COSO Report Card: How Companies Are Measuring Up


The practice of accounting is orderly, measured, and demands the highest levels of precision and accuracy. The new COSO framework, however, is somewhat the opposite. First announced in 2013 and still under adoption by some, it’s more interpretative than specific, more qualitative than quantitative.

True, the new version gives companies the ability to map internal controls to 17 newly codified principles. But organizations looking for strict, by-the-numbers guidance on fulfilling COSO to the letter won’t find it. Instead, they’re finding that fulfilling the spirit of COSO means relying on their own good judgment, along with the help of their auditors.

Bob Hirth, current COSO chair and a former senior managing director for Protiviti, notes that COSO 2013 adoption is strong, at nearly 80 percent currently. Even so, public companies and auditors face the challenge of satisfying the framework’s still-evolving interpretations. Hirth expects that what he calls “generally accepted COSO documentation” will emerge at some point in the future. But for now, he says, “Questions about completeness of controls really come down to ‘How much is enough?’” These questions apply in a number of areas:


The SEC wants to see a “suitable” framework in place for financial controls, and it considers the new COSO suitable, but it stopped short of mandating any new framework through a rule-making decision. Although the SEC hasn’t set a deadline, Hirth feels that any company that hasn’t transitioned by the end of 2015 should expect tougher questioning on risk assessment and controls from the SEC.


Control precision gets to the essence of control quality, and plays into principles such as those supporting the risk assessment category. There’s plenty of gray area in determining what level of precision is enough for any given direct or indirect control.

“Say you’ve got a $40 million balance on your financial statement,” says Hirth. “To check that balance for accuracy, a mid-size company might feel it’s sufficient for management to have a meeting and review the balance for reasonableness.

“But that might not satisfy the auditor, who feels that the $40 million is of material importance because of the size of the company. So you may have to dig deeper to get the auditor’s approval – to validate and test some of the transactions that went into that number.”


The new framework references outsourcing in a number of areas, noting specifically that a public company should maintain as much responsibility for outsourcer controls as for its own safeguards.

“The reporting convention was you’d be satisfied with the outsourcing entity’s SOC reports,” says Hirth. “Not any more – just getting SOC reports doesn’t relieve you of responsibility.”

It’s now the outsourcing user’s responsibility to test the outsourced product – say an investment management report – for reasonableness. “The SOC reports tell you about the vendor’s controls,” says Hirth, “but it’s up to your management to test the product you’re getting and ask questions if necessary.”


One of the new framework’s 17 principles deals specifically with identifying and analyzing any risks of fraud that may exist. The principle and its four points-of-focus are clear, but they don’t include step-by-step instructions. As with the other COSO elements, it’s up to the company, although fraud risk assessment is another area where Hirth expects efforts will eventually coalesce around some common solutions.

“Fraud risk assessment efforts vary,” he says. “For some, it might just mean completing a memorandum concerning management’s thinking. For others, it might mean holding regular meetings throughout the organization so people who are involved in financial reporting can understand the risks of fraud and can take preventive measures.”


Hirth says that the new framework’s expectations are higher than the old, in part because the advent of technology makes it possible for companies to see their financial processes more clearly, and to safeguard them more effectively. Various software tools help companies map their internal controls to the principles and their supporting points-of-focus. And process automation helps companies standardize financial reporting tasks. Automation can reduce human error and help prevent fraudulent review-approver relationships.

Hirth notes that companies should fully engage with their auditing firms for help in implementing and carrying out their COSO adoption.

“The auditors pay close attention to the Public Company Accounting Oversight Board, and the PCAOB will be determining what’s working and what’s not as they gain more experience overseeing framework adoptions,” he says.

“For one thing, the auditor can be a great help with setting expectations for entity information baselines, something that’s important because it determines the quality of subsequent controls and testing information.

“And even though companies may see a slight increase in deficiencies from their auditors, that’s to be expected with any new program. Just think of it as a bump along the road to getting the most out of the new framework.”