COSO transition getting a close look from auditors
The early stages of implementation are over for many companies using
the updated internal control framework of the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).
In 2013, the framework—which had been in use since 1992—was updated
to reflect changes in the business environment. U.S. public companies
have been working to implement the new framework to fulfill their
internal control over financial reporting requirements under the
Sarbanes-Oxley Act (SOX).
COSO will consider the 1992 framework to be superseded following a
transition period that ends Dec. 15, 2014. Although COSO is not a
regulatory agency with enforcement power, then-SEC Chief Accountant
Paul Beswick said shortly after the framework’s release that the SEC
plans to monitor the transition, and referred users of the framework
to the statements COSO has made about transition.
After working on implementation, many companies that use the
framework are having discussions with their auditors about what has
“Now what’s happening, as we turn the corner in the third and fourth
quarters, the company’s accounting firm is now getting involved in the
transition, asking and having discussions about what was done, what
have the results been, what were their expectations,” COSO Chairman
Robert Hirth said.
Jennifer Burns, CPA, a partner in the regulatory and professional
matters group at Deloitte LLP, said her impression after working with
clients is that they appreciate the way the updated COSO framework
explicitly expressed 17 principles for effective internal control—and
points of focus that provide greater understanding of each principle.
One task for organizations in implementing the framework has been an
exercise to map the controls to those 17 principles.
“People really like the structure of the new framework—using the
principles and the points of focus,” Burns said. “I think they find it
helpful in terms of understanding and improving controls overall.”
Sandy Herrygers, CPA, a partner and IT specialist leader at Deloitte
& Touche LLP, said the difficulty organizations have experienced
in implementation has varied depending on how well their controls had
been implemented around the original framework.
“Companies that went above and beyond on the original framework—most
of the larger, mature public companies—haven’t seen as significant a
change with the new framework,” she said, “because in a lot of the new
content areas, they had already implemented controls.”
Here are some of the areas that Herrygers and Burns said have
required extra attention from organizations in implementing the framework.
Burns said the initial gap assessments performed as part of
implementation have discovered gaps that can be placed into four categories.
Deloitte also has advised clients to look beyond the basic
mapping to the new principles and points of focus and take a fresh
look at the areas of internal control that historically have been
problem areas for public companies in general. For example, these
include lack of technical accounting skills, and accounting for income taxes.
“There are areas that have just been difficult for companies to get
their arms around from an internal control perspective,” Herrygers said.
But the basic implementation has been smooth, she said, because
companies have had a healthy dialogue with their auditors while
undergoing the mapping process and addressing any shortcomings.
“When the client works on the gap assessment, we’re one step behind
them, reviewing the work and providing input,” Herrygers said. “So I
feel that the process has been very effective in terms of how we’re
coordinating to make sure there aren’t surprises at the end of the year.”
Ken Tysiac (
) is a JofA editorial director.
Research & References of COSO transition getting a close look from auditors|A&C Accounting And Tax Services