The Sarbanes-Oxley Act of 2002 requires companies that are subject to U.S. reporting requirements to establish and maintain a system of internal control over financial reporting and periodically assess the effectiveness of that system. National Instrument 52-109 of the Canadian securities administrators imposes similar requirements on companies that are reporting issuers in Canada. Both the U.S. and Canadian rules require the use of a recognized framework against which to measure and evaluate the design, assessment and effectiveness of a public company’s internal control over financial reporting. Although several other frameworks exist, the vast majority of U.S. and Canadian public companies have been using the framework developed by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) that was released in 1992 (the Original COSO Framework). Recently, COSO has released an updated version of its framework (the 2013 COSO Framework) which, among other objectives, expands the application of internal controls to address operations and reporting objectives and the identification of, response to and mitigation of risk; and clarifies the requirements for determining what constitutes effective internal control. Every U.S. and Canadian public company using the Original COSO Framework will have to assess the changes to COSO’s framework in order to determine whether, and to what extent, any changes to its own system of internal control over financial reporting will be necessary.
The Original COSO Framework was released more than 20 years ago, and since that time business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global. The needs of investors are also evolving, as they seek greater transparency and accountability for the integrity of internal control systems that support business decisions, governance and improved detection and prevention of fraud.
The 2013 COSO Framework sets out 17 guiding principles, organized around the original five components of the framework (Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring Activities), to help companies design and evaluate internal control systems. Those principles were derived from the Original COSO Framework and the principles that were developed and articulated in COSO’s 2006 Internal Control Over Financial Reporting — Guidance for Smaller Public Companies. Except in rare circumstances, each of the 17 principles should generally be relevant to all companies.
One example of the changes from the Original COSO Framework to the 2013 COSO Framework is the topic of identifying and responding to risks. The 2013 COSO Framework includes more detailed discussion about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed and linkage between risk assessment and control activities. Unlike the Original COSO Framework, it explicitly includes the concept of considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives (see Principle 8 below). The 2013 COSO Framework identifies various ways that fraudulent reporting can occur, including:
- management bias, for example, in selecting accounting principles
- degree of estimates and judgments in external reporting
- fraud schemes and scenarios common to the entity’s industry sector and market
- nature of technology and management’s ability to manipulate information
- unusual or complex transactions subject to significant management influence
- management vulnerability for potential schemes to circumvent existing control activities
The five components and 17 principles comprise the criteria that management should use in designing internal controls and in assessing whether the internal controls are effective. In order for a company’s internal controls to be effective, generally all of the components and relevant principles must be present and functioning.
The 2013 COSO Framework
The 17 principles supporting the components of an effective internal control system are listed below, organized by the five system components to which they relate:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities.
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of internal control.
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Changes in Terms Used to Describe Deficiencies of Internal Control
The 2013 COSO Framework uses the terms “internal control deficiency” and “major deficiency” to describe degrees of severity of internal control deficiencies. Under the 2013 COSO Framework, an internal control deficiency refers to a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives,” and a major deficiency refers to an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.” Further, the 2013 COSO Framework explains that a major deficiency exists when “a component and one or more relevant principles are not present or functioning” or when “components are not operating together.” In addition, if a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. To comply with internal control reporting requirements under the Sarbanes-Oxley Act of 2002, an issuer’s management and independent auditors would continue to use the terms “significant deficiency” and “material weakness” as defined by the SEC and the Public Company Accounting Oversight Board. Similarly, under National Instrument 52-109 in Canada, issuers would still be required to make disclosure of any “material weakness”. Under both U.S. and Canadian rules, a public company’s internal control over financial reporting may not be considered effective if a material weakness is found to exist.
Transitioning to the 2013 COSO Framework
COSO has encouraged users of the Original COSO Framework to transition to the 2013 COSO Framework as soon as possible. The Original COSO Framework will remain available during a transition period extending to December 15, 2014, after which time COSO will consider it as superseded by the 2013 COSO Framework. During the transition period, public companies should clearly disclose in their filings with securities regulatory authorities whether the Original COSO Framework or the 2013 COSO Framework was utilized to assess their internal control over financial reporting.
Companies using the Original COSO Framework that have not already done so should consider whether any changes to their system of internal control over financial reporting are necessary or desirable in order achieve alignment with the 2013 COSO Framework and its 17 principles. We expect that in most cases issuers will conclude that the transition from the Original COSO Framework to the 2013 COSO Framework will not require any significant changes to existing systems of internal control over financial reporting. However, it is important for every public company to ensure that the outcome of an internal control assessment under the 2013 COSO Framework will not result in the identification of any deficiency while there is still ample opportunity to make any necessary adjustments to its internal controls.