The AICPA is suggesting changes to the proposed, updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
In a comment letter, the AICPA wrote that the framework will be a valuable resource for practitioners. But the AICPA also described concerns, some of which are similar to those mentioned in the comment letter of the Center for Audit Quality (CAQ), which is affiliated with the AICPA. One concern focuses on how an organization should consider the “ranges of acceptability” that the updated framework describes for principles that are present and functioning.
Other points raised in the AICPA letter include:
- Requested that in its introduction, COSO state that controls such as process activities, policies, and procedures exist across all five components of the framework rather than just the “control activity” component.
- Asked COSO to tie together concepts such as reasonable assurance; range of acceptability; and reducing risk of not achieving an objective to an acceptable level; and provide examples of those concepts.
- Wrote that providing examples of “major” non-conformity and “minor” non-conformity would help users better apply judgment in their own evaluations.
COSO’s 20-year-old internal control framework is being updated with explicit advice and implementation guidance to provide a fresh, modern approach. The ED of the new framework includes 17 principles specifically described across the five components of internal control, with attributes described for each principle.
COSO expects to issue an ED draft of its Internal Control over External Financial Reporting Approaches and Examples in June. The final framework, along with a practice aid and the external financial reporting approaches are scheduled to be released early in 2013. The comment period on the updated internal control framework ended Saturday.
The AICPA recommended a few changes in specific principles in the updated framework, including a request that Principle 8, which focuses on fraud, be extended to include potential errors, bias, and abuses. Failing that, the AICPA requested that an additional principle be created to address those areas.
In addition, the AICPA wrote that the updated framework may not contain enough perspective for smaller companies with regard to how the components and principles apply to their circumstances.
Like the CAQ, the AICPA wrote that the inclusion of principles and attributes in the framework could increase the complexity of internal control evaluation processes. The AICPA, like the CAQ, suggested that COSO provide additional guidance on how an organization should consider weaknesses in or absence of a principle or attribute when evaluating the effectiveness of internal control.
In addition, the AICPA asks for transition guidance for users from the original framework to the updated framework, as the CAQ did.
COSO is a joint initiative of five private sponsoring organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The AICPA is one of the sponsoring organizations.
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.