COSO Expanding 5 Component Internal Control Framework Into 20+ Principles; May Impact Sarbox 404 Assertions
In an update provided at the March 24, 2010 PCAOB Standing Advisory Group meeting, COSO Chairman Dave Landsittel described COSO's current project to modernize and update its 1992 Internal Control - Integrated Framework. COSO plans to issue an Exposure Draft of a proposed revision later this year, followed by the release of two final documents in 2012:
1. an updated internal control framework, broadly scoped like the current framework, to include internal control over financial reporting, compliance, and operational controls, and
2. a separate document focusing on application of the guidance to internal control over financial reporting (that portion of the guidance most relevant to Sarbanes-Oxley Section 404 internal control attestations).
5 Components To Be Expanded To 20 'Principles,' Additional 'Attributes,' Potential Impact on Sarbox Assertions
Significantly, Landsittel noted that the updated framework "Will focus on 20-plus principles in total, extending over the 5 components [i.e., the 5 components of internal control over financial reporting established in the 1992 framework: control environment, risk assessment, control activities, information & communication, and monitoring], in other words, for each of the 5 components, we’ll have a specific set of principles that support those components, and in each chapter [of the updated framework], we’ll have ‘attributes’ that support those principles."
He noted that the expansion to a 20+ principle and additional attribute approach was first used in COSO's 2006 guidance for small public companies. (Later in the meeting, he noted the small business guidance would likely be superseded by the overall update to COSO's internal control framework, unless the COSO board and advisory task force become aware of a reason to have separate guidance for small companies following the incorporation of a principles-based approach and certain other aspects of the 2006 small business guidance into the overall framework update.)
Separately, on the question of how this may impact attestations on the effectiveness of internal control by reference to a suitable internal control framework - of which COSO's framework was specifically cited as a suitable framework by the SEC in its Sarbox 404 rulemaking - Landsittel noted, "The fundamental components have not changed, so, on an overall basis, [the Sarbox Section] 404 objectives and focus on the components will not change, but we do believe, with the articulation of principles, particularly, there will be more guidance that will be helpful in carrying out the guidance in [Sarbox Section] 404. For example, if we have 20 principles and a conclusion that those [principles] are relevant to any overall conclusion as to the overall effectiveness of internal control, that gives us a little more concrete area as to what determines an effective system of internal control, and to those who test to it, to determine when it is effective, and when there are shortcomings or weaknesses."
Said another way, changes are coming to the COSO framework from two sources: the 'update' to modernize the framework to take into account changes in the business environment since the 1992 framework was written (including the advent of the internet, email, and other changes), and the expansion of the 5 core components of internal control into 20-plus 'principles' and another layer of more detailed 'attributes' supporting the 20 principles. The core message as to the potential impact of these changes on Sarbox 404 assessments is summed up on the following slides within the COSO slide deck circulated to PCAOB SAG members:
- slide 15: "It is generally expected that all [20+] principles will, to some extent, be present and functioning for an organization to have effective internal control, [and] When a principle is not being met, some form of internal control deficiency exists." [NOTE: Landsittel commented on this point further later in the meeting, regarding issues like the determination of material weakness, as noted further below.]
- slide 19:
"• Updated Framework intended to remain consistent with SEC suitability criteria
• Updated Framework will be an evolution from the original Framework
• An appendix to the [framework] will highlight significant changes in the updated Framework as compared with the original framework
• A companion document will assist organizations in meeting financial reporting objectives
• Greater clarity contemplated around the basis for determining significant deficiencies and material weaknesses
• COSO anticipates that regulators will provide any needed transition guidance to filers."
Miles Everson, a partner with audit firm PwC (PwC predecessor firm Coopers & Lybrand coordinated the publication of the original 1992 framework for COSO, and PwC is coordinating the current update of the framework, under the auspices of the COSO Board and a COSO Advisory Council), noted that some of the feedback received from a survey it released earlier this year - to which over 650 responses were received - pointed out: (1) the need to create greater clarity around the role of the control environment vs. the reliance put on control activities, (2) the role of the monitoring component, and what constitutes appropriate monitoring for Sarbox 404 purposes, and (3) a general sense that there is too much reliance on the control activities component.