Here is how organizations can implement the newly updated, principles-based internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was released May 14 (visit ic.coso.org). The original 1992 framework has been sharpened and refreshed to reflect the current business environment.
Create a team and a plan. In many cases, the CFO will oversee
implementation of the COSO framework in conjunction with the chief
compliance officer and chief risk officer. Internal auditors can play
a valuable support and evaluation role but will need to preserve their
ability to be objective for future audits. The CEO, audit committee,
and board of directors will need to be kept informed on objectives and
progress. What are the time commitments required of parties involved,
including external auditors? You need to have a plan.
Use a building-block approach. Use the five components of the
framework (control environment, risk assessment, control activities,
information and communication, and monitoring activities) to break the
project into workable pieces. Then focus on making sure the principles
in each component are all operating together as they should. As in the
past, this requires a significant amount of judgment.
Build off what you’re currently doing. Companies that are well
controlled can build on their internal control system already in
place. Some may need to refocus or refine control processes or just
update their documentation. Seventeen principles are specified across
the five components of internal control in the updated framework and
will guide you. Mapping the principles to your controls may be a
helpful exercise.
Pay attention to the points of focus. Each of the 17 principles
is accompanied by points of focus to consider. Although some may not
apply in all circumstances, they provide excellent insight as a guide
to implementation and evaluation.
Use the Illustrative Tools and Internal Control Over
External Financial Reporting: A Compendium of Approaches and
Examples documents that accompany the framework. The
examples in the Compendium should give you useful ideas for
applying the framework to a specific situation. The Illustrative
Tools document contains templates that you can use for evaluating
and documenting effectiveness of internal control.
Focus on the role of IT. Changes in technology were a driving
force in the decision to update the framework. Consider how IT is
being used, focus on recent developments such as cloud computing and
social media, and take into account the implications technology has
for internal control.
Look for added value. Don’t just approach implementation as a
necessity for compliance. Use this as an opportunity to find ways to
improve effectiveness and increase the efficiency of your control
system. Set goals for what you want to achieve in implementing the
framework beyond just compliance.
Make the switch. COSO is not a standard setter and does not have
power to require an organization to switch from the 1992 framework to
the updated version. But after the transition period ends on Dec. 15,
2014, COSO will consider the 1992 framework to be superseded. Public
companies will have difficulty explaining why they are referencing the
prior version once the transition period ends. Meanwhile, during the
transition period, make sure you indicate which version of the
framework you are referencing.
Editor’s Note: COSO is a joint initiative of five private-sector organizations, including the AICPA, which provides thought leadership on enterprise risk management, internal control, and fraud deterrence.
—By Doug Prawitt, CPA, Ph.D. (prawitt@byu.edu), a Brigham Young University accountancy professor and COSO board member, and Ken Tysiac (ktysiac@aicpa.org), a JofA senior editor.