Comments on the Updated COSO Internal Controls Draft

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I have just submitted my comments. The detailed letter can be downloaded from here.

This is the first part of the letter. I welcome your comments and encourage you to submit your own to COSO at



I want to extend my thanks and appreciation for the changes that COSO has made to the first draft. There was a clear desire to listen and understand the constructive comments that were received, especially those around risk management and the potential for individuals to treat the 17 Principles as a checklist.

The latest draft has some excellent content. It is rich with language that explains the various components, and the Principles reflect good practice for organizations to adopt.

While I still have reservations and believe changes are required before the Framework is published, most are fine tuning and clarification.

As I will discuss later, and have written about in my blogs (see references below), the more significant areas that I believe merit attention are these:

  1. What is the purpose of the Framework?
  2. How to assess whether the system of internal control is effective.
  3. The relationships between components.
  4. Use of the Framework in connection with an evaluation of internal control over external financial reporting (I.e., for Sarbanes-Oxley compliance purposes).
  5. The relationship between the Internal Control Framework and Enterprise Risk Management Frameworks and Standards.
  6. The need for globalization of the Framework.


Posted on Nov 9, 2012 by Norman Marks

Share This Article:    

  1. The COSO framework is used as a reference framework accross the world and in fact it is globalized. We in developing countries use the framework to assess that internal control practices developed by an organization address the areas identified in the framework.

Leave a Reply