Getting Familiar with the Updated COSO Framework
Posted on 09.16.13
In case you missed it, in May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control – Integrated Framework (Framework). COSO updated its framework to provide better clarity and reflect changes in business and operating environments that have occurred since the original version was issued in 1992. These changes include globalization, greater reliance on technology, and more complex businesses, laws, rules, regulations, and standards to name a few. To provide companies (specifically public companies complying with Sarbanes-Oxley) with time to implement the new framework, COSO established an effective date of December 15, 2014.
So what has changed?
- The original framework had three objectives relating to internal control: Operations, Financial Reporting, and Compliance. Under the new framework (Figure 1), Financial reporting has been broadened to Reporting, which includes internal and external financial and non-financial reporting.
- In the original framework, the Control Environment was the bottom component or foundation of all other components of internal control, providing discipline and structure. Under the new framework, the Control Environment is the top component, which can be interpreted as management and Board setting the “Tone at the Top” or taking a top-down approach to evaluating internal controls.
- The new framework explicitly defines 17 principles representing fundamental concepts of each component (Table 1 on following page). For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning.
- The new framework also provides “Points of Focus” for each of the 17 principles. The Points of Focus are not required but are provided to assist management in designing, implementing, and maintaining internal control and in assessing whether the principles are present and functioning.
- The new framework uses and defines the terms “deficiency” and “major deficiency.” However, public companies, for example, should continue to use the criteria as established by PCAOB when evaluating, and reporting internal control deficiencies.
To ensure the new framework is in place by December 15, 2014, companies should develop Transition Plans. The Transition Plans should include:
› Developing awareness throughout the organization, establishing subject matter experts, and establishing a COSO update project manager.
› Conducting a preliminary impact assessment to determine gaps between original and new frameworks and determine resources needed to implement new framework.
› Establishing timelines and milestones for implementing new framework.
› Performing a comprehensive assessment and testing to confirm the new framework has been implemented.
› For public companies, performing management’s assessment of internal controls under the new framework.
Questions regarding this topic? Contact your Keiter representative or firstname.lastname@example.org