In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated Framework, which was originally released in 1992. The framework can benefit any company, but it’s particularly relevant for public companies required under Section 404 of the Sarbanes-Oxley Act (SOX) to file annual reports on the design and operating effectiveness of their internal controls.
The SEC will have the final word on how to apply the updated framework to comply with SOX Sec. 404. Yet COSO urges companies to “transition their applications and related documentation to the updated Framework as soon as is feasible under their particular circumstances.”
Sec. 404 requires a public company’s management and external auditors to report annually on the adequacy of internal controls over financial reporting. Smaller public companies (with a public float of less than $75 million) are exempt from this requirement.
The vast majority of public companies covered by Sec. 404 have used COSO’s original framework in designing internal controls and evaluating their effectiveness. COSO is an independent body jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).
The COSO framework is built around five interrelated components:
- Control environment. This is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment. This is a process for identifying and assessing risks related to achievement of a company’s objectives.
- Control activities. These are actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, business performance reviews and segregation of duties.
- Information and communication. This is the flow of information necessary to support the internal control function. It includes effective upstream and downstream communication within a company as well as communication with external parties such as customers, suppliers, regulators and shareholders.
- Monitoring. This is the ongoing evaluation of the internal control system’s performance over time.
In updating its framework, COSO elected not to do a major overhaul. It concluded that the basic concepts and principles underlying the original framework — including the five components — remain sound.
The framework continues to be principles-based, allowing directors and management to exercise judgment in designing, implementing and conducting internal controls that are appropriate for the company.
But while these principles were implied in the original framework, the updated framework describes the principles explicitly, making it easier for companies to apply them. (See the sidebar “COSO framework’s 17 principles of effective internal control.”) COSO also has included detailed “points of focus” to guide companies as they incorporate the principles.
Furthermore, COSO has introduced enhancements and clarifications that bring the framework into line with changes that have occurred over the past 20 years. Since 1992, business and operating environments have become more complex, more global and more technologically driven. And today’s investors and other stakeholders demand greater transparency and accountability. In response, changes to the framework include:
- A detailed discussion of the need to consider potential fraud in assessing a company’s risks,
- Greater emphasis on globalization of markets and business operations,
- Enhanced guidance on the impact of information technology on business processes and reporting,
- Details on a company’s responsibilities when it outsources to service providers, and
- Expansion beyond external financial reporting to also include nonfinancial and internal reporting.
Under the new framework, a company’s internal control system is effective only if all five components (along with the relevant principles) are both “present” and “functioning.” It’s not enough to design and implement a system that incorporates these components and principles. Your company also must ensure that they operate together in an integrated manner and “continue to exist in the conduct of the system of internal control to achieve specified objectives.”
Making the Transition
COSO’s original framework will be available during a transition period that extends to Dec. 15, 2014. After that date, COSO will consider the original framework to be superseded. Depending on your company’s facts and circumstances, making the transition to the updated framework can take time, so it’s a good idea to begin the process as soon as possible.
Start by familiarizing yourself with the 17 principles and other guidelines. Then, evaluate the current state of your internal control system and develop a plan for correcting any weaknesses.
Note that, during the transition period, COSO recommends that companies filing external reports on internal controls clearly disclose which version of the framework they’re using.
COSO Framework’s 17 Principles of Effective Internal Control
Internal control component: Control environment
- Demonstrate commitment to integrity and ethical values.
- Ensure that the board exercises oversight responsibility.
- Establish structures, reporting lines, authorities and responsibilities.
- Demonstrate commitment to a competent workforce.
- Hold people accountable.
Internal control component: Risk assessment
- Specify appropriate objectives.
- Identify and analyze risks.
- Evaluate fraud risks.
- Identify and analyze changes that could significantly affect internal controls.
Internal control component: Control activities
- Select and develop control activities that mitigate risks.
- Select and develop technology controls.
- Deploy control activities through policies and procedures.
Internal control component: Information and communication
- Use relevant, quality information to support the internal control function.
- Communicate internal control information internally.
- Communicate internal control information externally.
Internal control component: Monitoring
- Perform ongoing or periodic evaluations of internal controls (or a combination of the two).
- Communicate internal control deficiencies.