Monday, February 27, 2012

COSO Says Updated Internal Control Framework Should Not Change Section 404(b) Attestation

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has indicated that its updated Internal Controls Framework is not expected to change the underlying assessment and attestation process of Sections 404(a) and 404(b) of Sarbanes Oxley. While the original Internal Controls Framework has proven to be one of the most widely accepted frameworks for designing and evaluating systems of internal control, the COSO Board recently proposed to update the Framework to make it more relevant to stakeholders in the current business environment.

Section 404(a) of Sarbanes-Oxley requires that annual reports filed with the SEC must be accompanied by a statement by company management that management is responsible for maintaining adequate internal controls. In the report, management must also present its assessment of the effectiveness of those controls. In addition, Section 404(b) requires the company's auditor to report on and attest to management's assessment of the company's internal controls.

To capture views of a broad range of professionals in the market place, COSO has formed an Advisory Council representing industry practitioners as well as representatives and observers from government agencies and non-profit organizations to capture views of a broad range of professionals in the market place. The PCAOB and SEC have been invited as observers to attend the Advisory Council meetings and provide input to the project.

The updated Framework should enable more effective application in practice of internal control over operations, compliance and reporting. Certain concepts and discussions are expected to be refined to reflect certain changes in the business environment and in expectations in the market place. However, COSO believes that the principles embedded within the original Framework are timeless.

Thus, the updated Framework is consistent in many respects with the original Framework and includes the same definition of internal control and five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. Also, the updated Framework continues to apply judgment in developing, implementing and assessing effective internal control. Similarly, the updated Framework retains the three categories of objective: the effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations;

To have an effective system of internal control, each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective. In addition, the existence of any material weakness or major non-conformity would preclude an organization from concluding that the entity's system of internal control is effective.

While PCAOB auditing standards are neutral regarding the internal control framework that auditors use for testing and evaluating controls, Board standards require auditors to use the same internal control framework that management uses and the overwhelming majority of U.S. public reporting companies use the COSO framework. Changes to the COSO framework would thus have significant implications for audits conducted in accordance with PCAOB standards.

COSO officials told the PCAOB’s Standing Advisory Group that the enhancements to the framework are not intended to alter the core principles of the framework, but to facilitate a more robust discussion of internal controls. Concepts and guidance in the framework will be refined to reflect the evolution of the operating environment and the changed expectations of regulators and other stakeholders. In addition, the enhancements are expected to cover more than financial reporting by considering ways to enrich the guidance on operations and compliance objectives.