The March meeting of the PCAOB's Standing Advisory Group included an examination of the pending revised internal controls framework being developed by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"). Describing the update as a welcome development, PCAOB Member Lewis Ferguson said that the update will make the COSO internal control framework more relevant to the complex global business environment.
Section 404(a) of Sarbanes-Oxley requires that annual reports filed with the SEC be accompanied by a statement by company management that management is responsible for maintaining adequate internal controls. In the report, management must also present its assessment of the effectiveness of those controls. In addition, Section 404(b) requires the company's auditor to report on and attest to management's assessment of the company's internal controls.
SEC rules require that management's evaluation of a company's internal controls pursuant to Section 404 must be based on a suitable, recognized control framework established by a body that follows notice and comment procedures. The Commission has identified the COSO internal controls framework as such a framework.
While PCAOB auditing standards are neutral regarding the internal control framework that auditors use for testing and evaluating controls, Board standards require auditors to use the same internal control framework that management uses, and the overwhelming majority of U.S. public reporting companies use the COSO framework. Changes to the COSO framework would thus have significant implications for audits conducted in accordance with PCAOB standards. Changes to the COSO framework could lead companies to make changes to their controls, their control documentation or management's process for assessing the effectiveness of internal controls which, in turn, could affect the auditor's procedures regarding internal controls.
COSO officials told the SAG that the enhancements to the framework are not intended to alter the core principles of the framework, but to facilitate a more robust discussion of internal controls. Concepts and guidance in the framework will be refined to reflect the evolution of the operating environment and the changed expectations of regulators and other stakeholders. In addition, the enhancements are expected to cover more than financial reporting by considering ways to enrich the guidance on operations and compliance objectives.
COSO has engaged PricewaterhouseCoopers to support its update of the framework. PwC will work under COSO's direction in developing the updated framework. COSO will conduct the update pursuant to rigorous due process. In order to ensure a broad representation of perspectives, COSO is forming an advisory council comprised of representatives from industry, academia, government agencies and nonprofits to provide input as the project progresses. In addition, the updated framework will be exposed for public comment. COSO intends to issue an exposure draft this year, with final adoption of a revised framework planned for next year.
COSO envisions two documents emerging from the revision process. The first document will be the updated overall internal controls framework, which will supersede the original 1992 framework. COSO’s 2006 small business guidance will also be superseded and folded into the revised framework.
A second document will deal with applying the framework in the financial reporting arena, such as in Section 404 areas. The COSO officials hastened to add that the internal controls framework is not being bifurcated. The first document is the updated framework, while the second document is guidance in specific areas.
COSO believes that the impact of the revised framework on governance will be positive. The framework will also provide a better understanding of programs supporting fraud deterrence.
SAG member, and Duke University Law Professor, James Cox asked if COSO has considered the carve out from the Section 404(b) auditor attestation requirement in the Dodd-Frank Act for small companies in light of the fact that most abuses are disproportionately found in smaller issuers. He asked if the framework would bifurcate companies exempt from 404(b) from those that are non-exempt. The COSO officials said that they have not considered this, noting that COSO is not the regulator. They said that the core internal controls framework is important and relevant for all companies, exempt or not. Former PCAOB Chief Auditor, and SAG member, Douglas Carmichael noted that, while COSO may not be a regulator, COSO is effectively the center of internal controls standards and as such plays a vital public interest role through the Section 404 mandates.
With regard to the carved out small companies, SAG member, and Director of Accounting and Auditing Quality Assurance at Ehrhardt Keefe Steiner & Hottman, Gaylen Hansen suggested that COSO do something in the risk assessment area to ascertain if company management did what 404(a) commands it to do, not to audit management’s conclusions of the effectiveness of the internal controls, but to tie it in to risk assessment, without conducting an audit.
Regarding the Dodd-Frank carve out, PCAOB Chairman James Doty asked COSO to help enable the Board to direct auditors to look for fraud in smaller companies. COSO officials replied that they could make guidance more robust in this area. Chairman Doty also said that there should be a consideration of whether risk assessment standards should require a determination that company management has taken into account the COSO guidelines outside of a 404(b) attestation requirement.
Given the fact of global financial markets, SAG member, and CalPERS official, Mary Hartman Morris questioned whether COSO could make the updated framework less US-centric. COSO officials responded that they are obtaining the views of the International Federation of Accountants in preparing the revised framework. While noting that they are not obligated to fully harmonize the COSO framework with non-US guidance, COSO officials said that the revised internal controls framework must be globally meaningful and relevant.
They are also aware that non-US users and jurisdictions would discount the framework if it was too US-centric. Furthermore, they noted that the sponsoring organizations of the Treadway Commission, which include the AICPA and the Financial Executives International, have many members outside the US, and COSO has a duty to these non-US stakeholders.
SAG member, and former SEC Chief Accountant, Lynn Turner noted that the original COSO framework was missing a principle that the SEC staff had wanted to include, which was the need for companies to identify changes and trends. In light of the financial crisis, said Mr. Turner, that pillar should have been in the framework. He asked COSO to consider including it in the updated framework.
Noting the Sarbanes-Oxley Sec. 407 requirement that companies disclose if they have a financial expert on the audit committee, SAG member, and Eli Lilly & Company Chief Accounting Officer, Arnold Hanish said that there is a need to beef up financial experts on boards. He said that there is no firm definition of what a financial expert is, and that there is a wide variety of people calling themselves financial experts. Given the complexity of FASB standards, audit committees must have true financial expertise, he emphasized, so that the right questions get asked of auditors. This should be baked into governance. COSO officials agreed that there is a wide difference among financial experts and offered that guidance could be drafted to help determine what good governance is in this regard.