Getting Familiar with the Updated COSO Framework

Posted on 09.16.13

Author: Scott M. McAuliffe, CPA, CISA, CFE
Risk Advisory Services Partner

In case you missed it, in May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control – Integrated Framework (Framework). COSO updated its framework to provide better clarity and reflect changes in business and operating environments that have occurred since the original version was issued in 1992. These changes include globalization, greater reliance on technology, and more complex businesses, laws, rules, regulations, and standards to name a few. To provide companies (specifically public companies complying with Sarbanes-Oxley) with time to implement the new framework, COSO established an effective date of December 15, 2014.

So what has changed?

  1. The original framework had three objectives relating to internal control: Operations, Financial Reporting, and Compliance. Under the new framework (Figure 1), Financial Reporting has been broadened to Reporting, which includes internal and external financial and non-financial reporting.
  2. In the original framework, the Control Environment was the bottom component or foundation of all other components of internal control, providing discipline and structure. Under the new framework, the Control Environment is the top component, which can be interpreted as management and Board setting the "Tone at the Top" or taking a top-down approach to evaluating internal controls.
  3. The new framework explicitly defines 17 principles representing fundamental concepts of each component (Table 1 below). For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning.
  4. The new framework also provides "Points of Focus" for each of the 17 principles. The Points of Focus are not required but are provided to assist management in designing, implementing, and maintaining internal control and in assessing whether the principles are present and functioning.
  5. The new framework uses and defines the terms "deficiency" and "major deficiency." However, public companies, for example, should continue to use the criteria established by the PCAOB when evaluating and reporting internal control deficiencies.

To ensure the new framework is in place by December 15, 2014, companies should develop Transition Plans. The Transition Plans should include:

  - Developing awareness throughout the organization, establishing subject matter experts, and establishing a COSO update project manager.
  - Conducting a preliminary impact assessment to determine gaps between the original and new frameworks and to determine the resources needed to implement the new framework.
  - Establishing timelines and milestones for implementing the new framework.
  - Performing a comprehensive assessment and testing to confirm the new framework has been implemented.
  - For public companies, performing management's assessment of internal controls under the new framework.

Table 1. The 17 principles, by component

Control Environment
  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment
  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities
  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. The organization selects and develops general control activities over technology to support the achievement of objectives.
  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication
  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring
  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


Questions regarding this topic? Contact your Keiter representative or smcauliffe@keitercpa.com