SOX: Potential Changes to Internal Control Over Financial Reporting

As I open my email these days, I see people suggesting that we are about to enter a new era of assessments for SOX (Sarbanes-Oxley Section 404).

Some are excited; some are in despair.

Some are keen to jump on a new bandwagon and sell seats at classes on assessing internal control over financial reporting using COSO 2013 (COSO is preparing to issue an update of its landmark 1992 Internal Control Framework).

Others are lamenting the advent of a checklist-approach to SOX assessment that they believe is implicit in the drafts of COSO 2013.

A few continue their quixotic attempts to brand the COSO Internal Control Framework (ICF) as inept, preferring a totally different approach.

So let me see if I can bring some sanity to this excited confusion.

In my opinion, the 1992 ICF provides a reasonable basis for SOX assessments. What people have overlooked in their haste to criticize is that it requires a risk-based approach! The Risk Assessment component asks that you identify and assess sources of risk to your objectives (in the case of SOX, the objective is financial statements that are free of material error) before selecting the controls to address those risks.

Those who criticize the COSO ICF as failing should look not to any defect in the framework, but to defects in its use – by external auditors and those influenced by them.

The quixotic point out, correctly, that the greatest risks lie in areas that are not given the attention they deserve, such as the integrity of management and the skills and competencies of those involved in financial reporting (including those responsible for compliance with accounting rules and for tax accounting).

But these are areas included in the Control Environment component. The fault, if fault exists, is that insufficient attention is paid to the Control Environment and too much is paid to detailed business process controls that reside in the Control Activities component.

While most organizations and their external auditors spend the great majority of their time testing detailed controls, very few material weaknesses are uncovered there. In fact, when they do find important issues during that testing, the root cause is typically a failing in the Control Environment activities related to staff competencies.

If I may, I believe any defect in SOX assessment processes has been a deficiency in the use of judgment to understand each organization’s sources of risk to the financial statements – a deficiency in the attention paid to the Risk Assessment component and to the activities in the Control Environment component.

So, COSO 1992 still works for me. But will 2013 augur a change in approach? Will it reduce us from exercising judgment to working through a checklist?

The jury is still out, as we don’t know what the COSO Board is going to do. The signs are not promising, as the last draft continued to be unclear on the role of judgment vs. assessing internal control based on the presence of defined principles (which is the checklist approach). In addition, the supplementary documents that were designed to help with an assessment are entirely checklist-based.

Any class that is offered today on assessing SOX using COSO 2013 should be viewed with great skepticism. How can you teach something that is not yet final – and whose drafts may be changed significantly?

I hope that the COSO Board continues to listen to those (including me) who promote the continued use of a top-down and risk-based approach to assessing internal control – especially internal control over financial reporting. Judgment rather than a checklist is the only way to go.

Guidance specifically for SOX should embody the top-down and risk-based approach, demonstrating with examples how the process explained in SEC guidance and in PCAOB Auditing Standard Number 5 is followed using COSO ICF.

It should start with Risk Assessment, the identification of sources of risk (significant accounts and locations, etc.) and continue with the identification of key controls – which may exist at any level of the organization and are found in Control Environment, Control Activities, Information and Communication, and possibly in Monitoring.

So, I would not enroll in classes on COSO 2013, nor would I despair (yet) about COSO 2013. All I would do is encourage everybody to lobby COSO to stress judgment over checklists and to promote the top-down and risk-based approach to assessing internal control.

I welcome your comments.