The Center for Audit Quality (CAQ) would like the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to provide more transition guidance for users implementing COSO’s updated internal control framework.
COSO is updating its 20-year-old internal control framework to provide a fresh, modern approach with explicit advice and implementation guidance. It issued an exposure draft (ED) of a new framework with 17 principles specifically described across the five components of internal control, plus attributes described for each principle.
The comment period for the ED ended Saturday. COSO plans to release the final framework early in 2013.
In a comment letter, the CAQ wrote that it supports COSO’s efforts to update the framework but said that without sufficient guidance on the transition from the original to the updated framework, inconsistent application and confusion could occur. The letter said that without clarity, some organizations may continue using the original framework, while others use the updated framework.
The CAQ, which is affiliated with the AICPA, encouraged COSO to work with the SEC and other regulatory agencies to consider guidance and clarification regarding the validity of the original framework following the issuance of the updated framework.
In addition, the CAQ advised COSO to provide additional considerations for how an organization should consider weaknesses in – or absence of – a principle or attribute when evaluating effectiveness. The CAQ said that including principles and attributes, along with the presumption that they are present and operating effectively, could increase the complexity of the evaluation process.
The CAQ seeks more guidance and examples on the appropriate “range of acceptability” when assessing whether a principle is present and functioning effectively. And the CAQ said the two types of nonconformities described by COSO (“major” and “minor”) may not reflect the extent of variation in nonconformity that may exist. The CAQ is seeking clarification acknowledging the range of potential nonconformities and enhancements to the examples to include more background illustrating the rationale for classifying nonconformities and their effect on the organization’s assessment.
Other recommendations for COSO include:
- Enhancing its description of Principle 11, which discusses controls over information technology. The CAQ suggested enhancing the description of attributes to include general information technology control objectives such as controls over security, change management, systems development and deployment, operations, data backup and recovery, application controls, and end-user computing.
- Incorporating key concepts from COSO’s Guidance on Monitoring Internal Control Systems, published in 2009, some of which the CAQ said are not included in the updated framework.
- Providing more guidance on how the principles and attributes can be applied at smaller organizations.
—Ken Tysiac is a JofA senior editor.