An exposure draft released Monday by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) seeks comments on an updated internal control framework designed to help organizations perform with more agility and confidence.
COSO set out to update its nearly 20-year-old framework for new technology demands and capabilities, in addition to globalization. COSO also wanted to provide greater clarity on how to design and maintain an effective system of internal control. It worked with framework author PwC to update the original internal control framework to adapt to increasing complexity, mitigate risks and support sound decision making.
The updated framework doesn’t change core objectives or definitions, but explicitly specifies 17 guiding principles divided among the five components of internal control that were put into place with the initial framework in 1992.
The reporting objective is expanded. The 1992 framework dealt mostly with published financial statements, said COSO Chairman David L. Landsittel. The new ED provides separate guidance for internal and external reporting and recognizes that much information is reported externally that goes far beyond what’s contained in published financial statements.
The final framework is scheduled for release in the fall of 2012.
“The key concepts proposed in our original framework are timeless, yet the changes we have seen in the business and operating environments have driven the need for this update,” Landsittel said in a statement. “This update should allow organizations to more effectively utilize the framework to develop and maintain systems of internal control in support of their long-term success.”
The definitions of internal control and objectives of the framework have not changed. Internal control is defined as a process designed to provide reasonable assurance regarding three objectives: effectiveness and efficiency of operations, reliable reporting, and compliance with laws and regulations.
The original five components of the framework—control environment, risk assessment, control activities, information and communications, and monitoring—also have remained the same. But the updated framework provides a total of 17 principles across those five components to build on the concepts that COSO contributors believe proved useful in the original version.
The principles are designed to clarify the requirements for an effective system of internal control with the goal of helping companies design and operate proper procedures. Future application guidance will use real-life examples to help users scale the framework to entities of any size, whether public or private, profit or nonprofit.
While the context of the framework has been changed to recognize changes in governance, technology and complexity related to globalization and evolving business models, Landsittel said the proposed framework avoids extensive references to particular technologies and instead provides generalized guidance.
“The framework’s still … principles based and our desire to have it timeless is such that we don’t get so specific that it dates the framework or becomes prescriptive in too narrow a way,” Landsittel said. “So for example, cloud computing is really hot today. We don’t want to overstate that and then have somebody say 10 years from now that you can tell it was written in 2011 because that was the era of cloud computing.”
COSO is a private sector initiative jointly funded by the AICPA, the American Accounting Association, Financial Executives International, the Institute of Management Accountants and The Institute of Internal Auditors. The initiative’s mission is to improve organizational performance and oversight and reduce fraud through development of comprehensive frameworks and guidance on internal control, enterprise risk management and fraud deterrence.
The AICPA will offer resources to help members understand the proposal, including a Jan. 31 webcast co-hosted with The Institute of Internal Auditors.
What follows is more on the five components of the COSO Internal Control framework:
Control Environment
This is the foundation for all other components of internal control, providing discipline, process and structure as established by the board and senior management. There are five principles relating to control environment:
- Commitment to integrity and ethics.
- Oversight for internal control by the board of directors, independent of management.
- Structures, reporting lines and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board.
- A commitment to attract, develop and retain competent individuals in alignment with objectives.
- Holding individuals accountable for their internal control responsibilities in pursuit of objectives.
Risk Assessment
The basis for how risks should be managed involves a dynamic process. Management must consider possible changes in the external environment and within the business that may be obstacles to its objectives. There are four principles of risk assessment:
- Specifying objectives clearly enough for risks to be identified and assessed.
- Identifying and analyzing risks in order to determine how they should be managed.
- Considering the potential of fraud.
- Identifying and assessing changes that could significantly impact the system of internal control.
Control Activities
These are established to help ensure management’s directives to mitigate risks get carried out. Control activities are performed at all levels and at various stages within the business process and over technology. There are three principles of control activities:
- Selecting and developing controls that help mitigate risks to an acceptable level.
- Selecting and developing general control activities over technology.
- Deploying control activities as specified in policies and relevant procedures.
Information and Communication
Communication must occur internally and externally to provide information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities. There are three principles relating to information and communication:
- Obtaining or generating relevant, high-quality information to support internal control.
- Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control.
- Communicating relevant internal control matters to external parties.
Monitoring Activities
Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board. There are two principles relating to monitoring activities:
- Selecting, developing and performing ongoing or separate evaluations of the components of internal control.
- Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate.