CFOs have had to certify their company’s internal controls for nearly a decade, putting their professional and personal well-being on the line every time they sign a 10-K. The work hasn’t gotten any easier as internal-control risks continue to increase.
Forthcoming guidance from COSO (the Committee on Sponsoring Organizations) may help executives who sign off on internal controls keep with the times. However, CFOs will continue to make missteps even if they religiously follow the guidelines, since they lack real-world examples. As we like to say in Colorado, “there’s no silver bullet.” If you follow everything in COSO’s exposure draft released in December, there is no guarantee that your company’s system of internal controls will be effective. This is especially true of the proposal’s guidelines for companies on how to perform risk assessments of their internal controls.
Still, management will likely find the new guidance more up-to-date. CFOs have until the end of March to comment on COSO’s refresh of its 1992 Internal Control – Integrated Framework (IC-IF). A key driver for the refresh project is the dramatic change in the business environment since the original IC-IF was issued. Increased business complexity, globalization of markets, regulatory mandates, and more enterprise risk factors have put greater pressure on companies to develop and implement an effective system of internal controls.
How the Framework Will Change
The basic structure of the framework is unchanged, including the definition of internal control. COSO still believes it is made up of five components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. And the standard-setter is still stressing the need for management’s judgment for creating and assessing an effective system. But now there’s an expectation on management to consider additional factors when making assessments, including changes in business models and the ability of the organization to implement broader controls to strengthen its internal-control system and prevent fraud. The guidance is more relevant and useful in today’s reporting environment than the original IC-IF.
The IC-IF draft’s risk-assessment guidance is something CFOs can use to mitigate their organizations’ risk of fraud and financial-reporting misstatements. This component, coupled with a company’s overall risk-management strategy, can address CFOs’ expanded responsibility for internal controls. For example, say a U.S. company that historically focused only on U.S. markets decided to expand internationally. During the assessment of its expansion strategy, the company identified incremental financial and operational risks to its base business, such as cultural differences and corruption in the foreign markets. The CFO’s team can assess and address these factors with enhanced internal-control procedures.
The guidance defines four principles to follow when conducting a risk assessment of internal controls: 1) specific relevant objectives, 2) identification and assessment of risk,
3) the identification and assessment of significant changes, and 4) the assessment of fraud risk. However, without a risk-management system in place, an organization will be unlikely to effectively achieve these objectives because internal controls cannot operate in a vacuum: they must be linked to the organization’s risk-management processes. This is one of many incentives for CFOs to become actively involved in the overall risk-management strategy in their organizations if they haven’t already.
How the Framework Will Be Implemented
Internal-control assessments are accurate only for companies that have a fully developed risk-management process. Several of COSO’s recent projects have emphasized risk management through the lens of an enterprise risk-management system and stress the need to link risk management to corporate strategy and the board of directors’ objectives. COSO’s thought leadership series provides valuable information about understanding risk management and how to leverage ERM to manage, mitigate, and measure risk in an organization. Once an organization has adequately developed risk-management processes, it is well positioned to define and implement internal controls that address risk.
It is still unclear how companies will implement the new guidance. The Securities and Exchange Commission, which blessed but did not require the use of the original IC-IF, will need to provide a transition plan. And companies will have to come up with their own examples after COSO finalizes the guidance, which could happen by the end of 2012. As written, the examples in the refresh draft are high level and do not provide the adequate “how-to” that is particularly helpful for small-cap companies with limited resources. This is where CFOs can help. Who is better qualified to comment on the report and its impact on internal-control risk than the finance executives who are on their organization’s internal-control front line?
Kristine Brands, CMA, is an assistant professor at Regis University in Colorado Springs, Colorado. She is also a member of the Institute of Management Accountants Global Board of Directors.