Jeanette Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), recently spoke at the American Accounting Association (AAA), according to The Wall Street Journal. She says audit-oversight inspections show a twenty percent increase (since 2013) in internal-control deficiencies of company audits. Inspections also indicate that 36 percent of company audits now have internal-control deficiencies, which constitutes a threefold increase from five years ago.

Franzel indicated that inadequate internal controls are the source of the most frequent problems addressed by the PCAOB. Even more concerning, more than 80 percent of restatements in 2014 came from organizations that simultaneously reported effective internal controls. This troubling trend indicates that not only do these companies have material deficiencies, but they’re either not disclosing them or are unaware of them to begin with. As a result of this trend, the PCAOB is increasingly zeroing in on internal controls.

How do the 2013 changes to the COSO framework relate to this issue?

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its common internal control model with the goal of adopting an increasingly risk-based approach to internal control environments. COSO revamped these safeguards, which hadn’t been altered since 1992, in an effort to streamline and reduce costs associated with ICFR compliance. To learn more about these changes, read our blog post, “A Quick Guide to COSO Internal Controls 2013 Changes.”

COSO 2013 specifically outlines that assertions and risks must be linked to financial line items. Controls are mapped to financial line items, assertions, and risks so that their effectiveness can be evaluated. This requires collaboration between finance, compliance, and audit departments.

Many organizations, however, skip this risk exercise and simply document controls and perform tests to prove that they are being performed. Controls cannot be evaluated in isolation from the risks, financial line items, and assertions to which they are connected. This is the root cause of the problem; the PCAOB and SEC are now considering this shortcut to be negligence, and are stepping up their inspections.

While there is no strict deadline by which companies need to transfer to the 2013 framework, the risk-based approach promoted by COSO enables faster identification of deficiencies in internal control environments. Instead of treating all controls as equal and separate, the new framework asks organizations to complete a risk assessment in order to distinguish material weaknesses from superficial ones. Additionally, adoption delays will undoubtedly increase the level of scrutiny coming from both the SEC and investors.

As required by COSO 2013, assessments prioritize which internal controls need review, and how frequently. Further risk assessments give clear guidance as long as the controls are not only documented, but effective. Controls must evolve as the risks evolve.


Learn more about how LogicManager’s risk-based approach to SOX compliance can help your organization identify key controls and prioritize resources, while staying up-to-date with the evolving requirements of the SEC and PCAOB. Then, download our eBook, “5 Characteristics of the Best ERM Programs,” to learn more about adopting a risk-based approach at your organization.



Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.



  • I completely disagree!  Weak internal controls and a lack of accountability lead to control failures.  Read How COSO destroyed Risk Management!  This is a travesty that should not be acceptable nor ignored.  COSO has irreparably damaged the reputation and practice of risk management.  COSO is NOT an Enterprise Risk program.  It is an internal controls program which is a minor part of risk management.  COSO was designed by auditors.  Let's look at how effective external auditors have been in performing their jobs.  Here are just a few examples of audit failure:

    COSO has used risk management as the scapegoat of their failure and risk managers should not accept this claim.  It is clear that audit has failed and risk management must step up to the role that it deserves.  leadership not subservient clean up of poor COSO practice.  

    Here is something that every risk manager must learn and understand:  Risk management is the only business discipline that has its roots in the halls of Nobel Prize winners.  Not audit, compliance or accounting!  Risk management is an outgrowth of economic theory and has scientific relevance.  Not audit, compliance or accounting!  Risk management is founded on the principles of mathematics and scientific research.  Again not audit, compliance or accounting!  

    COSO is to blame for its own failures and no one else!  Here is a challenge for anyone who disagrees.  Define in quantitative terms how COSO has improved or added value to an organization's bottom line?  Adding value is defined as tangible monetary, stock value, or other measurable benefit above and beyond the costs of external audit fees.  What real life measurable change can COSO point to where industries derived competitive advantage?  What change in corporate failure and decline in fraud or accounting malfeasance can COSO point to, in measurable terms?  

    Instead of COSO lecturing risk management, risk managers should be asking "Where's the Beef COSO?"

