The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an exposure draft seeking comments on an updated internal control framework designed to help organizations perform with efficiency and confidence.
COSO Chairman David Landsittel and the JofA discussed the updated framework, which keeps the same definitions, objectives and five components of internal control, but adds 17 core principles across those five components.
Here are excerpts from the interview with Landsittel.
Q: I’m wondering if you can drill down on what’s new with the framework as opposed to the old framework?
A: Let me set the table by prefacing it by saying that the fundamental concepts are not changed. So the old framework related to three fundamental categories of objectives that dealt with operations, compliance and financial reporting, and the new framework focuses on those same three objectives. The ’92 framework was based on five components of internal control, and this framework uses those same five components.
Of course, we view internal control as something that achieves reasonable assurance, not absolute assurance. Use of judgment is very important. And so those kinds of, I want to say, timeless aspects of the document haven’t changed. And it’s kind of important when you talk about what’s changed, to keep that in the back of your mind.
Q: That this is really just an update?
A: Yes. Exactly. Internally we’ve called it a “refresh” of the framework. And before we really put pen to paper with the assistance of [PricewaterhouseCoopers], who’s the manager of the project, there was an extensive survey. We got about 700 responses to the survey. The survey was consistent with how we went forward. So we had a lot of support for going forward, but with the recognition that the timeless components are working fine. Don’t tinker with those timeless components.
So having said that, let me say I think of the changes as being in four areas.
First, the context is changed to recognize so many changes in the environment today, as compared to 1992. So for example, governance has become more important. Audit committees have become more important. I don’t think in 1992 we mentioned compensation committees. So compensation is a governance element that’s very visible today that wasn’t visible in 1992. So within the fact that the context, the environment has changed, [there are] some sub-areas.
The first is governance. The second is technology, and you can just very quickly recognize that. There was no [widely used] email or Internet in 1992. We didn’t have smart phones and laptops and social media, etc., so there are a lot of differences in technology today as opposed to 1992. Globalization is so much more important today, both in terms of the entities we deal with and the environment surrounding those entities.
And somewhat related, business models have changed, as you would recognize. They’re more complex, and it’s a reflection of more complex globalization and regulation. We have joint ventures and we have outsourcing and just more complexity in terms of business models than we recognized in 1992. … The context and environment changes have been significant, and we want to recognize those.
Secondly, the 1992 framework was principles based, but in an implicit way. In this framework, we are very explicit in recognizing principles and attributes that support the five components.
Q: So the 17 principles are all new?
A: Well, they’re all new in terms of being explicit. We spell them out. We think that will help with the efficiency and effectiveness of the document that will allow people to really recognize more quickly what’s under each of the five components and also from a top-down basis understand what’s relevant and what isn’t relevant in assessing controls and adopting the criteria underlining each of those components. And of course under the principles are what we call “attributes” that add more color and understandability to each of the principles. So that’s something that is explicit today. How much that is a change is a bit dependent upon how people implemented the 1992 framework, but certainly the underpinning of 17 principles was in the 1992 framework.
The third area is, we wanted to focus more today on the operations and the compliance objectives. I mentioned that there are three categories of objectives—operations, compliance and financial reporting. They were recognized in 1992. But we want to emphasize the compliance and operational objectives as being important to us. Some people because of the implementation of our framework under SOX 404 and SOX (the Sarbanes-Oxley Act of 2002) think of it as a financial reporting framework that really relates to published financial statements. But it’s broader than that. We want to have the reader recognize more vividly the relevance and the opportunities to adopt the framework as it relates to operations and compliance.
The fourth area is the fact that the financial reporting area … has been expanded. Where in 1992 we did talk mostly about published financial statements and the relevance of published financial statements, now we talk about internal and external reporting. So the framework is relevant to internal reporting as well, and for external reporting we recognize the fact that there’s a lot of information that’s reported externally that goes far beyond published financial statements.
Q: Back to technology … can you take me through the spots in the framework where you tried to account for technology?
A: I don’t want to overstate that. The framework’s still … principles based and our desire to have it timeless is such that we don’t get so specific that it dates the framework or becomes prescriptive in too narrow a way. So for example, cloud computing is really hot today. We don’t want to overstate that and then have somebody say 10 years from now that you can tell it was written in 2011 because that was the era of cloud computing. So we recognize the context, but still in a principles-based way and not in a way that gets so specific that it gets so prescriptive in too much detail.
We recognize the mobility of technology, for example, without getting specific into social networking, cloud computing, smart phones, etc.
Q: The operations and compliance objectives, why was it important to focus on those?
A: COSO believes that effective internal [control is] important to the long-term success of any organization. So we believe what we preach in terms of our framework. We want to emphasize the fact that there’s an opportunity to use this framework … to achieve not just financial reporting objectives, but objectives relating to the operations of the business and compliance with laws and regulations as well. That was in the ’92 framework, but we just want to emphasize it more in this framework, because we do think it’s important to the success of every business organization. So there’s an opportunity here. People think of internal controls and they think of controls over books and records and accounting. They think of SOX 404. And we just want to emphasize the fact that there’s an opportunity here to apply our framework in other, broader ways as well.
Q: The financial reporting area is being expanded. You are putting out an additional guide. How much of the financial reporting material is in the ED of the updated framework that was released in December? And how much is going to be in the guide?
A: That’s a really good question. The guide, which will come out late spring, hopefully, does not change the overall framework. So for example you knew there were 17 principles when I was talking about principles and attributes. Those same 17 principles will be an introduction to what’s in the guide. But the guide is going to include a lot of approaches and examples that deal with the implementation for external financial reporting purposes. So it’s more dealing with the implementation of the framework, as it relates to that particular objective, as opposed to anything that would change the framework. So there will be some description in the guidance as to what’s different when you’re dealing with achieving objectives in the external financial reporting arena. But there will be a lot of approaches and examples that just articulate the support of the principles as it relates to external financial reporting.
—Ken Tysiac is a JofA senior editor.