1. an updated internal control framework, broadly scoped like the current framework, to include internal control over financial reporting, compliance, and operational controls, and
2. a separate document focusing on application of the guidance to internal control over financial reporting (that portion of the guidance most relevant to Sarbanes-Oxley Section 404 internal control attestations).
5 Components To Be Expanded To 20 'Principles,' Additional 'Attributes,' Potential Impact on Sarbox Assertions
Significantly, Landsittel noted that the updated framework "Will focus on 20-plus principles in total, extending over the 5 components [i.e., the 5 components of internal control over financial reporting established in the 1992 framework: control environment, risk assessment, control activities, information & communication, and monitoring], in other words, for each of the 5 components, we’ll have a specific set of principles that support those components, and in each chapter [of the updated framework], we’ll have ‘attributes’ that support those principles."
He noted that the expansion to a 20+ principle and additional attribute approach was first used in COSO's 2006 guidance for small public companies. (Later in the meeting, he noted the small business guidance would likely be superceded by the overall update to COSO's internal control framework, unless the COSO board and advisory task force become aware of a reason to have separate guidance for small companies following the incorporation of a principles based approach and certain other aspects of the 2006 small business guidance into the overall framework update.
Separately, on the question of how this may impact attestations on the effectiveness of internal control by reference to a suitable internal control framework - of which COSO's framework was specifically cited as a suitable framework by the SEC in its Sarbox 404 rulemaking - Landsittel noted, "The fundamental components have not changed, so, on an overall basis, [the Sarbox Section] 404 objectives and focus on the components will not change, but we do believe, with the articiulation of principles, particularly, there will be more guidance that will be helpful in carrying out the guidance in [Sarbox Section] 404. For example, if we have 20 principloes and a conclusion that those [principles] are relevant to any overall conclusion as to the overall effectiveness of internal control, that gives us a a little more concrete area as to what determines an effective system of internal control, and to those who test to it, to determine when it is effective, and when there are shortcomings or weaknesses."
Said another way, the core message as to the potential impact on Sarbox 404 assessments stemming from the changes coming to the COSO framework (changes resulting from the 'update' to modernize the framework to take into account changes in the business environment since the 1992 framework was written, including the advent of the internet, email, and other changes, as well as changes resulting from the expansion of the 5 core components of internal control into 20-plus 'principles' and another layer of more detailed 'attributes' supporting the 20 principles) is summed up on the following slides within the COSO slide deck circulated to PCAOB SAG members:- slide 15: "It is generally expected that all [20+] principles will, to some extent, be present and functioning for a organization to have effective internal control, [and] When a principle is not being met, some form of internal control deficiency exists."[NOTE: Landsittel commented on this point further later in the meeting, regarding issues like the determination of material weakness, as noted further below.]
- slide 19:
"•Updated Framework intended to remain consistent with SEC suitability criteria
• Updated Framework will be an evolution from the original Framework
•An appendix to the [framework] will highlight significant changes in the updated Framework as compared with the original framework
•A companion document will assist organizations in meeting financial reporting objectives
•Greater clarity contemplated around the basis for determining significant deficiencies and material weaknesses
•COSO anticipates that regulators will provide any needed transition guidance to filers."
Miles Everson, a partner with audit firm PwC (PwC predecessor firm Coopers & Lybrand coordinated the publication of the original 1992 framework for COSO, and PwC is coordinating the current update of the framework, under the auspices of the COSO Board and a COSO Advisory Council), noted some of the feedback received from a survey it released earlier this year - on which over 650 responses were received - pointed out: (1) The need to create greater clarity around the role of the control environment, vs. reliance put on control activities, (2) The role of the monitoring component, and what constitutes appropriate monitoring for Sarbox 404 purposes, and (3) A general sense there is too much reliance on the control activities component.
Key Points Raised in Q&A With SAG Members: Totality/Interrelationship of the Three Objectives of Internal Control; Risk Assessment and ERM; Applicability to/ Filling the Gap for Small Co's Exempted From 404b by Dodd-Frank; Board Responsibilities, Including Qualifications/Quality of Audit Committee 'Financial Expert'
Following are some highlights, but not necessarily a complete listing, of points raised by SAG members during the Q&A with Landsittel and Everson which followed their presentation on the update to the COSO internal control framework. As always, the SAG webcast was very interesting, with a wide variety of experts from the world of accounting/auditing, academia, law, investor representatives, and more, and reference should be made to the complete webcast for details on these and other points made. Some of the major points made once or as a recurring theme are shown in the bold heading immediately above.
- Jim Cox (law school professor, Duke University): Has COSO given any consideration to the fact that small companies received an exemption under the Dodd-Frank Act from providing the Sarbox Section 404(b) auditors attestation on internal control? Summary of Landsittel/Everson response: COSO framework can be applied whether or not a company provides a 404(b) auditors assertion; all auditors are required to consider internal controls in performing an audit, and small co's still have to provide the Sarbox 404(a) management assessment, for which reference can be made to the COSO framework.
- Joe Carcello (accounting/auditing professor, co-founder and director of research, Corporate Governance Center, Univ. of Tennessee): Governance, independence: there are academic studies pointing out that lack of independence in CEO appointment of board members can reduce effectiveness of board. Additionally, some 'financial experts' serving on audit committees do not have sufficient grounding; SEC originally wanted to require an 'accounting expert' but business community objected, settling on broader requirement for a 'financial expert.' Summary of Landsittel/Everson response: will consider these comments and the related studies in the update.
- Jim Doty, Chairman, PCAOB: Thinking about the database you have, and $75 million threshold [exemption for small co's from Sarbox Section 404(b)], to what extent can you find information to direct the [PCAOB] board in Audit Practice Alerts, Studies of Communication with Audit Committees, ... to enable us to better assist the auditor in looking for fraud at a sub-$75 million or sub-$250 million company; can’t we get some free and reliable [advice]..."Landsittel: Joe Carcellos’ study includes some insights that are helpful, we have a separate project that tries to extend that, your comments are well stated and so noted, we should focus on where we can make more robust the guidance in this area."
- Doug Carmichael (professor at Baruch College, former Chief Auditor, PCAOB): "It is important you not lose sight of the fact that although COSO is not a regulator, it is effectively the setter of internal control standards, and those standards play a vital public interest role through the [Sarbox Section] 404 requirements; I undersand why you want to separate the discussion of financial reporting [from operational and compliance controls], but it is important to realize that compliance and operational objecvtives [can effect financial reporting]... an outstanding example in the current financial crisis is New Century Financial, they had operational control deficiencies related to not tracking repurchase claims, and they missed in their repurchase calculation operational claims. The other thing relates to estimates, we discussed at the last SAG meeting, importance of having a formal document for estimates, and the connection between the number companies arrive at for ... [an] estimate and the process [to make that estimate], it would be helpful for the COSO framework to cover that." Landsittel response: "What you are saying, as an internal control measure, you [should] have methodology to rely on that judgements are reasonable." Carmichael: "We hear all the time, 'we have judgments, controls, just not documented' that usually means not effective either." Landesittel: "At 40,000 feet, I can causually say we can split out an application in [internal control over] financial reporting, but at [COSO's] advisory council meeting, that very point was made... it is not so simple, because some of the compliance and operational [controls] have an effect on financial reporting… we have 3 principles that are at this point separated [controls over financial reporting, compliance, and operations]; how we get them to interrelate, is important to us." Everson: "Important distinction: [within the 2 documents that COSO is going to split its current update project into]: 1st document is the integrated framework, all the objective categories [internal control over financial reporting, compliance, operations]; 2nd document is [going to be] guidance on application of that framework over internal controls over financial reporting.
- Marty Baumann (Chief Auditor, PCAOB) I’d like to build on that, and I think it’s a very important point, [there are] 3 components of COSO (internal control over compliance, financial reporting, and operational controls); we spend a lot of time talking about Internal Control over Financial Reporting, [Sarbox Sections] 404a, 404b, but [not as much about weaknesses in] the other components: compliance controls, operational controls... maybe one of the greatest causes of the financial crisis was financial companies that advertised world class risk management, that maybe didn’t understand risk, and didn’t have risk management… my question would be, do you think there were deficiencies in operational controls over risk management, or maybe - because internal controls over financial reporting are subject to auditor review and reporting, whereas operational controls are not - were those operational controls subject to auditor review, might that have had a better impact on (stopping ) the next financial crisis from happening?"Landsittel: Marty and I [and Keith] met early on [to discuss the COSO project]... the notion that one real opportunity/benefit for the refresh/update of the COSO framework is in the operational area, and not get so narrowly focused... are there implications from the financfial crisis or otherwise, that we can provide benefit in terms of guidance in the control area; your earlier comments [when project began] were very influential to us."
- Mary Hartman Morris (investment officer, global equity, CalPERS): Importance from investors' perspective strengthing governance and risk... [re: Dodd-Frank] carve out [of smaller companies on Sarbox Section] 404, investors lost out, we still appreciate management has to make an opinion on that. Since CalPERS is becoming more global, question about reducing US-centric perception [of the COSO framework]? Summary of Landsittel response: We have 2 people on advisory council whose roots are outside US, one thru IFAC, another rep from Switzerland, they have already been very helpful to us in providing a perspective that we need to be sensitive to, in terms of not inadverteluy writing the guidance in such a manner that people outside the U.S. will say ‘this is American, doesn’t apply to us.” [We don't] feel obligated to fully harmonize our guidance with other models, but it is important we present our guidance as meaningful and helpful and aren't automatically discounted because of inadvertent editing. [Additionally] we have a responsibility to our sponsoring organization's [AAA, AICPA, FEI, IIA, IMA] stakeholders to look outside the U.S. I assure you we don’t want to unnecessarily make mistakes that result in our credibhility suffering unnecessarily." Additional comment by Morris: As we comment to others, even the European Union, we point out it is important to elevate the idea of COSO or other internal control frameworks.
- Gaylen Hansen (audit partner, and board member of NASBA): Given that 60% of public companies may become exempted from Sarbox 404(b) reporting under Dodd-Frank, couldn't the [PCAOB's] risk assessment standards require the auditor to look at whether management did a risk assessment, not to audit it, but even to have the auditor [just] read it? Reply from Keith Wilson, PCAOB Deputy Chief Auditor: "We looked through .. SAS AU 550 [the relevant auditing standards for] Other Information in a Document Containing Audited Financial Statements ... it's something we could go back and look at in the context of what we would do in AU 550, that would more likely be the place."
- PCAOB Chairman Jim Doty: "We ought to think about how the risk assessment standards require that the auditor scope the audit, to take into account whether or not management has applied the modernized COSO standards." PCAOB's Wilson: Opportunity to incorporate this into the standards.
- Gary Kabureck, VP and Chief Accounting Officer, Xerox: I would suggest, in prioritizing focus on updating the COSO framework, that extra time be spent on: (1) Companies are much more reliant on outsiders than in 1992, consultants, outsourcing, business processing, I.T.; it's one thing to outsource a process; shouldn’t outsource reponsiblity; (2) Where the value in companies continues to change, what more and more companies value today, is intellectual property, whether intangibles, software, IT; the original (1992) COSO framework more industrial age society; suggest you look into there; (3) a couple of [SAG members] talked about Enterprise Risk Management at the board level, that’s where a lot of the action is; the more you can tie the framework to the most modern practices for ERM, would be well served for everybody; (4) The true independence of governance, accounting, ethics office, tone at the top, role of getting by doing more with less people; these groups need to be independent and effective. Landsittel reponse: Your comments are helpful. The risk assessment component is one where, at the end of the day, [the framework] may be most effected, where we may have the opportunity to enhance its robustness, that directly relates to your ERM comment, interestingly touches upon your intellectual property and outsourcing in today’s environment too.
- Arnie Hanish (VP Finance, Chief Accounting Officer, Eli Lilly & Co.): In same spirit as Gary [Kabureck], I don’t know if this is within the ‘authority’ of COSO or the framework of what you are doing, seems like can fit in governance and tone at the top issue, I still believe there is some need to beef up the issue of 'financial experts' on boards, you mentioned we have financial experts on boards as result of SOX [the Sarbanes-Oxley Act], there is no real definition of financial expert in my view; you see a wide variety of individuals that hold themselves out as financial experts, I think Congress fell short [in defining 'financial expert']; I don’t know if there is any opportunity for your framework to provide guidance, thoughts, on individuals on boards who have the right expertise to pose questions to company executives and auditors; we talk about communication with auditors, [but it] ha[s] to go the other way .. do they really [i.e. board members] understand questions to ask of us [i.e. for board members to ask questions of management and the auditors] ... if there is some way to build meat around that in the framework, it would be helpful from a control perspecvtive. Landsittel response: I chair two Audit Commitees, I know there is a wide difference among people designated as 'financial experts,' it was alluded to earlier, if we [COSO] could put guidance in terms of good governance as to what a financial expert is."
- Steve Homsa (Managing Director of Internal Audit, Legg Mason, Inc.):As external auditor and internal auditor, for large part of my career, one area of greatest opportunities is where we could find linkage between ERM and both internal and ext auditors, and to strengthen that and leverage ERM process; I believe that generally out there in the business community, that is, I won’t say a weakness, but a potential soft spot, and also, once ERM engages in that process of identification of business risk, operational risk, a def. of what may be ’auditable’ with what could potentially be ‘unauditable’ and so forth could potentially be helpful. Landsittel:
My experience on audit committee, more than once I’ve commented that the ERM group and external auditors need to make sure they are in synch, e.g. in fraud area, auditors need to do brainstorming.
- Brian Croteau, (Deputy Chief Accountant, SEC; observer at SAG meeting): As always, these remarks are my own, I'll comment on a couple things here; I appreciate those who reminded those about requirements for Internal Control over Financial Reporting and the management report, and Keith’s remarks on AU 550, and auditor’s responsibility to read management's report and consider whether anything inconsistent in mgmt report with anything they’ve encountered in conducting the audit… surely under exception from 404b and whether anything .. and in terms of AU 550, reasonable to consider, but don’t forget we’ve got standards today... In internal control over financial reporting context, companies will continue to need statements about effectiveness of internal control in context of internal control over financial reporting, to the extent the framework begins to combine some of those things in ways they don’t today, important to be sufficiently clear, what that means, in context of internal control over financial reporting... Dave, you’ve teed that up as a separate document .. Some guidance for smaller public co’s that might be important and should continue to be relevant in context of co’s complying with 404a, that guidance is still very important and useful. Landsittel: On the latter comment, we do plan to supersede the 2006 small bus guidance, and integrate that in some way to this guidance, that’s a tentative conclusion, one reason that drives us to that, we want to be explicit in articulating the principles, that’s such an important part of the 2006 small bus guidance, it would make it awkward if the 2 documents are both out there, we there need to get guidance , if truly relevant to small co’s as opposed to relevant to everybody, need to get it out there someplace. Another point you touched on, the issue of what constitutes ‘effectiveness,’ e.g. when we have 20 principles, and we presume each of those principles should be supported in a determination of the effectiveness of the controls, then, if one of those principles isn’t supported adequately, does that mean the controls are ineffective, and if the answer is yes, then is it a material weakness, so it is that kind of effectiveness question we are beginning to touch on, .. can take it offline.. what constitutes material weakness, what constitutes effectiveness, particularly as 20 principles articulated explicitly as opposed to implicitly
- Lynn Turner (Senior Advisor and Managing Director, LECG; former Chief Accountant, SEC): Back when the original COSO framework was being developed in the late '80s, early '90s, the Commission staff said one major principle was missing: nothing talked about the need for companies to identify changes going on in business, industry, trend, or the company, and that needed to be a very fundamental part of framework, COSO decided to leave it out. I think one of the lessons we learned in the financial crisis, was that indeed, that pillar should have been at the forefront as businesses changed and became more active in securitization, changed in no longer skin in the game. I would (1) urge you to go back and reconsider that [i.e. identifying and considering change in the business environment and the company], and put it in as one of the pillars; unless you’ve got some kind of control in business to look at changes and that you are reacting to them, you’ll always be behind the eight ball, always have that problem (2) Chairman Doty’s comment about scoping audit very good (3) Comment from Arnie Hanish, Joe Carcello, we’ve given way too much credit to corporate directors, I’ve recently had conversations with people at NACD, too many people [directors] don’t know what to ask; I would encourage you to put a whole chapter in there for audit committees; as we’ve seen in recent revelations from the FCIC [Financial Crisis Inquiry Commission], a number of audit committees in these large banks were literally clueless, and that’s the best you can say of them, if you have audit committee that is that clueless, raises question, how can you ever have effective internal control, let alone tone at the top. (4) On fraud side of things, I’d suggest you go back and build into it something along lines of the ACFE on whistleblowers, that is the one thing that seems to detect fraud, and yet today, we still see auditors that don’t’ have understanding whether that works or not, don’t know if independent or not, I think you should build in something about whistleblowers, very important; while there’s a lot of discussion today about sec rules, I don’t think that’s where a lot of whistleblower complaints will go, I think they’ll go to WikiLeaks, guarantee confidentiality, as we move into facebook world, internet, WikiLeaks guarantees confidentiality, as that becomes more prominent, whistleblower will become thing to watch (5) as Gary said, outsourcing, you could make chapter just on outsourcing ; and Gary’s point about you can outsource the work but not the responsibility; so very important. Landsittel: Whistleblowing, particularly interesting to me, chairing an audit committee, we’ve looked pretty hard at whistleblowing, it's not easy to assess whether effective or not, you can have things in the program that on paper, look great…Turner: I’ve chaired 3 audit committees, I have a different view; you can get it up and running, you can make it somewhat effective in today’s environment with all the tools you have, got to dedicate time and resources, not all of them are effective.
- Damon Silvers (Director of Policy and Special Counsel, AFL-CIO): (1) Seems to me, behind some of this conversation, is that we have a framework here that is, to some degree, built and has in mind a world of discrete organizations, and we live increasingly in a world of networks, or people who think they have networks, and that you can see this at play in phenomenon as diverse as the mortgage irregularities that are currently being negotiated by state attorneys general, and the economic impact of the earthquake in Japan, on firms that had no idea they had Japanese operations, or in fact don’t have Japanese operations, but yet are significantly affected by a set of networks that go beyond their line of sight. The implications of that for internal control go right to this issue of, raised several comments back, Lynn reflected on somewhat, question of, what’s the relationship between fin reporting and systems of internal control around supposedly nonfinancial activity. There is no better example of how these things completely intertwine than the mortgage irregularity situation, where, you now have, I believe all 4 major banks have filed with SEC statements to the effect they expect material regulatory costs associated with that problem, I suspect they would have denied that 6 months ago, I assume they may even have denied that honestly 6 months ago, it does not appear any of these large organizations have any idea the true nature of variety of absolutely critical contractual arrangements inside their organizations or inside their networks, so again, this is a network problem. (2) Also to Jim Cox’s point about, what are the implications of exempting folks, because part of what went on here, in the mortgage irregularities matter, was that there were no full-fledged audits of the securitization vehicles, but there were audits of servicers; so, you can sort of say, well, this is an issue of people being exempted from the audit process, but they actually weren’t, and that would seem to raise some pretty significant questions. (3) Finally, all these issues require governance systems and boards that are substantively able to understand the organizations and networks they are operating in, and I can tell you from the interactions that union pension funds had with some of the boards of major banks, even long before the irregularities issue arose, from firsthand experience talking to those board members that one of two things is true, either (1) key decision makers in those firms had no idea the nature of the firms and networks they were overseeing, or else (2) they thought they could fool us into believing that they didn’t; I’m not sure which one it was, I don’t think it really matters; I suspect it was the former, sadly enough, I suspect it was true, that the leaders of audit committees at major financial institutions simply didn’t understand the nature of the businesses they were overseeing. And I think all of this goes to the wisdom of questions discussed earlier, and the general path you are on.. But I want to enforce these points so that anyone who suggests these were minor matters, or insignificant to financial reporting, these are the biggest matters facing our countries economy, and our system of financial regulation today.
Baumann closed this section of the SAG meeting, noting that representatives of PCAOB and SEC staff serve as observers on the COSO Advisory Council working on the update of COSO's internal control framework.
Landsittel thanked the PCAOB and SAG members for their thoughtful input, and invited additional feedback at any time, through COSO's website or by emailing him directly.
The notes above are highlights based on my listening to this portion of the SAG webcast; for futher detail, tune into the SAG webcast.
Other Topics Discussed By SAG:PCAOB Update; Implications of FASB-IASB Convergence; Auditing Disclosures
Other topics discussed at the March 24 PCAOB SAG meeting, as noted on the SAG agenda, include: PCAOB Standard-Setting update; Potential Audit Implications of FASB-IASB Joint Projects, Related effective dates and Transition methods, and Auditing Financial Statement Disclosures. There was also an update on the board's discussion earlier in the week on the Auditors' Reporting Model; the PCAOB board met with its staff in an open meeting earlier in the week to discuss possible approaches to a Concept Release that would propose changes to the auditor's reporting model.
According to this PCAOB press release issued following the March 22 PCAOB board meeting, a Concept Release on the auditor's reporting model is slated to be issued for public comment later this year.
Print this post