COSO Integrated Framework
In December 2011, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued for public comment an updated Internal Control – Integrated Framework (Framework). Comments are due by March 31, 2012 and can be submitted via the COSO website at www.coso.org. After evaluating the comments received, COSO plans to release the final Framework in the Fall of 2012.
The Framework is presented in three volumes: a) the Executive Summary, which provides an overview of the Framework; b) the Framework, which provides the various components of a system of internal controls, including principles and attributes; and c) Evaluation, which provides guidance to assess the effectiveness of internal controls. The complete exposure draft can be found at the COSO website noted above.
Following is a summary of the changes to the existing Framework.
Since the 1992 COSO Framework was first issued, businesses have become increasingly complex, technologically driven and global in scope. Organizations also face more regulatory compliance and oversight (for example, financial reporting compliance under the U.S. Sarbanes-Oxley Act of 2002 and similar regulatory requirements in other countries). Therefore, the system of internal controls within an organization needs to address these changing needs.
The overarching themes of the updated Framework include the following:
- Business goals and objectives are a precondition to internal controls
- A principles-based approach to internal controls is more effective than a prescriptive set of expectations. The Framework identifies Principles and Attributes for each internal control component:
  - Example of a Principle – “The organization demonstrates a commitment to integrity and ethical values”
  - Example of an Attribute – “Tone at the Top and throughout the Organization”
- The system of internal controls must adapt to the different business and organizational structures
- The responsibility for maintaining an effective system of internal controls involves everyone within the organization, including boards and other oversight functions, each having a different role within the system.
Point of View
Although the 1992 Framework was effective in establishing a system of internal controls, it was too complex, and an update was necessary to reflect the ever-changing business landscape. A principles-based approach will allow organizations to adopt a Framework that addresses their specific business and operating environments. With the updated Framework, COSO provides organizations with a Framework that can support management's decision making with confidence and is adaptive enough to stay in line with changing business and operating needs.
Comparison of Previous Framework and Current Framework
Items that have remained the same between the 1992 version (‘original version’) and the updated Framework include the following:
- Definition of internal control
- 5 Components of internal control, which include Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring
- Use of judgment by management is key
Enhancements to the Framework include additional guidance to address business and operating environments:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes in business models
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting corruption
Point of View
The updated Framework states that every entity should have a process in place to identify internal and external factors that can significantly affect its ability to achieve its objectives. This process can parallel or be a part of the entity’s risk assessment process, but changes to the entity’s environment should be discussed separately because it is easy to overlook the business’s evolution since the last risk assessment.
Two examples of changes that could significantly affect an entity are business model changes and evolving technologies. For both of these types of changes, the composition of risks initially assessed as the basis for establishing internal controls may have changed. Thus, the current internal controls may no longer be sufficient. In this situation, management should assess the risks related to the change in the business model and redesign the internal control environment, as needed, to ensure the new risks are properly mitigated.
The updated Framework also states that in order to prevent and detect corruption, management should consider the incentives and pressures to achieve objectives that are faced by employees. Two examples would be 1) unrealistic performance targets and 2) conflicting objectives from different stakeholders. Management should balance these pressures with appropriate messaging and incentives/rewards to attempt to prevent corruption from occurring.
View the chart here for a summary of the changes from the original version and the related principles within each component.