1. What is COSO?
2. What is the Internal Control – Integrated Framework?
3. How is the COSO framework applied at the entity level during the Section 404 assessment process?
4. How is the COSO framework applied at the activity or process level during the Section 404 assessment process?
5. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?
6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?
7. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?
8. Will the COSO framework on enterprise risk management affect the Section 404 assessment?
The SEC ruled that the criteria on which management’s evaluation is based must be derived from a suitable, recognized control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment. As defined in the Commission’s rules, a “suitable framework” must: be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting. The SEC points out in its rules that the COSO Internal Control – Integrated Framework satisfies this requirement. It acknowledges that frameworks other than COSO that satisfy the intent of the statute without diminishing the benefits to investors may be developed within the United States in the future. Other frameworks in other countries may also meet this requirement, e.g., CoCo, Turnbull, King or other country-specific authoritative frameworks.
COSO stands for “Committee of Sponsoring Organizations” and is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative often referred to as the Treadway Commission. The Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
The sponsoring organizations are the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), Financial Executives International (FEI), Institute of Management Accountants (IMA) and American Accounting Association (AAA). COSO so far has produced four documents, one in 1992 on the Internal Control – Integrated Framework, one in the mid-1990s on derivatives, one in 2004 on the Enterprise Risk Management – Integrated Framework and the most recent in 2005, which provides guidance to smaller public companies applying the integrated internal controls framework to report on internal control over financial reporting.
The COSO Internal Control – Integrated Framework defines internal control as a “process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.” The Integrated Framework uses three dimensions, illustrated in the adjacent cube, that provide management with criteria by which to evaluate internal controls.
The first dimension is objectives. Internal controls are designed to provide reasonable assurance that objectives are achieved in the following categories: effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (left to right, across the top of the cube).
The second dimension required by COSO is an entity-level focus and an activity-level focus (front to back, across the right side of the cube). Internal controls must be evaluated at two levels: at the entity level, and at the activity or process level.
The third dimension includes the five components of internal controls (bottom to top, on the face of the cube):
- Control environment – Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control activities – Includes the policies and procedures that help ensure management directives are carried out.
- Information and communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring – Consists of the processes that assess the quality of internal control performance over time.
These five components provide the framework for effective internal control over financial reporting and, in similar fashion, provide a framework more generally for disclosure controls and procedures. They provide the context for evaluating internal control over financial reporting.
These three dimensions represent the Integrated Framework. The framework works in the following manner: For any given objective, such as reliability of financial reporting, management must evaluate the five components of internal control at both the entity level and the activity (or process) level.
Management must decide on a control framework on which to base its assertions regarding – and its evaluation of – the effectiveness of internal control. We recommend the COSO framework. It meets the test of an authoritative framework as it is widely accepted and reasonably intuitive. The SEC’s rules and interpretive guidance for Section 404 refer to the COSO framework and define “internal control over financial reporting” consistently with the framework. The U.S. professional auditing literature historically has embraced the COSO framework since it was issued. When the PCAOB issued, and subsequently revised, its auditing standard for an audit of the effectiveness of internal control over financial reporting, the Board reaffirmed the COSO report as providing “a suitable and available framework for purposes of management’s assessment” in accordance with Section 404. Banks complying with FDICIA (see Questions 6 and 7) have also used COSO.
If management decides not to use COSO, an alternative framework must be selected. Any framework management chooses to use must meet the SEC’s criteria. If a company chooses to use a non-COSO framework, we suggest that management “map” the framework to COSO to demonstrate coverage of the key COSO components for the benefit of the external auditor and other parties who may challenge the use of the framework. For example, in its interpretive guidance to management, the SEC states the following: Both the COSO framework and the Turnbull Report state that determining whether a system of internal control is effective is a subjective judgment resulting from an assessment of whether the five components [as discussed above] … are present and functioning effectively. Although CoCo states that an assessment of effectiveness should be made against twenty specific criteria, it acknowledges that the criteria can be regrouped into the five-component structure of COSO.
COSO is applied at two levels – the entity level and the activity or process level. At the entity level, each of the five components is broken down into attributes to support the assessment. “Attributes” define the nature of a component. For example, as illustrated in the accompanying graphic, the control environment component is further defined using seven attributes. For each attribute, COSO provides appropriate “points of focus” representing some of the more important issues relevant to the attribute. Not all points of focus are necessarily relevant to every entity. Additional points of focus may be relevant to some entities. COSO recommends that, for purposes of a controls evaluation, every organization should tailor the points of focus to fit the organization’s facts and circumstances; e.g., smaller companies with management closer to the front lines and more knowledgeable of business realities will often have a different approach than larger companies with several layers of management and multiple operating units.
Both the SEC and PCAOB refer to these controls as “entity-level controls.” These are the controls that management relies on to establish the appropriate “tone at the top” relative to financial reporting. They often have a pervasive or indirect impact on the effectiveness of controls at the process, transaction or application level. At the entity level, management must address the various attributes COSO provides for each component. The following illustration shows the various attributes provided for each of the five components and illustrates points of focus for one attribute – human resource policies and procedures:
To continue with this illustration, human resource policies and procedures are designed to recruit and retain competent people who can achieve the entity’s stated objectives and execute its strategies successfully. The points of focus provided above for “human resource policies and practices” are illustrative and are not intended as a comprehensive list. As noted earlier, management may tailor them to the organization; i.e., management may add, delete and modify points of focus. Management may also add more specific granular questions or issues addressing each point of focus. For example, the first illustrative point of focus above is, “Are there policies, procedures and effective processes for hiring, compensating, promoting, training and terminating employees?” For this point of focus, more granular criteria (not intended as all-inclusive) might include:
- Personnel policies are effectively communicated for (a) recruiting or developing competent people with integrity, and (b) encouraging and incenting them to support an effective system of internal controls.
- Existing personnel procedures and processes for recruiting or developing competent people with integrity are in accordance with stated policies and are effectively executed.
- Existing personnel procedures and processes for encouraging and incenting people to support an effective system of internal controls are in accordance with stated policies and are effectively executed.
- The emphasis on recruiting the right people and training them to do the right things is appropriate.
- Management periodically communicates expectations about the desired characteristics of the people targeted for hiring.
- Personnel policies are effectively communicated for counseling people who are experiencing difficulty on the job and for terminating and exit-conferencing people who are not performing to standards.
- Existing procedures and processes for counseling people who are experiencing difficulty on the job and for terminating and exit-conferencing people are in accordance with stated policies and are effectively executed.
- For each of the five components, COSO provides several attributes.
- For each attribute, COSO provides points of focus.
- For each point of focus, more granular criteria may be developed to support the assessment.
- COSO recommends the following:
  - Responses should be documented for each point of focus rather than for the more granular criteria. Responses should be based on management’s conclusion that the stated policies, processes, competent people, reports, methodologies and systems actually exist and are effectively functioning.
  - A response should generally not be a “yes” or a “no” answer, but rather should address specifically what the entity does to address the point of focus.
  - Management should conclude as to the effectiveness of internal controls with respect to each attribute supporting a given component of internal control. The responses providing information with respect to the points of focus, as described on the previous page, support management’s conclusions on the attributes. To illustrate, management should conclude on each of the seven attributes of the control environment, including human resource policies and practices.
  - An overall conclusion should be reached with respect to each COSO component. This overall conclusion is supported by the collective weight of the individual conclusions on each of the relevant attributes. Thus, management formulates a conclusion as to the effectiveness of the control environment. This conclusion is supported by a conclusion on each of the seven attributes of the control environment.
  - A response of “ineffective” or “requires improvement” for a given attribute does not necessarily warrant a conclusion that the related component is ineffective at the entity level. There may be compensating controls in other areas (see Question 107).
  - A response of “ineffective” or “requires improvement” for a given attribute should lead management to evaluate whether improvements are needed in internal controls and to take appropriate action to close any gaps. If management believes there is an absence of one or more key controls that, if not compensated for in other areas, increases the likelihood that there are significant control risks (meaning an increased risk of control failure), action should be taken quickly. Further, such conditions are very likely significant deficiencies that should be communicated to the audit committee and independent public accountant.
Depending on how the reporting entity (the “issuer” for SEC reporting purposes) divides into control units (see Questions 54 and 55), the stated attributes and points of focus may apply to one unit but not to another. All assessments of the control environment for the various control units must be taken into account for management to reach an overall enterprisewide conclusion with respect to the control environment.
For example, consider a reporting entity with several highly autonomous operating units included in its consolidated statements. Assume that each of the operating units represents a control unit along with the reporting entity. For purposes of assessing the control environment:
- The reporting entity may set the tone at the top with a corporatewide code of ethics, and oversee the various compliance and enforcement activities (e.g., the “integrity and ethical values” attribute). The board of directors and audit committee meet at the reporting entity level (another separate attribute of the control environment). The reporting entity establishes the organizational structure (another separate attribute), provides overall HR policies (part of the “human resource policies and practices” attribute), etc.
- The various operating units functioning as control units address other attributes of the control environment, such as commitment to competence, management’s operating style, assignment of authority and responsibility, etc.
- The assessments for all of these units are taken into account in formulating a conclusion for the entity as a whole. The overall assessment summarizes the impact of the various entity-level assessments.
In summary, the extent of top management’s control over the consolidated reporting entity, the diversity in the nature and types of operations and business units, the unique risks inherent in those operations and business units, and other factors impact the project team’s approach to assessing the entity-level controls.
Just as it is applied at the entity level, the COSO framework is also applied at the activity or process level. When assessing the “design effectiveness” of process-level controls over financial reporting and documenting that assessment, the five COSO components are considered, as shown in the following illustration:
From a practical standpoint, when performing a review of internal control over financial reporting, most of the attention at the process level focuses on control activities and the monitoring of those activities. Once the assertions related to reliability of financial reporting are generally understood and documented (see Questions 71 and 72 for two illustrative groups of financial reporting assertions), control activities most directly address those assertions. Monitoring provides assurance that the control activities are performing as intended.
- Control Activities are an integral part of making business processes work. Embedded within the processes, they provide assurance that the processes prevent and detect errors and fraud on a timely basis, as close as possible to the source, so that relevant assertions are met. Control activities at the process level are the internal controls that specifically address the financial reporting assertions or risks (see Questions 71 and 72 for examples). Control activities should be in place within the process to reduce “financial reporting assertion risks” to an acceptable level. The financial reporting assertions and the risks (“what can go wrong”) to achieving those assertions provide a context for evaluating the design effectiveness of control activities at the process level.
- Monitoring includes the activities focused on evaluating the performance of control activities and the results of the process to ensure they are in accordance with the entity’s objectives and established performance criteria for the process. Monitoring consists of both ongoing monitoring and separate evaluations.
The control activities in place should provide reasonable assurance that management’s financial reporting objectives or assertions are met. It is important to note that the SEC’s interpretive guidance states that, through a top-down, risk-based approach, management focuses on those controls that are needed to prevent or detect a material misstatement in the financial statements. In this regard, management may identify controls for a financial reporting element that are preventive, detective or a combination of both. Management is not required to identify the entire population of controls, just those controls that adequately address the risk of a material misstatement. To illustrate, if a particular risk is addressed by an entity-level control or by a few controls within a process, the SEC’s interpretive guidance states that management is not required to identify and document all controls within the process.
The SEC states that “[e]ntity-level controls may be designed to operate at the process, application, transaction or account level and at a level of precision that would adequately prevent or detect on a timely basis misstatements in one or more financial reporting elements that could result in a material misstatement of the financial statements.” The Commission also states that other entity-level controls comprise the control environment (e.g., the “tone at the top” and entitywide programs, such as codes of conduct and fraud prevention) and “have an important, but indirect, effect on the likelihood that a misstatement will be prevented or detected on a timely basis.” Therefore, the so-called direct entity-level controls may be considered a “control activity” because they operate at a sufficient level of precision to support a conclusion that they are effective in preventing or detecting material misstatements and reduce financial reporting assertion risk to an acceptable level. The so-called indirect controls – those with an indirect effect on the likelihood a misstatement will be detected or prevented – are also important, because their absence increases the risk of a control failure. The existence of direct entity-level controls, along with controls that monitor the effectiveness of other controls, allows the evaluator to reduce the scope of testing process-level controls.
The distinction between direct and indirect entity-level controls is important from the standpoint of testing process-level controls. An entity-level control to monitor the results of operations may be designed to detect potential misstatements and investigate whether a breakdown in lower-level controls occurred. In these instances the SEC states: “If the amount of potential misstatement that could exist before being detected by the monitoring control is too high, then the control may not adequately address the financial reporting risks of a financial reporting element.” Therefore, the control is indirect in nature.
Once the key control activities are identified, management must evaluate their design and operational effectiveness:
- The assessment of design effectiveness addresses whether the control activities, as designed, provide reasonable assurance that identified risks are mitigated and the stated financial reporting assertions are achieved.
- The validation of operational effectiveness addresses whether the control activities are functioning as intended (i.e., are they performing as designed?).
At the process level, monitoring activities address the effectiveness of the key control activities built into the process, as well as the effectiveness of the control environment, risk assessment and information/communication components. Monitoring activities consist of both ongoing monitoring and separate evaluations. Ongoing monitoring arises from regular management and supervisory activities, comparisons, reconciliations, and other formal and informal mechanisms in the ordinary course of business that provide continuous feedback as to the effectiveness of internal controls. Examples of ongoing monitoring activities include:
- Day-to-day monitoring by supervisors and process owners
- Formal processes for following up on information received from external sources to improve internal processes, e.g., customer complaints about billings result in correction of deficiencies in the billing system
- Comparisons of physical assets with recorded balances, e.g., physical inventories result in book-to-physical adjustments
- Active follow-up on feedback received through planning meetings, employee suggestions systems, training sessions, etc.
- Periodic reports, e.g., exception and “near misses” reports, audit reports, limit violation reports and status of improvement initiatives reports
- Analytics built into financial systems to handle data correctly or “kick out” data failing to meet selected criteria
Senior and unit management, process owners and internal audit periodically take a fresh look at the components of internal controls (including the ongoing monitoring procedures) to evaluate their effectiveness. These initiatives are called “separate evaluations.” Internal audit reviews are a common example.
Monitoring requires protocols and processes for capturing, reporting and following up on deficiencies to ensure all significant deficiencies, or deficiencies that could eventually become significant, are considered and resolved in a timely manner.
The preceding discussion has focused on the two COSO components that are most prevalent at the activity or process level – control activities and monitoring. With respect to the risk assessment, control environment and information/communication COSO components, generic questions may be developed for application at the activity or process level to facilitate evaluation of those components at that level. To illustrate, following are examples of generic questions applicable to each of these three components that may be customized to virtually any significant process.
Business processes are exposed to risk from external and internal sources. These risks must be assessed in terms of their impact on the achievement of process objectives. Process owners must either establish a process or be part of an established process to effectively identify and evaluate the risks in the external and internal environment that present threats to the achievement of process objectives.
Following are appropriate questions pertaining to the risk assessment component at the activity or process level:
- Has the process owner established process objectives that are consistent with the overall objectives established by the reporting entity or unit management?
- Do the process objectives provide clarity and sufficient granularity as to what the process is designed to achieve? Are the objectives consistent (and not in conflict) with the objectives of other processes? Has management been involved in setting the process objectives, particularly those that are critical to the success of the reporting entity or unit?
- Does the process owner have adequate resources to achieve the stated objectives?
- Does the process owner have an effective process to: (a) identify significant risks arising from external and internal sources to the achievement of key process objectives; (b) assess the significance of the risks and the likelihood of occurrence; and (c) evaluate alternative actions for reducing those risks to an acceptable level?
- Does the process owner continuously anticipate, identify and react to routine events and changing circumstances and conditions that could affect the achievement of process objectives?
- Are process activities dependent on the integrity and availability of information identified, captured, processed and reported? If so, has the process owner evaluated the risks related to the security, integrity and availability of that information?
Process owners must establish an effective control environment to provide discipline, structure and a strong foundation for control within the process. The control environment consists of the control owners and other personnel responsible for executing the process and the environment in which they operate. It sets the tone for the effective functioning of the process, influencing the control consciousness of everyone involved in making the process work. It is the foundation for all other components of internal control within the process.
Following are appropriate questions pertaining to the control environment at the activity or process level:
- Does the process owner have an effective and understandable structure that (a) effectively facilitates monitoring, and (b) enables the vertical and horizontal communication and information flows necessary to achieve process objectives?
- Are the process owner’s approaches for articulating and clarifying roles, responsibilities, authorities and accountabilities in accordance with the established policies of the entity or unit? Is there effective communication of appropriate policies, performance expectations and established accountability to each individual responsible for important process activities?
- Are the process owner’s policies and practices for recruiting and retaining competent people and developing competence clearly defined, in support of process objectives and in accordance with the established human resource policies of the entity or unit?
- Does the process owner maintain a positive operating style in terms of accepting risks, facilitating interaction among managers and employees, and demonstrating a supportive attitude (as evidenced by appropriate action) toward financial reporting consistent with the tone set by senior management?
- Has the process owner conveyed a clear message to employees, through his or her actions and communications, that the integrity and ethical values established by the organization are an integral part of the manner in which the process is executed, and cannot be compromised?
- Has the process owner documented and communicated policies and procedures regarding information technology managed by control owners and other employees in areas including the following:
  - Control over access to sensitive and critical applications and data files supporting the process (including practices to minimize the potential for introducing computer viruses into systems supporting the process)?
  - Authorization, documentation, testing and controlled implementation of new applications and application changes affecting the process?
  - Appropriate backup and recovery procedures for all critical application programs and data files supporting the process?
Relevant and reliable information is essential to understanding what is really happening in the external environment and in the entity’s business processes. The right performance measures and effective communication processes are essential to ensure that important messages relating to internal control are communicated and managed within a process.
Following are appropriate questions pertaining to the information/communication component at the activity or process level:
- Is the process owner committed to the development of the necessary information systems to ensure all pertinent information is captured as close as possible to the source, accurately recorded and processed, and reported in a timely manner for analysis, evaluation and use in financial reporting?
- Is the process owner able to obtain adequate information – with support from executive management – from relevant external sources to assess the impact of environmental changes on the process, its performance and the information about that performance? For example, is there information about customer needs and wants; the competitive, technological and regulatory environments; and general economic and industry trends and conditions?
- Does the process owner have access to information gathered by the organization on changing conditions and trends affecting the performance of the process?
- Does the process owner determine that relevant and timely information is provided to control owners and other process personnel in sufficient detail to enable them to effectively discharge their responsibilities?
- Does the process owner effectively (a) communicate process objectives to control owners and other process personnel, (b) facilitate communication within the process and with personnel representing other entity and unit processes and functions, and (c) support a process for control owners and other process personnel to communicate upward issues regarding process performance and control?
At the process level, most of the controls will consist of control activities and monitoring. The remaining three COSO components – control environment, risk assessment and information/communication – can be addressed by tailoring relevant questions listed in Question 42 to the appropriate processes. There are a variety of ways these three components can be documented at the process level. Some auditors have insisted that all five components be addressed for each critical process. Others point out that the risk assessment component is generally applied at the entity and business-unit levels. Elements of the control environment and information/communication clearly apply to the processes because process owners set the tone for their subordinates, and must have information with which to manage the process and communicate with others on important topics. Monitoring at the process level often includes ongoing supervisory activities by process owners, including review and follow-up on exceptions and issues identified through reports, reconciliations, comparisons, confirmations and other sources of process performance information (see Question 42 for other examples). Monitoring also includes separate evaluations by internal auditors and others.
6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?
Section 404 does not require management to evaluate internal controls over operations, except to the extent that such controls may overlap with financial controls (see illustration). Defining processes, documenting procedures, analyzing root causes and supervising activities are examples of operational controls that may also be relevant to financial reporting activities.
There are potentially strong sources of value extending beyond mere compliance with Section 404. Sections 302 and 404 of Sarbanes-Oxley provide the “launching pad” to improve processes and the internal control structure and to enhance entity-level and process-level monitoring of financial reporting processes. Because Sarbanes-Oxley forces public companies to assess weaknesses in their business processes, including their controls over processing information, the line between reliable financial reporting and operational effectiveness and efficiency can be a blurry one. Financial reporting processes for many companies are often dependent on people and on manually intensive detective controls, and are sometimes inadequately defined. Because this dependency leads to a focus on detecting and correcting errors, with costly rework as the result, it provides a significant opportunity to “build in” (versus “inspect in”) quality, optimize costs and compress time within the organization’s processes while simultaneously reducing its financial reporting risks. Compressing time in the close process can be especially important due to the accelerated SEC filing deadlines for Forms 10-K and 10-Q of large accelerated filers and accelerated filers (see Question 242). In today’s environment, it is impossible to improve cost, quality and time process performance without also automating controls and improving the balance of preventive and detective controls.
With respect to compliance with laws and regulations, financial reports issued to the public are governed by SEC rules and regulations with which companies must comply. Thus, some compliance controls may be germane to financial reporting, e.g., monitoring the SEC regulatory environment, assessing the impact of changes, clearly articulating company reporting policies and communicating such policies throughout the organization. In the final Section 404 rule, the SEC said that Section 404, in general, does not cover compliance with laws and regulations. Notwithstanding the SEC’s statement, if a company is NOT complying with specific laws and regulations, the question arises as to whether that noncompliance must be identified and assessed by the company’s disclosure controls to determine whether there is a possible impact on the financial statements or on other disclosures in the company’s current or periodic public reports.
Management always has the option to expand the review of its processes, risks and controls to other categories of objectives, e.g., operational effectiveness and efficiency, and compliance with applicable laws and regulations. If management chooses to do so, however, that action is a business decision and not a Sarbanes-Oxley-driven initiative. (See Question 22.)
The COSO framework has been available for companies to use since the early 1990s. Many internal audit departments use it in organizing and documenting assessments of internal controls. However, the fact that the framework has been used by internal auditors or by anyone else does not by itself mean a company is prepared to demonstrate compliance with Section 404. Past use of the COSO framework does mean that the documentation available will be more useful and comprehensive for purposes of preparing Section 404 documentation.
No. When COSO released the Enterprise Risk Management Conceptual Framework and the accompanying Application Techniques in September 2004, it made clear that this framework would not replace the Internal Control – Integrated Framework. The Integrated Framework will continue as a viable and authoritative framework for companies to use when evaluating the effectiveness of internal controls.