• Take advantage of the unique guidance in this volume on crafting interviews and questionnaires, sampling, testing, and deficiency assessment.
• Try your ideas out. Include IT assessments, walkthroughs, and controls tests to give any revised approach a full trial.
• Revise the plan and flesh out the new directions.
• Provide a forum for discussion with all core team members to share observations and suggestions.
• Develop training material to ensure consistent application as you roll out the new direction.
• Utilize continuous improvement and other techniques to keep the project fresh and current.
This book updates and replaces two separate volumes previously published by John Wiley & Sons: Internal Controls–Guidance for Private, Government, and Nonprofit Entities (2007) and Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Entities (2010). Because of the common Framework these diverse applications now share, it makes sense to combine these volumes at this time. Many of the technical and operational issues are shared across these applications, albeit with different levels of importance and intensity for specific entities and audit environments.
The evolution of the COSO Framework is one of close personal association, since I was a partner with Coopers & Lybrand (C&L) as the 1992 Framework was first being drafted for COSO and introduced to C&L clients. I was responsible for the development and training at BDO in applying the Framework to SOX, was a member of a professional Firm 404 Implementation Task Force, and was a member of the Auditing Standards Board as the COSO Framework was further integrated into Generally Accepted Auditing Standards. I was appointed as an AICPA representative in roundtable discussions with COSO developers leading up to the release of the 2006 enhanced guidance for smaller public entities, and have worked with companies and auditors on implementation issues throughout this period and to date. I have developed several training courses for the AICPA and other associations in documenting internal controls. My sincere hope is that this work will make a difference for those seeking new insights and better approaches to the implementation of the Framework. I would like to thank my clients for all the learning opportunities along the way.
Acknowledgments
As always, special thanks go to my wife Barbara and to my family, who again tolerated my being sequestered in my office during the development and refinement of this work.
Thanks to my clients, both companies and auditors and peers, who provided the experiences and training grounds. Also to be acknowledged are the dedicated professionals of the various COSO development teams and the AICPA and PCAOB, whose writings have been woven into this work.
A special thank you also goes to the many John Wiley & Sons production and editing professionals who have helped make this work and its predecessors along the way more readable and focused, and to the Wiley leadership of John DeRemigis and Timothy Burgard, who strongly supported the production of this volume.
Chapter 1
What We All Share
Regardless of the type of entity, all Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework users and auditors in the public and nonpublic sectors share a great deal in common. We broadly outline those shared characteristics here before plunging into the details of application and documentation. This will also help readers to target the specific goals they have in studying this material. Later these concepts are developed in more detail; for now, they serve as an overview of the subject matter.
Need for Control Criteria
Early auditing literature talked about controls, primarily in terms of controls over more routine transactions, such as cash receipts and disbursements. Based on the analysis of business and accounting failures over decades of experience, it became clear that a broader view of controls was necessary to address the various management, information processing, or oversight weaknesses that so often contributed to these events. However, there was no broader framework or set of criteria against which to evaluate the effectiveness of the entity in controlling its risk of filing materially false financial information and preventing other types of fraud. The COSO Framework has filled that void.
A set of criteria is a standard against which a judgment can be made. In the United States, the internal control integrated framework published by COSO is just about the only overall set of control criteria for assessing the effectiveness of internal control over financial reporting (ICFR). Choosing an appropriate set of control criteria is a Securities and Exchange Commission (SEC) requirement for public companies when performing an assessment of the effectiveness of an entity's internal control. The American Institute of Certified Public Accountants (AICPA) auditing literature references COSO components in its guidance to auditors of nonpublic companies, so from a practical perspective, COSO is the only game in town. While there are other frameworks out there (e.g., the Criteria of Control (CoCo) framework from Canada, the Turnbull Report in the United Kingdom, and the Japanese equivalent of SOX), these are not that dissimilar to COSO in overall concept and have not gained wide acceptance outside of their home countries.
Overview of the COSO Internal Control Integrated Framework
In 1985, COSO was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. It was motivated by yet another intense period of time when financial reporting fraud and alleged audit failures were prominent in the news. Since this initial undertaking, COSO has expanded its mission to improving the quality of financial reporting. A significant part of this mission is aimed at developing guidance on internal control. In 1992, COSO published Internal Control – Integrated Framework, which established a framework for internal control and provided evaluation tools that businesses and other entities could use to evaluate their control systems.¹
The COSO internal control framework identifies five components of internal control:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
Today these remain unchanged from the 1992 Framework. That is a testament to the fundamental correctness of the COSO Framework. However, the level of detailed guidance over the years has increased due to the more recent widespread implementation of the Framework in our business environment and a desire to have more consistency in the application of COSO principles.
Holistic, Integrated View
The COSO Framework identifies five main components of internal control, and one of the keys to working with it is to understand how these components relate to and influence one another. COSO envisions these individual components as being tightly integrated in a nonlinear fashion. Each component has a relationship with, and can influence the functioning of, every other component, operating in an almost organic way.
The five interrelated components of the COSO Framework are, briefly:
1. Control environment. Senior management must set an appropriate tone at the top that positively influences the control consciousness of entity personnel. The control environment is the foundation for all other components of internal controls and provides discipline and structure.
2. Risk assessment. The entity must be aware of and deal with the financial reporting risks it faces. It must set objectives, integrated throughout its activities, so that the organization is operating in concert. Once these objectives are set, the entity is in a better position to identify the risks to achieving those objectives and to analyze and develop ways to manage them.
3. Control activities. Control policies and procedures must be established and executed to help ensure transactions being processed on a day-to-day basis, such as sales and expense transactions, or on a periodic basis, such as accruals and consolidations, are resulting in complete and accurate