Ever since the passage of the Sarbanes-Oxley Act of 2002 (SOX), the concept of internal control over financial reporting has taken on a new meaning. The U.S. Congress passed this legislation in part because of the failure of certain large companies, notably Enron and WorldCom, which met their demise in part because of real or perceived weaknesses in company internal control and less than adequate corporate governance. SOX reinforces the concept that company management is responsible for establishing and maintaining an adequate internal control structure and robust procedures for financial reporting.
Requirements under SOX
SOX, which only applies to public companies subject to Securities and Exchange Commission (SEC) oversight, requires company management to certify in certain financial statement filings with the SEC (e.g., Forms 10-K and 10-Q) whether the company’s system of internal control as it relates to financial reporting is effective. These representations must be made by a company’s chief executive and chief financial officers. Further, the company’s external auditors must state in such SEC filings whether they agree with management’s assessment. Certain public companies are exempt from the auditor attestation requirement, including smaller reporting companies, “smaller issuers,” and “emerging growth companies” created by the Jumpstart Our Business Startups Act (JOBS) signed into law in 2012. Nevertheless, all companies, whether private or public, small or large, have been under increased pressure to improve their systems of internal control over financial reporting.
Weak and Strong Internal Control Systems
So what is a system of internal control and how is such a system designed? To use a very simple example, if a company bookkeeper could initiate a purchase, execute a purchase order, accept the goods ordered when received, and issue a check together with making the necessary accounting entries without any other employee involvement, that would demonstrate a weak system of internal control. At the other end of the control spectrum, if this same purchase required several different employees to approve the transaction at different stages in the process, including approval or oversight by senior management and possibly its board of directors, before a payment is made, it would likely be viewed as being subject to a strong system of internal control.
COSO and Its Current Framework
Extremely weak and extremely strong internal control systems as described in the preceding paragraph are rare, so how do companies establish an appropriate level of internal control that keeps costs reasonable and still provides shareowners and lenders with an appropriate level of comfort? Many companies use the internal control “Framework” established in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Founded in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing a framework, guidance, and thought leadership for Enterprise Risk Management (ERM), internal control, and fraud deterrence. The five sponsors of COSO are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).
Note that the SEC does not mandate that companies use the COSO guidance, but has acknowledged that use of the COSO Framework is acceptable when evaluating internal control and the required reporting under SOX. Separately, the COSO Framework is widely accepted throughout the world and is used in the United States by many smaller companies, even if they are not public companies.
The Forthcoming Updated COSO Framework
In November 2010, COSO announced a project to review and update its 1992 Framework and on December 19, 2011, issued an exposure draft for a revised Framework. COSO received nearly 200 comment letters from CPA firms, companies, and the like on its exposure draft. On September 18, 2012, COSO issued an updated Framework exposure draft that considered the comments on the first exposure draft, and also issued the following documents:
Internal Control—Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Control;
Internal Control—Integrated Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples; and
Internal Control—Integrated Framework, Executive Summary.
All of these documents are available on the COSO website www.ic.coso.org. Comments on these documents are due December 4, 2012, with the expectation that the updated Framework, tools, etc. will be issued on or before March 31, 2013.
COSO states that its enhanced Framework is not intended to alter the core principles first developed in 1992, but rather to facilitate more robust discussion of internal control. Certain concepts and guidance in the Framework are being refined to reflect the evolution of the operating environment and changed expectations of regulators and other stakeholders. In addition, enhancements are expected to consider more than financial reporting and to provide enriched guidance on operations and compliance objectives.
Planning for the Revised Framework
Companies are running out of time to submit comments to COSO on the proposed updated Framework and related documents. However, regardless of the scheduled due date, companies should provide COSO any comments or concerns as discovered—the sooner they are provided, the more likely they might be considered in the final versions. That said, because COSO has already exposed its proposed revised Framework and considered numerous constituent comments, the likelihood of future changes or clarifications is reduced.
The smart approach, then, is probably to study the revised Framework and related documents and determine when and how changes to your company’s internal control should be made to conform to the updated Framework—assuming your company follows the COSO internal control Framework, as many do. This means that several people inside a company must get involved—obviously, the larger the company, the greater the number of employees who need to consider the enhanced Framework and implement any changes to company internal control.
A Few Unanswered Questions
Assuming that the revised COSO Framework is issued in March of 2013, should a public company that must certify to the effectiveness of its internal control in its SEC filings follow the old Framework or the revised Framework in 2013? Several constituents raised this concern in the original comment letter process, but because “transition” was not addressed in the updated Framework issued in September 2012, one might assume that COSO believes that no material changes will result in internal control and that it doesn’t matter which Framework you follow. Further, COSO is not a standard-setter, so any “transition” guidance would more likely come from the SEC or maybe the Public Company Accounting Oversight Board (PCAOB), which oversees public company auditors.
Companies, large and small, public or private, that follow the COSO guidance when designing their internal control structure, need to plan to fully understand the forthcoming enhanced COSO Framework and decide how and when to incorporate any required changes. A system of strong internal control is a must for any successful company that competes in the world we live in today.
About the Author
Ron Pippin is an experienced CPA based in Wheaton, IL. His 40-plus-year career includes being an audit partner at Arthur Andersen, a member of Andersen’s Professional Standards Group (“national office”) in Chicago, the Director of Financial Reporting for a Fortune 50 company, and most recently, the editorial director of CCH’s Accounting Research Manager. Currently, Ron does independent writing and analysis together with accounting consultation on a variety of topics.