CAQ seeks more transition guidance in updated internal control framework


The Center for Audit Quality (CAQ) would like the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to provide more transition guidance for users implementing COSO’s updated internal control framework.

COSO is updating its 20-year-old internal control framework to provide a fresh, modern approach with explicit advice and implementation guidance. It issued an ED of a new framework with 17 principles specifically described across the five components of internal control, plus attributes described for each principle.

The comment period for the ED ended Saturday. COSO plans to release the final framework early in 2013.

In a comment letter, the CAQ wrote that it supports COSO’s efforts to update the framework but said that without sufficient guidance on the transition from the original to the updated framework, inconsistent application and confusion could occur. The letter said that without clarity, some organizations may continue using the original framework, while others use the updated framework.

The CAQ, which is affiliated with the AICPA, encouraged COSO to work with the SEC and other regulatory agencies to consider guidance and clarification regarding the validity of the original framework following the issuance of the updated framework.

In addition, the CAQ advised COSO to provide additional considerations for how an organization should consider weaknesses in – or absence of – a principle or attribute when evaluating effectiveness. The CAQ said that including principles and attributes, including the presumption that they are present and operating effectively, could increase the complexity of the evaluation process.

The CAQ seeks more guidance and examples on the appropriate “range of acceptability” when assessing whether a principle is present and functioning effectively. And the CAQ said the two types of nonconformities described by COSO (“major” and “minor”) may not reflect the extent of variation in nonconformity that may exist. The CAQ is seeking clarification acknowledging the range of potential nonconformities and enhancements to the examples to include more background illustrating the rationale for classifying nonconformities and their effect on the organization’s assessment.

Other recommendations for COSO include:

  • Enhancing its description of Principle 11, which discusses controls over information technology. The CAQ suggested enhancing the description of attributes to include general information technology control objectives such as controls over security, change management, systems development and deployment, operations, data backup and recovery, application controls, and end-user computing.
  • Incorporating key concepts from COSO’s Guidance on Monitoring Internal Control Systems, published in 2009, some of which the CAQ said are not included in the updated framework.
  • Providing more guidance on how the principles and attributes can be applied at smaller organizations.

Ken Tysiac ( ) is a JofA senior editor.

More from the JofA:

 Find us on Facebook  |   Follow us on Twitter  |   View JofA videos


Keeping client information safe in an age of scams and security threats

A look at the Dirty Dozen tax scams and ways to protect taxpayer information.


How to create maps in Excel 2016

Microsoft Excel 2016 has two new mapping capabilities. J. Carlton Collins, CPA, demonstrates how to make masterful 2D and 3D maps in Excel 2016.


News quiz: IRS enforcement, a hot job, and audit value

The IRS’s 2016 Data Book, a “hot job” of particular interest at this time of year, and insight into how executive and audit committees view the insights from financial statement audits received attention recently. See how much you know with this short quiz.