A lot has changed in the business world over the past 20 years: technology, the globalization of business, and organizational relationships such as outsourcing and joint ventures, to name a few. Recognizing these vast changes to the business environment, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the COSO 2013 Internal Controls Framework, an updated version of the 1992 model.
Why is this important?
COSO is a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control. The COSO Internal Control framework is also the only framework that meets the criteria for the SEC’s acceptable framework for Sarbanes-Oxley. When COSO released the 2013 framework, it also considered the original framework superseded as of December 15, 2014. Thus, public companies that have internal control assessment responsibilities pursuant to Section 404 of SOX will need to be in compliance with the guidance and requirements of the COSO 2013 framework.
Back to the Basics
To understand what companies need to do to be in compliance with the new framework, we need to revisit the original framework. The core, or in this case the COSO cube, remains intact. The Framework Objectives (Operations, Reporting, & Compliance), the Framework Components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities) and the different levels of the organization (Entity Level, Division, Operating Unit, Function) all still exist, and the criteria used to assess the effectiveness of an internal control system are quite similar. Bottom line: All five components must be present and functioning and operating together when concluding that internal control over a particular objective is effective.
Key Changes to the New Framework
While the end goal remains the same, the 2013 framework added several enhancements designed to help companies address the evolution of the business environment along with their associated risks and to expand internal controls beyond just financial controls.
Transitioning to the New Framework
At CBIZ MHM, we believe there is no one-size-fits-all approach to adapting and transitioning to the new framework. Many factors come into play, such as the size and complexity of the business and how well the company has kept its controls documentation up to date. To that end, we recommend the following transition to the new framework:
1. Gain Alignment, Develop Awareness & Expertise
This process doesn’t happen in a tunnel. It’s important to have subject matter experts in the company who understand the new framework and how it relates to your business. The team must understand the concept of internal control, the requirements of effective internal control and what would constitute a deficiency versus a major deficiency when evaluating the system.
2. Conduct an Impact Assessment
This is where the rubber meets the road. The principles should be mapped to the organization’s existing controls documentation, not directly to the five components. Next, the team must evaluate whether there are any gaps or deficiencies in the controls or documentation by determining if all of the elements of the 17 principles were addressed. Remember, for management to conclude that its system of internal control is effective, all relevant principles must be present and functioning and all five components must operate together in an integrated manner.
3. Define Gaps and Remediate
As gaps are identified, the team must address them by identifying additional controls or enhancements to existing controls. All internal control documentation should be updated throughout this process.