d. Here, the key is to ask:

Could a failure to achieve this principle, or any of its points of focus, result in the failure to prevent or detect a material misstatement? Is that failure at least reasonably likely?

If the answer is "yes," then after carefully documenting the risk assessment and its results, key controls are identified to address the risk that has been identified.

If the answer is "no," then after documenting the risk assessment and its results it is essential to discuss the results with the external auditor.

Hopefully, this approach makes good sense.

I welcome your comments and perspectives. I am especially interested in any stories you can share on how your discussions have gone with the external auditors with respect to COSO 2013.

  1. Norman: I agree 100% that SOX 404 should be top-down/risk-based. I thought you might find it interesting that this month's issue of IIA Your Career Compass calls for an "inventory of where your organization stands regarding the 17 principles". Perhaps I'm missing something, but that still sounds like a checklist to me. The article then calls for mapping controls to principles which likely provides more flexibility to claim controls are effective in accordance with COSO than mapping principles to controls. I would be interested to know if, based on your discussions with the PCAOB, they think there needs to be an "inventory" against COSO principles.

  1.  Tim, I think I quoted from AS5, referenced the October Staff Alert, and quoted from the PCAOB Board member speech.

    They continue to emphasize the top-down approach, have not updated it to require addressing all the Principles, and if you read the PCAOB Board member speech, they say that completing a checklist is a lost opportunity.

    On the other hand, if you are looking at the organization's system of internal control beyond SOX, at how objectives in general are achieved, you can't argue that all of the principles are important and need to be considered.

  1. Thank you Norman and Tim.

    I haven't considered the COSO update as a checklist approach but a mapping of controls to principles that provide management and the external auditors with a better understanding of the overall control structure for SOX.

    And if organizations were following the original framework as a process for meeting their SOX objectives, there shouldn't be a great degree of work to be done in the update.

    I appreciate the dialogue and perspectives. Thanks.

  1.  Dan, would you agree that the SOX scope should include only those key controls relied upon to either prevent or detect a material misstatement?

    If so, why include controls where a failure to achieve a COSO principle would not, directly or indirectly, represent a financial reporting risk?

  1. Norman, I do agree on SOX scope to include only those key controls relied upon to either prevent or detect a material misstatement.

    I see your point and in my approach, the mapping exercise would show that achieving some COSO principles in one organization may not be applicable but in other organizations with a different control structure, the failure to achieve the same principle may represent a financial reporting risk.

  1.  Thanks, Dan. This is an excellent opportunity (a risk assessment of the principles) to understand where the financial reporting risks lie and to remove from scope some of the 'old' and unnecessary entity-level controls we had in the past.

  1. Norman: Unfortunately, I expect a large percentage of U.S. listed companies are/will soon be busy mapping controls to COSO principles, diverting valuable resources away from rigorous assessment of the statistically probable risks that threaten the objective of reliable financial reporting. The SEC and PCAOB, not Congress, decided to require registrants to opine against a "suitable control model". Unfortunately the current guidance is vague on when the COSO "mapping" exercise recommended in the recent IIA Compass report discloses deficiencies to the point they can no longer claim to have "effective" controls in accordance with COSO 2013. The article my daughter and I authored titled Preventing the Next Wave of Unreliable Financial Reporting: Why US Congress Should Amend Section 404 of the Sarbanes-Oxley Act describes what we think U.S. Congress should do if the real goal is improving the reliability of U.S. listed financial statements. It can be accessed with a simple Google search. I fear the SEC and PCAOB will sit on the sideline for a couple of years to see how many companies and auditors do, in fact, treat SOX 404 like a checklist/mapping exercise, at least in part. A number of excellent white papers have recently postulated that there is a human tendency to want to audit what is easy, not what is really key to high certainty an objective will be achieved. Time will tell how many decide "mapping" controls to principles is easier than actually identifying and assessing the real risks to reliable financial reporting.

