As has become a custom for Financial Executives International, we present the top challenges for financial executives for 2013. It is obvious the role of the senior-level financial executive is key in helping organizations meet their challenges. Our top areas identified are listed in alphabetical order:
COSO's Updated Internal Control Framework
In December 2012, FEI's Working Group on COSO filed its comment letter on the Committee of Sponsoring Organizations of the Treadway Commission's suite of three Exposure Drafts (EDs) updating COSO's landmark Internal Control-Integrated Framework. FEI is one of the five founding member organizations of COSO.
The COSO framework, originally published in 1992, was due for a "refresh" to reflect changes in the business environment, particularly in information technology. Additionally, over the past 20 years, COSO has increasingly become the "go-to" internal control framework, in the U.S. and in numerous countries abroad, as a result of being cited in regulations of the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board for purposes of implementing Sarbanes-Oxley Section 404 on internal control reporting by public companies, as well as being cited in certain American Institute of Certified Public Accountants literature for certain internal control-related engagements for private companies.
FEI's letter acknowledged COSO's refresh of the internal control framework, but questioned whether the EDs went beyond a refresh. Also, the letter questioned whether the 17 "principles" and 81 "attributes" or "points of focus" identified in the EDs could encourage too much of a checklist approach and significantly change the way the effectiveness of internal control over external financial reporting is determined, which could unduly harm companies that have not experienced any change in their underlying internal controls.
Similar to the experience with Sarbanes-Oxley, this is something members should focus on when the new guidance is issued in early 2013, rather than waiting until the final implementation date. If implementation issues are identified, members may be able to assist each other and raise issues with the audit community and within COSO.
No matter how worried the top management team is about information security, it isn't worried enough. The team should be terrified for at least two reasons: any system connected to the Internet can be breached by attackers; and cyber-attacks could destroy the company.
What started as aggravating hacking by kids and disgruntled insiders has now expanded to vicious and plundering attacks by organized crime, fierce competitors and rogue nations. The number of attackers is increasing quickly, and the losses due to their attacks are soaring. The 2011 Norton Cybercrime Report estimated global losses of $400 billion a year, with one million victims a day.
Virtually all information is valuable to somebody besides its owner, whether it is internal data, such as bank accounts or new product designs, or external data, such as credit card numbers. The larger the company, the larger the loss, and the more it would be worth the time and resources required to crack its defenses.
Cyberattackers look for the easy hits, so companies with robust defenses aren't often worth the trouble. But security breaches are now so...