Jeff Thomson: What is COSO’s role regarding the establishment of internal control frameworks?
Sandra Richtermeyer: One of the most important things to remember is that COSO is not a standard setting organization. It’s an organization with a mission focused on thought leadership. Therefore, in that capacity, our goal is to provide thought leadership on items such as enterprise risk management, internal controls and fraud deterrence, and in the spirit of designing and improving frameworks, it is used for risk management and internal control. The outcomes are aimed at improving organizational performance and governance while reducing fraud in organizations.
(Interview continues below)
JT: Why is COSO’s work relevant for management accountants and organizations in general?
SR: We have two key frameworks: the enterprise risk management framework and the integrated integral control framework. We believe these two frameworks are essential to every management accounting professional’s toolkit. Accounting and finance professionals or management accountants have the potential to be a key part of value creation and performance goals in their organizations. Management accounting professionals are key business partners in helping organizations with both short-term and long-term goals. It’s essential that they have tools like the COSO framework in their back pockets and that they understand these tools, so they can provide a solid foundation for improving performance and achieving strategic objectives.
JT: What are the major differences or changes from the 1992 landmark framework that in many ways created internal controls as a way of thinking about U.S. and even global businesses?
SR: The new framework that we’ve just released is essentially building upon what we believe is the very strong 1992 framework, but it’s updated to reflect changing and complex business environments and conditions. We have essentially codified the principles that support the five components of internal control. We’ve expanded financial reporting objectives to include both internal financial reporting and external financial reporting.
What I really like is the way we’ve highlighted four key buckets – internal financial reporting, external financial reporting, non-financial internal reporting and non-financial external reporting. We’re not just focusing on external financial reporting; that’s very important, but we need to have a strong system of internal controls and a strong internal control framework that supports all of these areas. We’ve also increased our focus on operations, compliance and reporting objectives in general.
JT: Publicly-traded companies need to attest in writing as to the effect of the internal controls over external financial reporting. Are there any changes in how these companies comply with Sarbanes Oxley section 404?
SR: Representatives from the SEC have been a part of the COSO Advisory Council from the beginning of the refresh project right through the completion. Their feedback and collaboration was very helpful. It is critical that publicly traded companies watch for any specific guidance that the SEC may issue regarding implementation timelines or general recommendations regarding the internal control integrated framework. At this point, I have not seen specific guidance related to a timeline from the SEC.
JT: How else can companies get information on how they may implement the revised framework?
SR: I believe it is really important for accounting and finance leaders in publicly traded companies to have a dialogue with their peers from other organizations to learn how they may be planning to implement the revised framework. I think the more dialogue we have about sharing practices and procedures, the more we can prevent concerns or perhaps negative reactions to change as organizations become familiar with the refreshed framework. It’s important to me (as a COSO board member) that we’ve partnered with so many different organizations in our Advisory Council during the refresh process. The Advisory Council members have been integral to the entire process, listening, giving feedback and helping make sure the 2013 framework is the best it can be.