Here is how organizations can implement the newly updated, principles-based internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was released May 14 (visit ic.coso.org). The original 1992 framework has been sharpened and refreshed to reflect the current business environment.
Create a team and a plan. In many cases, the CFO will oversee implementation of the COSO framework in conjunction with the chief compliance officer and chief risk officer. Internal auditors can play a valuable support and evaluation role but will need to preserve their ability to be objective for future audits. The CEO, audit committee, and board of directors will need to be kept informed on objectives and progress. What are the time commitments required of parties involved, including external auditors? You need to have a plan.
Use a building-block approach. Use the five components of the framework (control environment, risk assessment, control activities, information and communication, and monitoring activities) to break the project into workable pieces. Then focus on making sure the principles in each component are all operating together as they should. As in the past, this requires a significant amount of judgment.
Build off what you’re currently doing. Companies that are well controlled can build on their internal control system already in place. Some may need to refocus or refine control processes or just update their documentation. Seventeen principles are specified across the five components of internal control in the updated framework and will guide you. Mapping the principles to your controls may be a helpful exercise.
Pay attention to the points of focus. Each of the 17 principles is accompanied by points of focus to consider. Although some may not apply in all circumstances, they provide excellent insight as a guide to implementation and evaluation.
Use the Illustrative Tools and Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples documents that accompany the framework. The examples in the Compendium should give great ideas in applying the framework to a specific situation. The Illustrative Tools document contains templates that you can use for evaluating and documenting effectiveness of internal control.
Focus on the role of IT. Changes in technology were a driving force in the decision to update the framework. Consider how IT is being used, focus on recent developments such as cloud computing and social media, and take into account the implications technology has for internal control.
Look for added value. Don’t just approach implementation as a necessity for compliance. Use this as an opportunity to find ways to improve effectiveness and increase the efficiency of your control system. Set goals for what you want to achieve in implementing the framework beyond just compliance.
Make the switch. COSO is not a standard setter and does not have power to require an organization to switch from the 1992 framework to the updated version. But after the transition period ends on Dec. 15, 2014, COSO will consider the 1992 framework to be superseded. Public companies will have difficulty explaining why they are referencing the prior version once the transition period ends. Meanwhile, during the transition period, make sure you indicate which version of the framework you are referencing.
Editor’s Note: COSO is a joint initiative of five private-sector organizations, including the AICPA, which provides thought leadership on enterprise risk management, internal control, and fraud deterrence.
—By Doug Prawitt, CPA, Ph.D. (
), a Brigham Young University accountancy professor and COSO board
member, and Ken Tysiac (
), a JofA senior editor.