Manage Tomorrow's Surprises Today

Steven Minsky

Weak Risk Management Leads to Internal Controls Deficiencies

Jeanette Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), recently spoke at the American Accounting Association (AAA), according to The Wall Street Journal. She says audit-oversight inspections show a twenty percent increase (since 2013) in internal-control deficiencies of company audits. Inspections also indicate that 36 percent of company audits now have internal-control deficiencies, which constitutes a threefold increase from five years ago.

Franzel indicated that inadequate internal controls are the source of the most frequent problems addressed by the PCAOB. Even more concerning, more than 80 percent of restatements in 2014 came from organizations that simultaneously reported effective internal controls. This troubling trend indicates that not only do these companies have material deficiencies, but they're either not disclosing them or are unaware of them to begin with. As a result of this trend, the PCAOB is increasingly zeroing in on internal controls.

How do the 2013 changes to the COSO framework relate to this issue?

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its common internal control model with the goal of adopting an increasingly risk-based approach to internal control environments. COSO revamped these safeguards, which hadn't been altered since 1992, in an effort to streamline and reduce the costs associated with ICFR compliance. To learn more about these changes, read our blog post, "A Quick Guide to COSO Internal Controls 2013 Changes."

COSO 2013 specifically outlines that assertions and risks must be linked to financial line items. Controls are mapped to financial line items, assertions, and risks so that their effectiveness can be evaluated. This requires collaboration between finance, compliance, and audit departments.

Many organizations, however, skip this risk exercise and simply document controls and perform tests to prove that they are being performed. Controls cannot be evaluated in isolation from the risks, financial line items, and assertions to which they are connected. This is the root cause of the problem; the PCAOB and SEC now consider this shortcut to be negligence, and are stepping up their inspections.

While there is no strict deadline by which companies need to transition to the 2013 framework, the risk-based approach promoted by COSO enables faster identification of deficiencies in internal control environments. Instead of treating all controls as equal and separate, the new framework asks organizations to complete a risk assessment in order to distinguish material weaknesses from superficial ones. Additionally, adoption delays will undoubtedly increase the level of scrutiny coming from both the SEC and investors.

As required by COSO 2013, these assessments prioritize which internal controls need review, and how frequently. Further risk assessments give clear guidance as long as the controls are not only documented, but effective. Controls must evolve as the risks evolve.

Learn more about how LogicManager's risk-based approach to SOX compliance can help your organization identify key controls and prioritize resources, while staying up-to-date with the evolving requirements of the SEC and PCAOB. Then, download our eBook, "5 Characteristics of the Best ERM Programs," to learn more about adopting a risk-based approach at your organization.

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.