While the Center for Audit Quality (CAQ) generally supports the efforts of COSO to update and enhance the original Internal Controls Framework, the updated framework does not provide sufficient guidance regarding the transition from the original framework. Absent clarity with respect to how the two frameworks are intended to be used, the CAQ believes there could be inconsistent application by entities that have a requirement to evaluate and report on the effectiveness of internal control, as well as potential confusion among users of those reports. For example, without clarity, some organizations may continue to utilize the original framework, while other organizations may utilize the updated framework.
Moreover, the codification of the concepts introduced in the original framework into principles and underlying attributes in the updated framework could result in entities coming to different conclusions with respect to whether their system of internal control is effective, depending on which framework is utilized. Furthermore, the CAQ believes that investors and other users of the external reports on the effectiveness of internal control could view the frameworks as providing differing expectations for what constitutes an effective system of internal control.
Given these potential outcomes, the CAQ urged COSO to work with the SEC and other regulatory agencies, as necessary, to consider guidance and clarification regarding the validity of the original framework subsequent to the issuance of the updated framework.
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, has indicated that its updated Internal Controls Framework is not expected to change the underlying assessment and attestation process of Sections 404(a) and 404(b) of Sarbanes-Oxley. While the original Internal Controls Framework has proven to be one of the most widely accepted frameworks for designing and evaluating systems of internal control, the COSO Board recently proposed to update the Framework to make it more relevant to stakeholders in the current business environment.
Section 404(a) of Sarbanes-Oxley requires that annual reports filed with the SEC be accompanied by a statement by company management that management is responsible for maintaining adequate internal controls. In the report, management must also present its assessment of the effectiveness of those controls. In addition, Section 404(b) requires the company's auditor to report on and attest to management's assessment of the company's internal controls.
In its comment letter, the CAQ noted that the updated framework segregates deficiencies in an organization’s internal control over financial reporting from deficiencies in other components. As part of this segregation, it incorporates the three tiers of deficiencies used by the SEC and the PCAOB related to external assessments required by Section 404 of the Sarbanes-Oxley Act. The CAQ does not believe that the incorporation of these three tiers is appropriate as it unnecessarily links the updated framework to a U.S. regulatory reporting framework and could risk obsolescence of the framework based on future regulatory changes.
Given the use of the COSO internal controls framework around the world, the CAQ said that it would be more appropriate for the updated framework to consider deficiencies across all components consistently. To the extent further guidance tailored to the financial reporting component is deemed necessary, the CAQ believes that providing such guidance in COSO’s upcoming external financial reporting guidance would be more appropriate.
The CAQ also noted that the updated framework provides an overview of risk tolerance but is silent regarding the concept of risk appetite. The Center observed that directors and senior management often use the concepts of risk tolerance and risk appetite in the same context, yet some organizations struggle with articulating and reporting on these concepts, leading to inconsistent application and inadequate reporting.
Thus, the CAQ urged COSO to enhance the updated framework to provide additional clarity regarding the application of risk tolerance and introduce the concept of risk appetite, with appropriate examples. Similarly, the CAQ believes that users would benefit from additional risk tolerance and risk appetite examples that focus on interactions with other processes, including financial reporting and regulated activities, as opposed to the examples currently included within the updated framework that focus on deliveries, training, and customer complaints.
The discussion within Principle 8 details the consideration of fraud in assessing risks, focusing in particular on risks associated with fraudulent reporting, safeguarding of assets, and acts of corruption. However, the CAQ believes that the discussion within Principle 8 does not consider other known fraud risks, particularly risks associated with economic incentives that may elicit unethical or inappropriate behavior, such as intentional misconduct and illegal acts.
The discussion within Principle 5 describes the concept of enforcing accountability through the use of incentives and rewards, and also describes the inherent pressures faced by management and directors toward the achievement of objectives. The CAQ believes that pressures to achieve the organization’s objectives can increase fraud risks, especially when coupled with lucrative incentive plans; however, the discussion within Principle 8 is silent in this regard. Moreover, the discussion within Principle 8 does not consider management negligence, which can increase the opportunity for fraud. Thus, the CAQ urged COSO to expand the discussion within Principle 8 to consider such known fraud risks, particularly as they relate to economic incentives and management negligence, and their relationship to the other control components.