Tag Archive: Internal compliance

COSO 2013: What Have We Learned?

Published by Jim DeLoach

The U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an update to its Internal Control—Integrated Framework, which was first released in 1992. This revised framework meets the SEC’s criteria for suitability, and many companies have accordingly transitioned to this updated version. However, in addition to supporting the evaluation of ICFR, the framework offers other important lessons to boards of directors on the relevance of internal control to their risk oversight.

The control environment is vital to preserving an organization’s reputation and brand image. Since the release of the COSO framework, there have been a number of corporate scandals related to operational, compliance and reporting issues. These companies likely lacked a strong control environment in the areas that contributed to the crisis.

The control environment lays the foundation for a strong culture around the organization’s internal control system. It consists of the policies, standards, processes and structures that provide the basis for carrying out effective internal control across the organization. Through their actions, decisions, and communications, the board and senior management establish the organization’s tone regarding the importance of internal control. Management reinforces expectations at the various levels of the organization in an effort to ensure alignment of the tone in the middle with the tone at the top.

According to the COSO framework, the control environment comprises the

  • organization’s commitment to integrity and ethical values;
  • oversight provided by the board in carrying out its governance responsibilities;
  • organizational structure and assignment of authority and responsibility;
  • process for attracting, developing, and retaining competent people; and
  • rigor around performance measures, incentives, and rewards to drive accountability for performance.

Without a supportive boardroom culture and effective support from executive and operating management for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation and brand image. This issue is likely a contributing factor at the companies that have been hit recently with headline-grabbing scandals.

The control environment applies to outsourced processes. Organizations typically extend their activities beyond their four walls through strategic partnerships and relationships. The blurred lines of responsibility between the entity’s internal control system and those of outsourced service providers create a need for more rigorous controls over communication between all parties involved. For example, information obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on which the entity depends for processing its information, should be subject to the same internal control expectations as information processed internally.

The point is clear: management retains responsibility for controls over outsourced activities. Therefore, these processes should be included in the scope of any evaluation of internal control over operations, compliance, and reporting, to the extent a top-down, risk-based approach determines they are relevant. Controls supporting the organization’s ability to rely on information processed by external parties include:

  • Vendor due diligence;
  • Inclusion of right-to-audit clauses in service agreements;
  • Exercise of right-to-audit clauses;
  • Obtaining an independent assessment over the service provider’s controls that is sufficiently focused on relevant control objectives (e.g., a service organization controls report); and
  • Effective input and output controls over information submitted to and received from the service provider.

The potential for fraud should be considered explicitly when conducting periodic risk assessments. Ongoing risk assessments are an integral part of a top-down, risk-based approach to ensuring effective internal control. In these assessments, directors should ensure that management evaluates the potential for fraudulent financial and nonfinancial reporting (e.g., internal control reports, sustainability reports and reports to regulators), misappropriation of assets, and illegal acts. In addition, the potential for third-party fraud is a relevant issue for many organizations. As the COSO Framework points out, fraud risk factors include the possibility of management bias in applying accounting principles; the extent of estimates and judgments in reporting; fraud schemes common to the industry; geographical areas where the organization operates; performance incentives that potentially motivate fraudulent behavior; potential for manipulation of information in sensitive financial and nonfinancial areas; entering into unusual or complex transactions; existence or creation of complex organizational structures that potentially obscure the underlying economics of transactions; and vulnerability to management override of established controls relating to operations, compliance and reporting.

There are important lessons learned in Section 404 compliance. Investors take reporting fairness for granted; however, when public companies restate previously issued financial statements for errors in the application of accounting principles or oversight or misuse of important facts, investors notice. The bottom line is that the markets take quality public reporting at face value. Once a company loses the investing public’s confidence in its reporting, it’s tough to earn it back.

Section 404 compliance is important in the United States because material weaknesses in ICFR provide investors early warning signs of financial reporting issues. We have gleaned many lessons in our work successfully transitioning numerous companies to the 2013 COSO framework. The most important of these lessons is that a top-down, risk-based approach is vital to Section 404 compliance. Some companies forgot to apply this approach when setting the scope and objectives for using the updated framework; as a result, they went overboard with their controls testing and documentation. We can’t stress strongly enough that the 2013 COSO Framework did not change the essence of and need for a top-down, risk-based approach to comply with Section 404.

Other lessons include:

  • Meet with your external auditor early and often to ensure that the company is fully aligned with the auditor on the appropriate process for transitioning to the updated framework.
  • Establish an effective and relevant mapping approach to link established key controls to the principles outlined in the COSO framework by leveraging the points of focus provided by the framework; start with existing controls documentation, and consider the nature of the framework’s components.
  • Manage the level of depth when testing indirect controls (often referred to as entity-level controls) by focusing on the specific objectives germane to ICFR; for example, for the indirect control emphasizing background checks, management should scope the application of this activity to the appropriate people designated with financial reporting responsibilities rather than all employees throughout the organization (unless management wishes to expand scope beyond financial reporting).
  • Focus on understanding and documenting control precision by understanding the control’s track record in detecting and correcting errors and omissions to support an assertion that the control effectively meets the prescribed level of precision.
  • Evaluate the completeness and accuracy of information produced by the entity to support the execution of key controls; the Public Company Accounting Oversight Board inspection reports are driving auditors to place more audit emphasis on validating system reports, queries and spreadsheets.

Applying the 2013 COSO framework to operational, compliance and other reporting objectives is virgin territory. In applying the updated COSO framework, most organizations have limited their focus to ICFR. Some organizations even believe that the framework was designed exclusively for Section 404 compliance. Such is not the case. There are benefits to using the framework for other objectives relating to operations, compliance, and other reporting. However, these efforts should be segregated from Section 404 compliance. Progressive organizations are applying the COSO Framework to other areas, such as sustainability reporting, regulatory compliance and controls over federal grants, to name a few.

Questions for Boards

The board may want to consider asking the following questions, based on the risks inherent in the entity’s operations:

  • Have directors paid close attention to whether the organization’s control environment is functioning effectively?
  • Does the organization periodically consider fraud risk in its risk assessments? Is the board satisfied that the risk of third-party fraud is reduced to an acceptable level?
  • Does the company’s process for complying with Section 404 apply a top-down, risk-based approach, and is the process cost-effective?
  • Has management considered applying the COSO framework to improve internal control in areas other than financial reporting?

Jim DeLoach is a managing director with Protiviti, a global consulting firm.

Understanding the New Whistleblower Rules

Published by

On May 25th, the SEC approved a final rule implementing the whistleblower provisions of the Dodd-Frank Act. The rule adds section 21F to the Exchange Act and directs the SEC to pay awards to whistleblowers who voluntarily provide the Commission with original information about a securities law violation leading to the successful enforcement of an action that results in monetary sanctions exceeding $1,000,000.

The rule, proposed on November 3, 2010, garnered significant attention from governance groups, corporations, trade associations, and audit firms. Perhaps most in contention was the provision allowing potential whistleblowers to bypass internal compliance systems and go straight to the SEC and inform them of securities violations. Over the objections of some organizations, including NACD, the SEC’s final rule does not mandate utilizing a company’s internal compliance system prior to or simultaneously with reporting to the SEC. Instead, the SEC has increased the potential amount of award for those who use a company’s internal systems. Whistleblowers may also claim a reward when they report to the company and the company subsequently reports to the SEC. In this case, any information provided by the company will be attributed to the whistleblower, potentially increasing the amount of reward.

The final rule also extends the time frame for whistleblowers to inform the SEC after reporting internally. For purposes of award eligibility, the SEC will treat an employee as a whistleblower as of the date that the employee reports the information internally – as long as the employee provides the same information to the SEC within 120 days. Through this provision, employees are able to report their information internally first while preserving their “place in line” for a possible award from the SEC. This additional time was provided to allow a company to identify, correct, and self-report securities violations.

Certain employees of a company are excluded from being considered for a reward under the new rule. Those unable to claim the award include:

  • Those who obtain the information through a communication that was subject to attorney-client privilege, unless disclosure of the information would prevent an issuer from committing a material violation of securities law or perpetrating a fraud upon the Commission;
  • Those who obtain the information in connection with the legal representation of a client on whose behalf the whistleblower or the whistleblower’s firm is providing services, unless disclosure would be permitted in the instances referenced above;
  • Individuals who obtain the information in a manner that violates federal or state criminal law;
  • An officer, director, trustee, or partner of an entity who was informed of the allegations of misconduct by another person;
  • The whistleblower, if the whistleblower learned about the information in connection with the entity’s processes for identifying, reporting, and addressing possible violations of law;
  • Any person employed by or associated with a firm retained to conduct an inquiry or investigation into possible violations of law; and
  • An employee of a public accounting firm, if the information was obtained through the performance of an engagement required by the SEC.

However, internal audit and/or compliance personnel as well as public accountants could become whistleblowers in the following situations:

  • The whistleblower has a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors
  • The whistleblower has a reasonable basis to believe that the company is engaging in conduct that will impede an investigation of the misconduct
  • At least 120 days have elapsed since the whistleblower provided information to the company’s audit committee, chief legal officer, chief compliance officer, or the whistleblower’s supervisor, or since the whistleblower received the information, if it was received under circumstances indicating that the entity’s audit committee, chief legal officer, chief compliance officer, or the whistleblower’s supervisor was already aware of the information

Prior to passage of the final rule, NACD staff submitted a comment letter to the SEC and met with SEC officials to express their concerns. NACD stressed the need for whistleblowers to utilize internal compliance systems prior to going to the SEC. The systems required by the Sarbanes-Oxley Act (SOX) were established at great expense to companies in the United States. NACD believes these systems are working and requested a postponement of the whistleblower rules so that the SEC could conduct a study on the effectiveness of current whistleblower programs, such as those required under SOX.

Another major concern for NACD is the use of consultants. Consultant use is rising and is an important means of acquiring outside third-party information. In certain situations, a consultant may discover information about a securities violation and bring it to the SEC in order to claim a reward. The final rule does not extend the exclusions to outside consultants because the SEC believes that additional exclusions for such outside professionals would too broadly preclude individuals with possible inside knowledge of violations from coming forward to assist the Commission in identifying and prosecuting persons who have violated securities laws.

The new rules will become effective sixty days after they are submitted to Congress or published in the Federal Register.

Despite the passage of the new rules at the SEC, one notable development has occurred. Recently, Congressman Michael Grimm introduced draft legislation amending the Dodd-Frank Act to require whistleblowers to first use a company’s internal compliance systems. Under that proposal, potential whistleblowers could still bypass internal systems if the Commission determines in a preliminary investigation that internal reporting is not a viable option, based on evidence that the alleged misconduct was committed by or involved the complicity of the highest level of management, or on evidence of bad faith on the part of the employer. NACD will continue to monitor any developments involving the whistleblower rules.

Related resources (links not preserved on this page):

  • The SEC’s summary of the rule
  • The SEC’s full explanation of the rule
  • NACD’s comment letter
  • An NACD webcast regarding the whistleblower rules