An important development in the internal control landscape was completed Tuesday with the release of an update to the integrated framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO’s popular original internal control framework, released in 1992, was accepted by the SEC as a framework for attesting to internal control over financial reporting as required by the Sarbanes-Oxley Act of 2002 (SOX). And the five main components of the original framework—control environment, risk assessment, control activities, information and communication, and monitoring activities—remain the foundation for the updated framework.
But globalization and technology have accelerated at dizzying rates since 1992. And in a world of smartphones and cloud computing, it seemed prudent to update an original framework that was published before cellphones and email became common. “While our original framework remains fundamentally sound and broadly accepted in the marketplace, we are confident that the 2013 framework will bring added benefits to users,” COSO Chairman David Landsittel, CPA, said in a news release.
COSO is an organization of five private-sector organizations, including the AICPA, participating in a collaborative effort to provide guidance on enterprise risk management, internal control, and fraud deterrence.
The most significant new development in COSO’s new framework is the articulation of 17 specific principles spread across the five main components of internal control. As in the past, the five components need to be functioning—and functioning together—for internal control to be present.
Each principle is accompanied by explicit points of focus designed to help users evaluate whether the principle is present and functioning. Although some points of focus don’t apply to all users and all situations, they will help organizations understand with greater specificity the way the more general principles are supposed to be evaluated.
The new framework better reflects the technology and globalization that have become an increasingly important part of the current business environment. And the framework is being released with two accompanying documents that will aid implementation.
A document titled Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples provides ideas and examples that will help companies apply the framework to their specific situation. Another document, titled Illustrative Tools, contains templates that companies can use to evaluate and document the effectiveness of internal control.
The framework is available for purchase at coso.org, where an executive summary is available free of charge. The whole package—the framework and its accompanying documents—is organized to assist understanding and increase ease of use.
COSO board member Doug Prawitt, CPA, a professor of accountancy at Brigham Young University, said companies should build on what they already are doing as they implement the new framework.
For organizations that already have effective internal control systems, that might mean just refocusing and refining their approach and changing documentation. Organizations with less robust internal control systems may have more work to do to put the framework to work effectively.
The key for all users will be focusing on the 17 principles, which Prawitt said auditors will look to as a way of evaluating the effectiveness of internal control. Prawitt said the clearly articulated principles help create an improved level of specificity and are one of the most important additions to the framework.
“These 17 principles really don’t introduce new requirements into internal control,” Prawitt said. “The 17 principles draw out of all of the guidance that was in the 1992 framework, the key things that really have to be there in order for internal control to be effective.”
Time for transition
Companies will have time to implement the new framework.
Officials with COSO say that although the new framework is an improvement, the 1992 version remains appropriate and relevant for a transition period that will end Dec. 15, 2014. At that time, COSO will consider the 1992 framework superseded.
COSO is not a standard setter or regulatory agency and does not have enforcement power. But experts believe public companies will not want to use a superseded framework for important actions such as their SOX internal control attestation.
During the transition period, according to the COSO literature, organizations should state whether they are using the 1992 framework or the updated version. Experts say that although implementing the new framework clearly is a compliance exercise, smart companies will take this opportunity to identify additional efficiencies and operations improvements.
Sonia Luna, CPA, founder and CEO of Los Angeles-based management consulting firm Aviva Spectrum, said thought leaders will recognize the extra value they can generate during the implementation.
“The light bulb clicks,” Luna said. “And they’ll say, ‘This is really pushing us. We’re not in the business just to meet some law requirement. We’re in the business to do what makes us happy here and for serving our customers and clients.’ ”
The framework’s value isn’t limited to public companies that will use it to fulfill regulatory requirements, Prawitt said. The framework contains objectives for operations and compliance as well as financial reporting, and Prawitt said any type of organization can benefit from applying the framework.
“There is a ton of benefit potential there in terms of making sure that we’re achieving our objectives, with respect to operations, with respect to compliance, with respect to financial reporting—both internal and external,” Prawitt said. “Those objectives really apply to any organization—large, small, midsize, public, or nonpublic.”
Ken Tysiac is a JofA senior editor.