COSO 2013: implications for fraud

If they haven’t already, boards and C-suite executives at publicly held companies must immediately revisit how effective they are at preventing fraud or ensuring its early detection. That’s the word from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which marked its 20th anniversary last year with the release of COSO 2013, an update of the original 1992 COSO Framework for internal controls that firms need to implement by December 2014.

Rooting out fraud was a key goal of the original framework, but now the directive to constantly monitor and assess risk is explicitly stated in two of the new framework’s 17 principles. Collectively, the principles are meant to remind boards and senior management that the framework is about much more than mere compliance with Sarbanes-Oxley (SOX), which first brought the framework to the attention of boards, audit committees and management. The new principles also acknowledge the extent to which companies have changed the way they conduct business over the past 20 years in such areas as working with outside vendors and relying on the internet and social media.

Unfortunately, many executives say the importance of fraud detection and prevention – along with some other goals of the original framework – was ‘lost in translation’ precisely because of the corporate world’s inordinate preoccupation with SOX.

‘There are greater expectations of boards and the C-suite regarding fraud identification,’ observes J Stephen McNally, finance director and controller for the Campbell Soup Company. ‘The SEC is keeping a very close eye on this transition to COSO 2013, so there can be no skating around the issue.’

Entity-level commitment

‘COSO 2013 places greater emphasis on entity-level controls, not simply activity-level controls – the focus until now – where management must demonstrate involvement in ethics and compliance programs, emphasizing its commitment to all employees
and the board,’ says Elliott Fisch, president and founder of Corporate Directives, a new Los Angeles-based consulting firm specializing in corporate compliance, governance, auditing and controls issues.

Fisch says the board should be required to attend the company’s ethics and compliance training program and certify its understanding of the program as part of its entity-level commitment – something that isn’t currently required. This would give directors a better grasp of what the company has put in place and demonstrate their support of it.

More immediately, companies are identifying gaps between their current internal and external controls programs and what’s required by COSO 2013. Three clients of Washington-based Global Governance Consulting recently reviewed their compliance and controls processes, including codes of conduct, says Susan Wolf, the company’s CEO. Two determined that their processes needed no refinements, while the third added quarterly presentations from the internal audit, compliance and SOX teams for its general counsel and CFO.

Firms such as Campbell’s are jazzed about implementation, claiming to be ahead of this compliance curve. McNally has posted a paper on COSO’s website detailing a five-step approach companies can take to transition to COSO 2013, including conducting a preliminary impact assessment, facilitating board awareness, training and comprehensive assessment, developing and executing a COSO transition plan for SOX compliance, and driving continuous improvement.

In June, the Financial Executives Research Foundation (FERF), part of FEI, and RR Donnelley, released ‘Impact of the 2013 COSO framework’, a white paper that concludes that companies with aggressive, proactive control systems and environments will only have to tweak their controls systems to comply with the new framework, while others may have to provide much more documentation of their controls.

Compliance priorities

Companies shooting for optimal compliance with COSO 2013 will spend most of their time on the components of control environment, risk assessment, information and communication, and monitoring activities, PwC partner Charles Harris explains in the FERF/ Donnelley white paper.

‘Companies have a fairly mature system around control activities because of SOX... but perhaps less so with respect to these other components of internal control,’ he writes. The white paper spends little time on fraud, explaining that many companies seem to be on top of their fraud controls.

Separately, in July FEI and Donnelley offered a webinar on COSO 2013 implementation that drew roughly 80 executives. A survey of these executives conducted by FEI and Donnelley after the webinar suggests many companies are not dissatisfied with the internal and external controls they have in place. Forty-two percent of respondents say they don’t plan to add new controls to comply with COSO 2013, while 34.7 percent expect to add four or more controls.

Asked which issue they are putting most effort into, 36 percent say control activities, 30 percent say control environments and 25 percent cite risk assessment, the area under which fraud prevention and detection fall. Just 2.5 percent are spending time on information and communication, and 6 percent say they are focusing on monitoring activities.

‘None of the accounting firms thought fraud was a key issue to focus on during the transition,’ says John Truzzolino, director of business development for Donnelley’s ActiveDisclosure system. ‘CFOs thought SOX 404 compliance was enough.’

Applying the framework

But some accounting executives worry about companies falling through the cracks, especially smaller ones less concerned with governance. Others say they’re implementing the framework, but with SOX compliance as the primary objective. ‘We’re not reinventing the wheel,’ says one chief audit executive. Others say outside accounting companies may not be aggressive enough in pushing COSO 2013 implementation.

Justin Snell, a director at accounting firm Bennett Thrasher in Atlanta, says some C-suite executives may gloss over the framework with their boards: ‘Management has to fight the tendency to say, We’re already doing it; we’ve got the 17 principles covered. Do we have fraud risk assessment? Yes, check the box.’ He urges senior managers and directors to ask tough questions on the quality of implementation.

When given a little flexibility, companies tend to relax vigilance, according to Fisch. He cites his concern in 2007 when the PCAOB abandoned AS2, which required detailed internal controls reporting exclusively by the company’s external auditor, instead allowing internal controls reporting by a company’s own internal auditor or a third party other than its external auditor.

‘The [new] AS5 guidelines allowed less detailed – and less costly – documentation of internal controls but also provided some leeway, creating some laxity with control issues,’ Fisch says.

Clearly there’s a need for more top-down ownership of fraud controls, says FEI president and CEO Marie Hollein. ‘A few years ago we looked at 10 years of SEC fraud-related cases and found that 89 percent of the CEOs and CFOs were implicated. That further demonstrates how crucial tone at the top is – and will continue to be.’