The Time is Now to Upgrade Your COSO Internal Controls Framework!

For more than two decades, companies of all sizes in the U.S. and abroad have designed, implemented and assessed their internal controls using the 1992 publication of COSO’s Internal Control – Integrated Framework. To this day, it remains fundamentally sound and broadly recognized as the leading guidance for effective internal control systems. But that’s about to change.

The business world has transformed over the past 20 years – technology has drastically evolved, markets have expanded, business structures have become more complex, and large-scale, highly publicized control failures have occurred. These changes have led the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to update its Integrated Framework, which will supersede the previous publication as of December 15, 2014, and become the new standard for internal controls.

What’s the same in the new Framework?

The new Framework is actually very similar to the 1992 version. It retains the core definition of internal control, the five components of internal control and the cube model. The requirement that all five components must be present and functioning for an effective system of internal control also remains unchanged. Furthermore, the Framework continues to emphasize the need for management to use judgment.

What’s changed in the new Framework?

The most prominent update to the new 2013 Framework is the clarification of fundamental concepts from the original publication. The concepts are now explicitly defined as 17 principles that form the five components of internal control (summarized below). These principles provide transparency and completeness for each component. The Framework also includes “Points of Focus” that characterize the principles. Effective internal control entails that an organization follows these 17 principles:

  • Control Environment
    1. Demonstrates commitment to integrity and ethical values
    2. Board of directors demonstrates independence and exercises oversight
    3. Establishes structure, authority, reporting lines and responsibility
    4. Commitment to attract, develop, and retain competent individuals
    5. Enforces accountability for internal control responsibilities
  • Risk Assessment
    6. Specifies suitable objectives with sufficient clarity
    7. Identifies and analyzes risk
    8. Assesses potential fraud risk
    9. Identifies and analyzes significant change
  • Control Activities
    10. Selects and develops control activities to mitigate risks
    11. Selects and develops general controls over technology
    12. Deploys controls through establishment of policies and procedures
  • Information and Communication
    13. Uses relevant, quality information to support function of internal control
    14. Communicates internally
    15. Communicates externally
  • Monitoring
    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies and takes corrective action

In addition to the principles listed above, updates to the 2013 Framework include:

  • Increased reliance on IT controls
  • Greater expectations for governance oversight
  • Explicit consideration of fraud during risk assessment
  • Consideration of the effect of expanded relationships on internal controls
  • Widening of the reporting objective to incorporate internal and external, as well as financial and non-financial reporting

COSO’s long-awaited Internal Control–Integrated Framework update will make it easier for companies to design and implement effective internal controls while accounting for the challenges that businesses face today. For help assessing and upgrading your company’s internal control systems, please contact me or another member of our risk advisory team.
