FOLLOWING the enactment of the Securities Act, 2016, one of the remaining areas of concern was that there was no framework to help users and practitioners implement the requirements of sections 146, 147 and 149 of the Act.
The Securities and Exchange Commission (SEC) responded by putting together a working group to prepare such a framework, culminating in the issue of the Securities (Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines, 2019 (the "Guidelines") on July 1, 2019.
The Guidelines prescribe the tools that practitioners and entities will employ to comply with the requirements of those sections of the Act. They also lay out a transition period of just over five years, so that entities have sufficient time to bring their internal control environment to maturity.
Starting in the first quarter of 2020, therefore, the first year of the five-year transition begins. Listed and quoted companies and other issuers of registered securities, in addition to having their financial statements audited for the financial year just ended, have the further responsibility of preparing an Internal Control Gap report to be submitted to the SEC.
The goal for the first year is to ensure that companies understand the weaknesses in their internal control environment and have initiated remedial action, and that they have identified their key business processes and activities and the key controls within those processes.
The Gap report will analyse the existing internal control framework and document an assessment of the design effectiveness of the key controls. At the same time, the Board of Directors is expected to receive regular reports on the progress made towards full implementation.
A key implementation question arising from this process is why the Guidelines have deliberately not required a specific internal control framework. It should be noted, however, that the Guidelines specifically mention the Internal Control – Integrated Framework of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), a principles-based model that structures the understanding of, and thinking about, internal controls in an entity, as an example of an internal control framework without mandating it.
There were two reasons for this. One was cost and the other was proportionality. A framework such as COSO that comes without implementation guidance may be costly and complex for smaller companies to implement, so proportionality becomes imperative.
It must be accepted, however, that the popularity of COSO, and the fact that COSO has kept pace with changing times, has left most other internal control frameworks in its shadow, so it is likely that many entities will default to COSO as their selected framework.
Having addressed that issue, the second question is what alternative internal control frameworks are available that meet the SEC's criterion of enabling an appropriate conclusion on the effectiveness of internal controls over financial reporting.
There are a number of good alternative internal control frameworks, notwithstanding that the most popular is COSO. There are also frameworks specifically suited to the IT environment, which are highlighted later in this article.
First, there is the Criteria of Control (CoCo) framework of the Canadian Criteria of Control Board, which is second in popularity to COSO.
CoCo was developed by what is now CPA Canada and sets out 20 control criteria that management can use to manage company performance and improve decision-making. The criteria are grouped under four headings: purpose, commitment, capability, and monitoring and learning.
Second is Internal Control and Financial Reporting, issued in 1994 as guidance for directors of listed companies in the United Kingdom, which was for a long time a global internal control model.
That guidance, however, largely adopts the criteria set out by COSO, so it was not so much a departure from COSO as an attempt to domesticate it. It has since underpinned the development of the London Stock Exchange corporate governance rules.
For frameworks particularly suited to an IT environment, there is Electronic Systems Assurance and Control (eSAC), issued by the Institute of Internal Auditors Research Foundation. It identifies important information technologies and the specific risks associated with each, recommends controls to mitigate those risks, and suggests audit procedures to validate the existence and effectiveness of those controls. Both internal and external auditors use it as a guide to controls over IT and to the auditing of computer-based applications.
Another IT-specific framework is Control Objectives for Information and Related Technology (COBIT), issued by ISACA (the Information Systems Audit and Control Association) to facilitate IT governance and management. It was designed as a supporting tool for managers, bridging the gap between technical issues, business risks and control requirements.
COBIT has four main domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring and evaluation. Its components are the framework itself; process descriptions, covering the planning, building, running and monitoring of all IT processes; control objectives, a list of requirements for the management of effective IT business controls; maturity models, which assess the maturity and capability of every process; and management guidelines.
In conclusion, entities that have implemented enterprise risk management (ERM) frameworks such as the OCEG Red Book, the FERMA Risk Management Standard, BS 31100 Code of Practice for Risk Management, or ISO 31000 Risk Management – Principles and Guidelines on Implementation will be looking to select an internal control framework to supplement those tools.
Those that have implemented the COSO Enterprise Risk Management – Integrated Framework, however, will find it a natural progression to select the COSO internal control framework.
About the Author: Kelvin Chungu is a Partner at Nolands Zambia. He can be contacted on email@example.com or on +260976-377484.