COSO 2013: A Reflection of the Times
The long-awaited Internal Control–Integrated Framework update aims to help organizations better design and implement controls, with an eye toward today’s business challenges.
It’s been more than 20 years since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) began developing its landmark Internal Control–Integrated Framework. Back then, many of the developments in business and technology we take for granted today had not yet been realized. Companies were just starting to connect through electronic data interchange, smartphones did not exist, the global financial crisis was still many years away, and China had not yet committed to a modified market economy. Moreover, internal control evaluation at that time was relatively unsophisticated: Large public accounting firms maintained lists of controls for their auditors to check off, internal auditors struggled to address evolving client-server networks, and many of today’s financial reporting regulations had yet to be written. Against this backdrop, COSO developed a conceptually sound control framework that has stood the test of time.
The COSO board more recently found that some refreshing of fundamental internal control principles could make the framework even more user-friendly and applicable to today’s ever-changing environment. It undertook a two-year revision process that resulted in COSO’s 2013 Internal Control–Integrated Framework, released in May. The revised framework not only provides more guidance for implementation, but if implemented correctly it will help establish more effective internal controls at lower costs to the organization.
The updated COSO framework lists 17 principles across its five components of internal control, building on the concepts provided in the framework’s original version. Although control principles were implied in the 1992 framework, they weren’t specifically cited until the current release. The principles help codify COSO’s core parameters and provide clarity on what constitutes effective control.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals
5. The organization holds individuals accountable for their internal control responsibilities in pursuit
Risk Assessment
6. Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. Identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. Considers the potential for fraud in assessing risks to the achievement of objectives.
9. Identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. Selects and develops general control activities over technology to support the achievement of objectives.
12. Deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
14. Internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. Communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. Evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
RATIONALE FOR THE UPDATE
Multiple considerations prompted the COSO board to revisit its 1992 framework. For example, numerous major organizations have failed during the last 20 years because of ineffective risk management and related internal controls. Moreover, more countries than ever — including China, Japan, and many European nations — now require public reporting on internal control over financial reporting for large, publicly listed companies.
Other factors influenced the board’s decision, including:
With these considerations in mind, COSO first sought feedback from its various global constituencies on whether the framework should be changed, and if so, what changes should be made. COSO then assembled an experienced research team and a diverse advisory group that included representatives from its primary stakeholder organizations, such as The IIA, as well as major regulators and others who might be affected by changes to the framework. The group conducted a study to examine the 1992 framework and concluded that it remained conceptually sound. But it also found that, by updating some of COSO’s fundamental principles, it could make the framework even more user-friendly and applicable to today’s organizations. Working with the advisory group and drawing on input from public constituents, the board then created the 2013 revision.
KEY FRAMEWORK CHANGES
Because the original framework was deemed conceptually solid, a quick review of the revision might lead to the impression that little has been changed. But there are, in fact, numerous key differences between the old and new versions.
ELEMENTS OF CONTROL
Similar to its predecessor, COSO 2013 emphasizes three crucial elements related to control effectiveness: Internal control is an integrated concept that encompasses COSO’s five framework components (the control environment, risk assessment, control activities, information and communication, and monitoring); judgment on the presence and functioning of internal control is required, as is judgment on all 17 principles as they relate to the five components; and evaluation and testing of internal control starts with objectives and risks, not with controls.
As an example of internal control’s integrative nature, suppose one of the objectives of a global organization is to achieve compliance with the U.S. Foreign Corrupt Practices Act (FCPA). The process of achieving that objective can be examined along COSO’s five components of internal control.
All five components are important and necessary to achieving the FCPA objective. For example, the control activities would not be sufficient if the company did not articulate and communicate policies, monitor activities, and require meaningful reports. Overall control effectiveness is dependent on the components working together as a whole.
The need for judgment when assessing control effectiveness is emphasized throughout the document. As an example, Principle No. 4, which pertains to the framework’s control environment component, states that an organization needs to demonstrate “a commitment to attract, develop, and retain competent individuals.” Judgment would be required to determine whether the process of attracting and developing a high-quality staff is effective and has led to the employment of competent individuals throughout the organization. The need for such judgment heretofore has been implicit — now, it is required. The framework’s points of focus provide additional guidance to help address the issue of judgment as it relates to each of the framework’s 17 principles.
Control Testing and Evaluation
One central element of COSO’s updated framework is its continued emphasis on the linkage among objectives, risk, and control. Organizations seek to accomplish objectives, and those objectives need to be articulated. There are risks to achieving the objectives, whether they relate to operations, compliance, or reporting, and those risks need to be identified. The key is to link controls to risks and objectives: The only reason that controls exist is to mitigate risks and thereby increase the probability that the organization will accomplish its objectives. Control, therefore, is subservient to risk and to the objectives it helps achieve.
Organizations that conduct a thorough analysis of controls starting with objectives and risk considerations often find that many duplicative controls exist, the organization relies only on a few key controls, and not all significant risks are covered by existing controls. The approach can represent a significant change in the way controls are evaluated and tested, and it can be especially beneficial to companies that are required to report publicly on the effectiveness of internal control over financial reporting.
Consider, for example, U.S. Sarbanes-Oxley Act of 2002 compliance requirements related to financial reporting controls. Organizations complying with the act have identified important controls and most likely have added controls over time. However, they may not have reassessed the number of controls tested, resulting in some unnecessary testing activity. Some organizations that have taken risk-centric approaches to internal control, rather than control-centric approaches, have cut their control testing in half without jeopardizing the assurance management needs to assess internal controls. Many are using the reassessment to consider whether or not audit and control efficiencies can be gained through automation of controls and a commitment to ongoing control monitoring.
STRATEGIC LEADERSHIP FOR INTERNAL AUDIT
Internal auditors are often viewed as the control experts in organizations. The updated COSO framework provides a springboard to take that leadership a step further.
A growing body of research finds that organizations with better internal controls perform better, reduce uncertainty about earnings, and enjoy higher stock prices. Internal auditing should provide leadership in implementing the principles in the updated framework by:
An implicit theme runs throughout the revised framework: Organizations need internal audit leadership to leverage COSO 2013’s significant advantages. Internal audit should take a leadership role, whether in training, independent assessments, or consultative activities, to help ensure organizations receive optimal value from the framework. Internal audit participation is key to successful application of COSO 2013 and to helping all areas across the enterprise realize its many benefits.
Larry E. Rittenberg, PhD, CIA, is emeritus professor at the University of Wisconsin in Madison, former chairman of the COSO Board of Directors, and author of COSO Internal Control–Integrated Framework: Turning Principles Into Positive Action.