Weaknesses in internal controls remain on regulators’ front burners. Witness J.P. Morgan agreeing to pay $920 million to settle civil claims by U.K. and U.S. regulators stemming from a breakdown in the control environment that allowed a single individual, the so-called London Whale1, to rack up $6 billion in derivative trading losses. It is noteworthy that JPM acknowledged that it had violated securities law.
Challenges to the adequacy of internal controls have been appearing in both SEC Enforcement Actions and private litigation. This trend is likely to continue. A summary of accounting class actions spotlights this trend from 2010 to 2012, and also explains that cases involving company announcements of internal control weaknesses increased to almost 45 percent of all cases settled in 2012 and were associated with higher settlements.2 Moreover, the SEC’s Division of Enforcement’s new financial reporting and accounting fraud task force will reinforce this trend.
In July 2013, the SEC announced three new initiatives to build upon its Division of Enforcement’s focus and allocation of resources on high-risk areas of the market. One of these initiatives was the creation of “The Financial Reporting and Audit Task Force”. As described by the SEC, the task force will be “dedicated to detecting fraudulent or improper financial reporting [and] will enhance the Division’s ongoing enforcement efforts related to accounting and disclosure fraud.”3 Given the almost symbiotic relationship between internal controls and fraud prevention and detection, it is likely that the task force will focus on the strength or weaknesses of the internal controls in place during its investigations and enforcement actions.
Making a timely entrance into this uncertain environment is the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) updated Internal Control – Integrated Framework (2013 Framework). Since the original Framework was released in 1992, the business environment has undergone dramatic changes. COSO’s update provides much needed clarification and guidance to meet the challenges businesses face in the second decade of the 21st century.
The increased scrutiny, along with the new 2013 Framework, signals boards of directors and their audit committees, management, and auditors to focus their attention on internal controls. With the original Framework to be superseded by December 15, 2014, there is little time to hesitate.
COSO is a committee of five sponsoring organizations, the goal of which is to be a leader in the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The committee studies the causal factors that can lead to fraudulent financial reporting, and has developed guidance in the areas of risk and control which enable good organizational governance and the reduction of fraud. In 1992, COSO published its original Framework which provided principles-based guidance for designing and implementing effective internal controls. This Framework was developed to help management achieve its organizational objectives related to operations, reporting and compliance. Since its publication, the original Framework has become the most widely used, adopted or adapted internal control framework both in the U.S. and abroad.4
COSO's new 2013 Framework retains the core definition of internal control and the five components of internal control – control environment, risk assessment, control activities, information and communication, and monitoring activities. Building on this foundation, it clarifies and provides more specific guidance for incorporating concepts that apply to 21st century business and operations. Applying a principles-based approach, the 2013 Framework establishes 17 principles categorized by internal control components. Effective internal control requires that each of the components and relevant principles be present and functioning, and that the five components are working together.
Among the significant business changes driving the update are (i) expanded external reporting beyond just financial reporting; (ii) increased anti-fraud efforts; (iii) vastly increased sources, volume, and forms of information and communication, including social media; and (iv) the expanding role of technology in business and the migration from centralized data centers to decentralized, mobile, intelligent and web-enabled technologies.
The 2013 Framework responds to these and other changes by, among other things, (i) placing more emphasis on setting objectives as a precondition to risk assessment; (ii) focusing risk assessment on articulating objectives relating to all three categories of objectives: operations, reporting, and compliance; (iii) broadening the financial reporting category of objectives to include non-financial external and internal reporting; (iv) considering fraud risk as part of a risk assessment process; and (v) discussing the impact of expectations for verifying to a source and for retention when information is used to support reporting objectives to external parties.
2013 Framework Addresses Changes in Technology
One of the most significant changes the 2013 Framework addresses is the change in the nature, breadth and use of technology in business. In 1992, the commercial Internet was in its infancy and the World Wide Web had barely been born. Research scientists and a few early adopters of CompuServe and AOL dial-up services generated in a full year roughly the amount of data that YouTube now streams in 21 seconds.
In response to this radical change, the Framework provides Principle 11 relating to Control Activities, “The organization selects and develops general control activities over technology to support the achievement of objectives.” A discussion of four related Points of Focus provides further guidance, including that management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
For the risk assessment component, Principle 8 requires the organization to consider the potential for fraud in assessing risks to the achievement of objectives. One of the Points of Focus calls on management to assess each prong of the fraud triangle: incentives and pressures; opportunity; and attitudes and rationalization.
Control Environment Defined
COSO also takes a major step in clarifying what comprises the control environment, along with providing additional guidance for establishing an effective control environment. The old adage that internal control starts with the somewhat vague term “tone at the top” is now spelled out in five basic principles. Each principle is illustrated by Points of Focus, which highlight important characteristics. For example, one of the points explains that the board’s oversight responsibility includes providing oversight for the system of internal control. The 2013 Framework then lists specific oversight activities applying to each internal control component.
Companies are not mandated to use the 2013 Framework as the basis to develop and evaluate internal controls. However, since 1992, the Integrated Framework produced by COSO has been the most commonly used “suitable, recognized control framework,” and is widely recognized for providing appropriate control criteria.5 With less than a year to implement the 2013 Framework before the original one is considered superseded, now is the moment to establish a plan of action.
A good way for a company to start planning the transition to the 2013 Framework is to review the materials COSO has available to assist users. In addition to the Executive Summary, and the Integrated Framework and Appendices itself, COSO developed two helpful publications, Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control and Internal Control over External Financial Reporting: A Compendium of Approaches and Examples. After performing initial assessments of how the 2013 Framework will impact a company, it is critical to get buy-in throughout the organization. The transition will require significant effort and cooperation from all stakeholders; they should understand the importance of thorough evaluation, documentation, and validation of components necessary to adopt the new internal control guidance.
Boards and their audit committees should educate themselves on the new requirements and monitor management’s progress. Regulators and private litigants will follow close behind. Those who embrace what the 2013 Framework has to offer will likely sleep better on the control side of their mattresses.
Michael Garcia is a manager and Sally L. Hoffman is a senior advisor with the Berdon LLP Litigation & Dispute Resolution Group. The firm has offices in Jericho and New York City.
1 The nickname given to J.P. Morgan trader Bruno Iksil who had accumulated outsized CDS (credit default swap) positions in the market.
2 Cornerstone Research, “Accounting Class Action Filings and Settlements, 2012 Review and Analysis,” at http://www.cornerstone.com.
3 July 2, 2013 Press Release: “SEC Announces Enforcement Initiatives to Combat Financial Reporting and Microcap Fraud and Enhance Risk Analysis,” available at https://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171624975.
4 See Committee of Sponsoring Organizations of the Treadway Commission, “Executive Summary,” available at http://www.coso.org/ic.htm.
5 COSO, Guidance on Internal Control: Internal Control-Integrated Framework (1992), available at http://www.coso.org/ic.htm. See also Public Company Accounting Oversight Board, “Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements,” para. 5 fn. 7, available at http://www.pcaobus.org (delineating SEC Rules that set forth a “suitable, recognized control framework (also known as control criteria)”).