Controls needed to successfully adopt the new COSO 2013 Framework

Posted by Guthrie Chen on June 13, 2014

By now, we have all become aware that the new COSO 2013 framework MUST be adopted by all publicly traded companies by the end of their current fiscal year. There's a great deal of material out there explaining what needs to be implemented, yet very few of those items (including the documents provided directly by COSO) explain HOW to actually make this implementation happen.

Is it just me?

Many of you may feel the same way as Gary Burns, Associate Director of Internal Audit at MannKind, does in the following statement:

"These are the things I’ve done to learn about COSO 2013:

  1. Print every article I could find on the Internet that pertained to COSO 2013. As I read the articles I highlighted areas that I thought were relevant. I found that many of these articles were just a rehash of what other articles were saying;
  2. Attended several COSO 2013 seminars and webinars put on by the “Big Four” and Protiviti;
  3. Ordered all of the materials (books and spreadsheets) published by COSO and read through them several times. Again, highlighting things that I thought were relevant to our specific implementation;
  4. Held discussions with our external auditors;
  5. Created my own COSO 2013 Implementation Plan since there were no good examples available to follow."

"What I’ve seen about Vibato’s approach to demonstrate compliance with COSO 2013: It didn’t take long to realize that all of the articles and COSO materials I’ve read only discussed WHAT is included in the new COSO 2013 framework. While this was educational, it did not give any insight into HOW to actually implement the new framework, nor HOW to document our company’s compliance with it. What really impressed me with Vibato’s new Internal Control Suite for COSO 2013 was how thoroughly Vibato incorporated the COSO 2013 framework into their new product. By using Vibato’s new Internal Control Suite for COSO 2013 it automatically generates the evidence needed to show our external auditors that we formally addressed the framework’s Objectives, Components, Principles and Points of Focus."

"Vibato took the mystery out of the COSO 2013 implementation process." -Gary Burns, MannKind Corporation

If this sounds familiar, you certainly are not alone. Many auditors at the Big Four auditing firms are just about as lost, since the implementation of this new framework will be as unique as each individual company undertaking this change.

Why Change?

Considering that the last change of this scale took place in 1992, one can imagine how much the business world in general has changed since. A major driver behind the creation of this Framework is the evolution and ubiquity of the internet over the years. Today, nearly every company has some form of online presence, ranging from a site used solely for investor relations to a means of performing the bulk of its business operations. This is a stark contrast between 1992 and 2014, so it is reasonable to ponder which risk-mitigating procedures are needed to maintain a valuable investment for stakeholders.

So What Are Some Examples?

Clearly the internet is a powerful tool in business, and there are many ways it can be used to mitigate risk. For one example, let us consider an averted catastrophe at Chobani yogurt. Recently, there was an issue with the lids of their products popping out due to bacteria cultivating inside the cup. Though no one came directly to Chobani and complained about the problem, there was a great deal of buzz on the internet, and an associate at the company was able to pick up on this early and issue a recall before any more damage was done. This is a great lesson in how to become more efficient in mitigating risks like these, and COSO would like to see more controls like this in place.

Moving on to another potential risk, imagine that one of your company buildings collapsed due to a natural disaster. What has the company done to mitigate risks like these? Would this cripple your company? Do you have adequate insurance to cover the company’s assets? How about your data back-up procedures? Is your data stored off-site, or would you lose everything in this potential disaster? COSO is very serious about safeguarding the stakeholders’ investments and will require documented procedures from companies that may be subject to such a risk.

In a final example, let’s tackle one that some executive-level employees might have an issue with: grooming individuals for succession arrangements. Whether you retire from your current position or, god forbid, you lose the ability to carry out your duties as the backbone of an organization, you will not be able to carry on forever. COSO wants to see that you have a plan in place for such instances so that the transition can be as smooth as possible when the time is right.

It’s Time to Get Serious

Whether you have made great strides in moving your implementation of the COSO 2013 Framework forward or you have only just begun, the change is coming, and we could all use a little help in polishing off the edges or even in beginning to form them.

For more examples, contact Vibato today and we will provide you with a free COSO 2013 assessment for your company and point you in the right direction.
