COSO 2013: "dream team" shares implementation advice.


A CFRI panel described by moderator John Neuman, global financial accounting director, Dow Chemical Company, as a 'dream team' of COSO 2013 implementation, reviewed key topics including the impact of the updated internal control framework on Sarbanes-Oxley Section 404 assertions, such as the determination of material weaknesses, common implementation 'gaps' identified by auditors, and implications for outsourced service providers.

Panelists Ray Purcell, director financial controls, Pfizer, and Steve Forrest, assistant controller, Raytheon Company, shared key learnings from their companies' respective COSO implementation.

Purcell, who chaired FEI's Working Group on COSO and served on COSO's advisory task force that oversaw development of the updated framework, said, "I think COSO largely achieved their goal," with the update to the 1992 framework being an opportunity to review controls and make improvements.

Purcell said COSO sought feedback from constituents and decided an update to the original framework was warranted, rather than starting with a blank page. "The important thing is, throughout, the PwC team [that drafted the new guidance, under the oversight of the COSO board and advisory task force], along with the advisory team and board, focused on maintaining management's role in the process of selecting controls and evaluating deficiencies."

What's changed?

"In order to have an effective system of internal control," emphasized Purcell, "you have to have all [17] principles--that is one very important ramification of the change to a principles-based model."

Areas that received additional emphasis in COSO 2013, said Purcell, included:

* Outsourcing

* The role of the corporate board

*Control environment

* Element of fraud as an express component of risk assessment

* Updated discussion of IT and information/communication

Sarbanes-Oxley Reporting

COSO's definition for effective internal control, according to the updated framework, requires that each of the five components of internal control (carried forward from the 1992 framework) are present and functioning, as well as the 17 principles articulated in the 2013 framework.

Even if none of the principles, in isolation, have a major deficiency, said Purcell, it is important to consider if in the aggregate, there is any pervasive issue or theme that raises a concern relating back to one of the principles or components. In that case, consideration should be given to whether there is a...

To continue reading