AICPA seeks some changes to COSO’s updated framework proposal


The AICPA is suggesting changes to the proposed, updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

In a comment letter, the AICPA wrote that the framework will be a valuable resource for practitioners. But the AICPA also described concerns, some of which are similar to those mentioned in the comment letter of the Center for Audit Quality (CAQ), which is affiliated with the AICPA. One concern focuses on how an organization should consider the “ranges of acceptability” that the updated framework describes for principles that are present and functioning.

Other points raised in the AICPA letter include:

  • Requested that in its introduction, COSO state that controls such as process activities, policies, and procedures exist across all five components of the framework rather than just the “control activity” component.
  • Asked COSO to tie together concepts such as reasonable assurance; range of acceptability; and reducing risk of not achieving an objective to an acceptable level; and provide examples of those concepts.
  • Wrote that providing examples of “major” non-conformity and “minor” non-conformity would help users better apply judgment in their own evaluations.

COSO’s 20-year-old internal control framework is being updated with explicit advice and implementation guidance to provide a fresh, modern approach. The exposure draft (ED) of the new framework includes 17 principles specifically described across the five components of internal control, with attributes described for each principle.

COSO expects to issue an ED of its Internal Control over External Financial Reporting Approaches and Examples in June. The final framework, along with a practice aid and the external financial reporting approaches, is scheduled to be released early in 2013. The comment period on the updated internal control framework ended Saturday.

The AICPA recommended a few changes in specific principles in the updated framework, including a request that Principle 8, which focuses on fraud, be extended to include potential errors, bias, and abuses. Failing that, the AICPA requested that an additional principle be created to address those areas.

In addition, the AICPA wrote that the updated framework may not contain enough perspective for smaller companies with regard to how the components and principles apply to their circumstances.

Like the CAQ, the AICPA wrote that the inclusion of principles and attributes in the framework could increase the complexity of internal control evaluation processes. The AICPA, like the CAQ, suggested that COSO provide additional guidance on how an organization should consider weaknesses in or absence of a principle or attribute when evaluating the effectiveness of internal control.

In addition, the AICPA asks for transition guidance for users from the original framework to the updated framework, as the CAQ did.

COSO is a joint initiative of five private sponsoring organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The AICPA is one of the sponsoring organizations.

Ken Tysiac is a JofA senior editor.

