Weak Risk Management Leads to Internal Controls Deficiencies
Steven Minsky | Sep. 17, 2015
Jeanette Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), recently spoke at the American Accounting Association (AAA), according to The Wall Street Journal. She says audit-oversight inspections show a twenty percent increase (since 2013) in internal-control deficiencies of company audits. Inspections also indicate that 36 percent of company audits now have internal-control deficiencies, which constitutes a threefold increase from five years ago.
Franzel indicated that inadequate internal controls are the source of the most frequent problems addressed by the PCAOB. Even more concerning, more than 80 percent of restatements in 2014 came from organizations that simultaneously reported effective internal controls. This troubling trend indicates that not only do these companies have material deficiencies, but they’re either not disclosing them or are unaware of them to begin with. As a result of this trend, the PCAOB is increasingly zeroing in on internal controls.
How do the 2013 changes to the COSO framework relate to this issue?
In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), updated their common internal control model with the goal of adopting an increasingly risk-based approach to internal control environments. COSO revamped these safeguards, which hadn’t been altered since 1992, in an effort to streamline and reduce costs associated with ICFR compliance. To learn more about these changes, read our blog post, “A Quick Guide to COSO Internal Controls 2013 Changes.”
COSO 2013 specifically outlines that assertions and risks must be linked to financial line items. Controls are mapped to financial line items, assertions, and risks so that their effectiveness can be evaluated. This requires collaboration between finance, compliance, and audit departments.
Many organizations, however, skip this risk exercise and simply document controls and perform tests to prove that they are being performed. Controls cannot be evaluated in isolation of the risks, financial line items, and assertions being connected. This is the root cause of the problem; the PCAOB and SEC are now considering this shortcut to be negligence, and are stepping up their inspections.
While there is no strict deadline by which companies need to transfer to the 2013 framework, the risk-based approach promoted by COSO enables faster identification of deficiencies in internal control environments. Instead of treating all controls as equal and separate, the new framework asks organizations to complete a risk assessment in order to distinguish material weaknesses from superficial ones. Additionally, adoption delays will undoubtedly increase the level of scrutiny coming from both the SEC and investors.
As required by COSO 2013, assessments prioritize which internal controls need review, and how frequently. Further risk assessments give clear guidance as long as the controls are not only documented, but effective. Controls must evolve as the risks evolve.