For about 20 years, the popular internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has been like a favorite tool in a craftsman’s shop.
Its guidance has held up over time with original components that have been so sound that a large majority of more than 700 stakeholders surveyed supported updating the original 1992 framework, but not conducting a major overhaul.
A new exposure draft released in December would update the original framework with a fresh, modern approach. Although the original components of internal control remain the same, the new document contains more explicit advice and implementation guidance.
Examples throughout the framework are designed to make it easy to use, clearer and relevant to a business environment that has changed considerably in 20 years.
The updated framework explicitly lists 17 principles across those five components to build on the concepts that COSO contributors believe proved useful in the original version.
Comments on the ED, which was developed in a project led by PricewaterhouseCoopers, can be submitted through March 31 at ic.coso.org. The final framework is scheduled for release late this year. In addition, a guide on applying COSO’s principles to external financial reporting is scheduled to be released in an ED this spring.
To learn more about the ED, the JofA held a telephone conference with COSO Chairman David Landsittel and three others in prominent roles with COSO. Participants were Larry Rittenberg, an accounting professor at the University of Wisconsin–Madison; Bill Schneider, AT&T director of accounting; and Chuck Landes, AICPA vice president–Professional Standards & Services.
Listen to the podcast of this discussion at jofa.podomatic.com.
- COSO Chairman David Landsittel serves on two public company corporate boards, chairing the audit committee in both cases. He also is an executive-in-residence at DePaul University.
- COSO Chairman Emeritus Larry Rittenberg chaired COSO from 2005 to 2009 and is the Ernst & Young Professor of Accounting at the University of Wisconsin–Madison.
- COSO board of directors member Chuck Landes is vice president– Professional Standards & Services for the AICPA.
- COSO Advisory Task Force member Bill Schneider is director of accounting for AT&T.
Following are excerpts from that discussion:
Tysiac: Why was it necessary to revise COSO’s Internal Control Framework, and why was now the right time?
Landsittel: We have concluded continuously that the fundamental concepts and principles continue to be effective, and as I’ve put it, are timeless. But as we’ve moved forward, the environment has changed dramatically from 1992. The context in which the document was written in 1992 was really a lot different than it is today. An obvious example is technology. There certainly wasn’t widespread use of the Internet or email in 1992. Expectations of governance were different. There were many differences.
So the board concluded that, while the 1992 framework remains effective because of the unchanging applicability of its fundamental concepts and principles, it would be helpful to have a revision that updated the document to reflect a context that’s more current.
Tysiac: What stays the same in the framework and why?
Rittenberg: What stays the same is the basic definition of internal control and essentially the components of good internal control: One, the idea that there needs to be a strong control environment; two, the idea that you select the right control activities to mitigate risk; three, the idea that you have strong information and communication systems that provide two-way communications throughout the organization, both from the top down but also from the bottom up to understand what might be going wrong; four, providing a framework for top management and those charged with oversight to provide effective monitoring of internal control over a long period of time. So those elements stay the same. And I think the other important thing to note is that it is not just a financial control framework, but it is an integrated framework that’s designed to help the organization accomplish its objectives.
Landsittel: Let me add … that one important thing that remains the same is the ability for users of the framework to use judgment in applying it.
Tysiac: What are the major changes in the document?
Landes: We have taken 17 principles (from) the original framework and have now explicitly laid them out throughout the five elements. And the other thing is the style in which the document is written. What folks will see is really a different writing style that I think will help because of the clarity of it as well as the 17 principles that we’ve now integrated into the framework. I think the other thing that has changed is the examples. David mentioned how the landscape has changed, and the examples have been updated so they are more realistic with today’s environment.
Tysiac: Why was it important to spell out the 17 principles explicitly?
Schneider: It makes it clear what’s necessary to be able to have an effective internal control framework. There’s no more debate about whether something needs to be present or not. There’s no more debate about whether there is a principle or isn’t a principle in a certain area. It’s now explicit as to what the 17 principles are, and that takes a step of contention out between auditors and preparers, and it also makes it easier to understand what it takes. So if you want to set up a framework or see if the framework you have is in compliance, it’s a much more formulaic process to be able to go there. That makes it easier for the preparers. It’s easier to see if everything is covered.
Tysiac: The document accounts for changes in technology, globalization and evolving business models. How does it do that?
Landsittel: There’s a separate principle that deals with technology, but the main way it’s accomplished in the document is in a very integrated discussion in the commentary. There are any number of examples that deal with an updated business model. For example, referencing to outsourcing is very common in the document in the examples provided and in the attributes. We accomplish the change in the context in dealing with technology and globalization throughout the document in what I consider a very integrated way.
Tysiac: What will preparers need to do differently under the updated framework?
Schneider: I think a couple things that anyone will need to do whether they’re an auditor or a preparer, they’ll need to continue to look at their control structure and see if it does line up with what is in the updated framework. Overall it should be the same, but maybe there are some nuances on an attribute or a principle that you need to pick up on or maybe perform some testing on, on an annual basis, or something along those lines. You also might want to slightly change your documentation so it aligns better. Maybe you have everything documented, but it’s not quite aligned with the 17 principles. Really it just depends on, quite honestly, how closely your understanding of the framework was with the board’s understanding of what the original framework was intended to do. If you were in line with the board’s thoughts, then you probably have very little to do. If you had some different ideas than what the board thought was in the original framework, you may have a little work to do to get things caught up.
Tysiac: What will auditors need to do differently under the updated framework?
Landes: We have two major areas where internal control shows up within our audit and attestation literature. First, in our auditing standards, an auditor, as part of his or her risk assessment, is required to have an understanding of internal control, which includes evaluating the design of controls and whether controls have been implemented. That’s a very important area that auditors are going to have to look at the change to the framework. …
And the second major area where the Auditing Standards Board is going to have to take a look at the new framework is in our attestation standards, where an auditor is engaged to provide an opinion on internal control over financial reporting. As Bill described it for members in business and industry, I think the same is pretty true for an auditor as well. We talked about the 17 principles, so I clearly expect that our auditing literature, and by that I mean our attestation literature as well, will make some changes in order to bring in, within the auditors’ understanding, how did management design their controls, and are those 17 principles present and functioning. So more than anything, I think it’s going to be some conforming changes to our literature.
Tysiac: What will audit committees need to do differently under the updated framework?
Rittenberg: I think what we’re looking for as an audit committee member is to get away from the mentality that internal control is simply a compliance activity. Good internal control is about achieving business objectives or organizational objectives in a cost-effective way. So from an audit committee (perspective), I want to understand how the organization is implementing controls to be cost-effective. … I know in our audit committee meetings we always have confidential discussions with the auditors, and this is an issue that comes up. I think auditors have got to be ready to discuss issues where they think there might be problems in the organizations. It may be accounting. It may be control or whatever, and they ought to be prepared to discuss that. … There is a principle related to fraud risk assessment that must take place by the organization. We know that auditors assess the risk of fraud in planning the audit. Those two things have to come together, and organizations need to sit down and think through that as well in terms of that new principle.
Tysiac: How important is it to take note of operations and compliance objectives as well as the reporting objective?
Landsittel: Obviously, it’s very important. I know a lot of people continue to think of internal controls and immediately think of accounting and financial reporting; but internal control is so important in a broader way, specifically in assuring the accomplishment of the organization’s objectives as Larry and others have alluded to. In the updated document, there’s an additional focus on operational and compliance controls and how they are beneficial in helping assure the accomplishment of operational and compliance objectives. In this regard, the document responds to some current concerns that in recent years some organizations haven’t been fully “under control” in a broad sense. We believe that focusing on operational controls and their positive impact on the accomplishment of operational objectives adds assurance of the longer-term success of an organization. So we think our added focus in this regard is very important.
Landes: We are seeing more and more demand in the United States relative to reporting on internal control over compliance. There has been, over the last several years, a real increase in the amount of federal funds that are being disbursed into our economy, and with that comes reporting requirements by entities. Folks who receive certain levels of federal funds must go through an audit of compliance, which also includes reporting on internal control over compliance. Therefore, there are many, many auditees from very small nonprofit organizations to major national organizations who are required to maintain pretty strict internal control over compliance as a result of receiving federal funds. Therefore, those organizations are going to be impacted by this as well.
Tysiac: Why and how has the reporting objective changed?
Schneider: I think the most noticeable change that people will see right off the bat is it’s now just reporting. It encompasses financial reporting. It encompasses nonfinancial reporting. It encompasses internal reporting. It encompasses financial and nonfinancial aspects of reporting. So external financial reporting is now a very unique subset of the whole reporting area around control, but that really fits in with where reporting is going. If you’ve been seeing what’s going on in the reporting world, you’ve been hearing about “integrated reporting.” Another term that’s used is “sustainability reporting.” There’s a lot of reporting going on beyond just the financial numbers that investors and stakeholders are very interested in, because it reflects the results of the business. It’s just as important to have an internal control structure over the reporting of that other information as over the financial information.
Tysiac: What kind of guidance can we expect from the additional guide on external financial reporting?
Landsittel: Notwithstanding the comments that Bill, Chuck and I have made on the importance of thinking of the framework broadly, it is important that there is a clear pathway to how it’s implemented as it relates to financial reporting, because after all that’s important for public companies … under SOX 404 [Sarbanes-Oxley Section 404]. We want the separate companion document to provide that pathway, dealing strictly with how the framework is applied for financial reporting. Importantly, the companion document won’t change the framework; it will just deal with implementation as it relates to financial reporting. In that context, look for the companion document to have a number of examples and a number of approaches that will bring to life to the user of the material how the framework relates specifically to the external financial reporting objective.
Landes: What this new guide will do, it will not just be put out there for public companies but for privates as well, and I think that’s going to be a tremendous benefit for private organizations who want to take a look at, how do I design my internal control over financial reporting. Before, there was this public company guidance out there, but there wasn’t anything that a private company thought applied to them.
Tysiac: Talk about the implementation, particularly from a small or midsize business perspective. Many times these people are running on small margins, and that can make it difficult for them to put this guidance into practice. How can they do it? Why is it important for them to do it?
Rittenberg: I’ll start with the second question first. We all know that we have too many business failures. And failure means that you have not accomplished your objectives. So let’s keep our eye on the endpoint. This is all about helping an organization accomplish its objectives. … And secondly, it started with the small business guidance, and it continues through here. There are different ways in which organizations can accomplish their objectives and accomplish the principles related to effective internal control. The oversight may be different. It may be from a different kind of board than you’d find at a public company, but that doesn’t mean there shouldn’t be some kind of oversight.
If you look at control activities, you may have more outside software that’s utilized, but that doesn’t mean you shouldn’t have some sort of a review to make sure that software works correctly. Because if it doesn’t, it reduces the likelihood you’re going to accomplish the objectives.
There may be different ways to communicate an ethical culture in a small business than in a larger business. But we need to understand that there are judgments that management can make that are related to the controls, all again in turn related to accomplishing their objectives. This is not an add-on. This is a fundamental way of doing business. It lays out some various principles. It lays out the attributes and encourages organizations of all size to accomplish them.
Listen to the podcast of this discussion at jofa.podomatic.com.
COSO Framework: The Basics
Here are the five main components, along with their newly articulated supporting principles, from the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) updated internal control framework:
This is the foundation for all other components of internal control, providing discipline, process and structure as established by the board and senior management. There are five principles relating to control environment:
- Commitment to integrity and ethics.
- Oversight for internal control by the board of directors, independent of management.
- Structures, reporting lines and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board.
- A commitment to attract, develop and retain competent individuals in alignment with objectives.
- Holding individuals accountable for their internal control responsibilities in pursuit of objectives.
The basis for how risks should be managed involves a dynamic process. Management must consider possible changes in the external environment and within the business that may be obstacles to its objectives. There are four principles of risk assessment:
- Specifying objectives clearly enough for risks to be identified and assessed.
- Identifying and analyzing risks to determine how they should be managed.
- Considering the potential of fraud.
- Identifying and assessing changes that could significantly impact the system of internal control.
These are established to help ensure that management’s directives to mitigate risks get carried out. Control activities are performed at all levels and at various stages within the business process and over technology. There are three principles of control activities:
- Selecting and developing controls that help mitigate risks to an acceptable level.
- Selecting and developing general control activities over technology.
- Deploying control activities as specified in policies and relevant procedures.
INFORMATION AND COMMUNICATION
Communication must occur internally and externally to provide information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities. There are three principles relating to information and communication:
- Obtaining or generating relevant, high-quality information to support internal control.
- Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control.
- Communicating relevant internal control matters to external parties.
Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board. There are two principles relating to monitoring activities:
Selecting, developing and performing ongoing or separate evaluations of the components of internal control.
- Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released an exposure draft to update its 1992 internal control framework. Comments can be submitted through March 31 at ic.coso.org. The final framework is scheduled for release late in 2012.
COSO’s ED updates the framework for globalization, technological advancements and new business models, and provides examples to aid application.
The original five components of the framework —control environment, risk assessment, control activities, information and communications, and monitoring activities—remain the same.
New to the framework are 17 principles across the five components of internal control. Each principle also is described with specific attributes in the framework.
An additional ED on a guide applying COSO’s principles to external financial reporting is expected in the spring.
Ken Tysiac is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at firstname.lastname@example.org or 919-402-2112.
The AICPA is a member of the Committee of Sponsoring Organizations of the Treadway Commission, (COSO). Information and resources, including an archived Jan. 31 webinar on the proposed update, are available at tinyurl.com/7o8rfel.
COSO official website, ic.coso.org
More from the JofA: