The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control–Integrated Framework (Framework) and related illustrative documents on May 14, 2013. On December 15, 2014, the Framework will officially replace the original Internal Control – Integrated Framework (the original framework), which dates back to 1992. The original framework has been used by companies, non-profit organizations, governments, and regulators, becoming the global standard used to design, implement, and assess the effectiveness of a system of internal controls.
Why Introduce a New Framework?
The decision to release the Framework was focused on providing updates to the original framework to account for changes in business that have occurred over the last twenty years. The Framework does not alter the five components of internal control – (1) Control Environment, (2) Risk Assessment, (3) Control Activities, (4) Information and Communication, and (5) Monitoring Activities; rather, the Framework enhances the components of internal control by considering the following changes to the business environment:
- Expectations for governance oversight
- Globalization of markets and operations
- Increased business complexity
- Use of and reliance on new technologies
- Expectations in preventing and detecting fraud
Key Modifications to the Framework
When comparing the Framework to the original framework, there are three significant changes to note:
- The five components of internal control have been formalized through the addition of 17 principles. The principles outline the fundamental groundwork for achieving each component of internal control. While the principles formalize the framework, the principles avoid a rules-based approach, allowing a company to maintain flexibility and use of judgment when applying the framework.
- The definition of control deficiencies has been modified. Under the original framework, a control deficiency was categorized as a control deficiency, significant deficiency, or material weakness. The new Framework only uses two categories to classify control deficiencies – internal control deficiencies and major deficiency, where a major deficiency severely reduces the likelihood of an organization achieving its objectives. The updated deficiency classification aligns equally with all three objectives of the COSO Framework – Operations, Reporting, and Compliance, whereas the original framework's classifications favored the Reporting objective. While the Framework modifies the categories of control deficiencies, the Framework does recognize certain regulators and standard setters provide specific criteria for defining the severity of a deficiency.
- The Framework provides illustrative guidance through Points of Focus. When adopting the new Framework COSO has developed a compendium of approaches and illustrative documents to highlight how organizations are applying the 17 principles in achieving Operations, Reporting, and Compliance objectives. The Points of Focus do not specifically outline how the principles are to be applied in practice, as the purpose is to provide practical examples while maintain a principles based framework.
Adopting the New Framework
Organizations will have until December 15, 2014 to adopt to the Framework. At that date, the original framework will be considered superseded by COSO. However, the adoption and consideration of the Framework should begin now. When adopting the Framework organizations should review the 17 new principles and consider the adherence to each principle across all three COSO objectives – Operations, Reporting, and Compliance. If there are any shortfalls in achieving the objectives, organizations should develop a timeline with three key milestones: updating the design of the internal control system, implementing the new controls, and assessing the adherence to the new controls.
During the transitional period (May 14, 2013 through December 15, 2014), we recognize organizations may be required to report on their adherence to the original COSO framework. Based on COSO's recommendation, organizations reporting on adherence to the framework should cite the original framework as the "Internal Control – Integrated Framework (1992)" and the new Framework as the "Internal Control – Integrated Framework (2013)."
To view the Executive Summary of the new COSO Framework click here.
Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.
All Risk Services News