Maintaining a sound control environment is a critical component of mitigating risks inherent in a continuously changing economic, technological, and regulatory environment. Organizations are expected to provide swift, effective, and socially responsible measures to safeguard against these risks.
Enter the Committee of Sponsoring Organizations of the Treadway Commission (COSO), who published Internal Control – Integrated Framework in 1992 to provide a common definition of and efficient method to analyze and evaluate internal controls. COSO’s Internal Control—Integrated Framework (COSO’s Framework) became the best-practice standard for 20 years.
While the changes to the framework will not result in substantial changes for organizations with a control environment deemed to be effective, the updates to the framework will result in a more versatile and cost-effective approach to the design and evaluation of organizational internal control systems. Additionally, this should not impact the attestation process under SOX 404. Here is a brief overview of COSO and its key changes.
The Original Framework
COSO was founded on four critical underlying concepts:
- Internal control is a process toward the achievement of organizational objectives.
- The internal control process is driven by people at all levels of the organization.
- Internal control is a means to achieve objectives within one or more separate but overlapping categories.
- Internal control can provide only reasonable assurance to the achievement of organizational objectives.
The framework further details five framework components as summarized by the updated COSO Cube for internal controls, shown below:
- Control environment: The internal organizational environment driven by the management operating philosophy, risk appetite, integrity, and ethical values.
- Risk assessment: Risks are identified and the likely impact on the organization is assessed.
- Control activities: Policies and procedures are implemented to ensure organizational objectives and risk-mitigation activities are effectively executed.
- Information and communication: Relevant information is communicated in an acceptable format and timely fashion to enable the organization to meet its objectives.
- Monitoring: The internal control process is continually monitored. Modifications are made to improve internal control activities as a result of the monitoring process.
Why Did the Framework Change?
The original Internal Control – Integrated Framework stood unchanged for 20 years. The Committee of Sponsoring Organizations elected to update the framework in to reflect the dynamic changes in the business environment by incorporating discussion on the technological advances in business processes and communication, as well as an ever increasing regulatory atmosphere that impacts an organizational control environment. The updated framework has been modified to maintain relevance with current and future business environments and will apply to public companies, privately held companies, not-for-profit agencies and governmental entities.
This does not, however change other COSO Frameworks, such as 2004’s Enterprise Risk Management – Integrated Framework but will be used alongside the forthcoming update to the Guidance on Internal Control over External Financial Reporting (ICEFR) to update the guidance set forth for Smaller Public Companies.
What Are the Key Changes to the Framework?
The original five Internal Control – Integrated Framework components remain, but 17 principles from the original framework are now explicitly listed among those five components. As a result, the framework adopts a principles-and-attributes approach, which provides more detailed guidance for designing and assessing the effectiveness of internal controls. This change is critical because the framework more clearly communicates the fundamental concepts associated with the components of internal control. The17 principles are listed below:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Information and Communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of the other components of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Additional changes to the framework include:
- Increased discussion related to the definition of internal control, its related components, and how the components relate to objectives.
- The framework reiterates the importance of compliance and meeting operational objectives while clarifying that objective setting is a component of risk assessment and not a part of internal control
- Establishment of a specific principle related to Information Technology (IT) control with emphasis on the sophistication and complexity of online real-time transaction processing systems and the dramatic impact on the availability of and access to information. The framework notes the evolving nature of the impact of technology on the control environment and the inherent limitations of the framework when applied to emerging technological trends such as cloud computing and the use of social media.
- Expansion of the governance concepts related to the board of directors and related audit, compensation, and nomination/governance subcommittees.
- Expansion of guidance for objectives related to reporting to incorporate that which that takes place beyond annual financial reporting. The framework subdivides reporting into four sub-categories, External Financial Reporting, External Non-Financial Reporting, Internal Financial Reporting, and Internal Non-Financial Reporting, and provides discussion on the characteristics of each sub-category. The framework provides emphasizes the impact of information and communication controls on the managements objectives relating to the reliability of reporting.
- Establishment of a specific risk assessment principle that dictates that an organization must consider the potential for fraud when assessing the risks to the achievement of objectives.
- Consideration of the extended business model and organizational structures that utilize external parties for outsourcing arrangements and various types of joint venture operations. The framework emphasizes that those activities that are managed internally and externally are a critical component of internal control and management must maintain its responsibility to manage the risks associated with these activities.
While the framework reiterates that the establishment and maintenance of a sound control environment is solely the responsibility of management, the internal audit function must play a key role in its evaluation. The updated framework provides a critical tool that can assist the internal audit function maintain the role of trusted advisor to management on the actions necessary to maintain a sound control environment and effectively manage risk. The explicit listing of the 17 principles increases the usability of the framework when the internal audit function performs activities related to evaluation of the design and effectiveness of internal control testing programs. Internal audit will continue to play a critical role in providing management guidance and perform assessments on the organization’s internal control suite to ensure it satisfies the updated principles.