Setting a Higher Threshold for Internal Control System Maintenance
Proposed update to COSO framework addresses the changing business environment.
January 9, 2012
Since 1992, Internal Control — Integrated Framework (IC-IF) has provided valuable guidance for companies when developing and assessing internal control systems. In fact, it became the most widely used internal control framework in the world. But with advances in technology and business operations, the time was right for the framework to be updated so it could remain relevant and useful.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which released the original document, has now issued an exposure draft for public comments through March 31. The proposed updated framework was revised in light of changing complexity and conditions to make it easier for companies to design and assess their internal control and, ultimately, gather reliable information for sound decision making and achieve their objectives. Companies using the proposed updatedframework should be better equipped to improve their agility, confidence and clarity. However, companies that currently have effective internal control systems will not experience additional responsibilities under the clarified framework.
Built on Existing Strengths
COSO, which provides thought leadership and guidance on internal control, enterprise risk management and fraud deterrence, was built on the strengths of the original document which was first released in 1992. It added timely revisions to address the impact of significant subsequent developments and included insights and perspectives from a broad range of professionals in industry, as well as representatives and observers from academia, government agencies and not-for-profit organizations.
While the revisions represent worthwhile enhancements to the guidance, companies and their auditors should be aware of what the proposal will not change. The definition of internal control and the objectives of the framework, for example, remain the same. Internal control is still defined as a process intended to offer reasonable assurance of meeting three objectives:
The new proposal also retains the five components of a system of internal control:
The proposed updated framework is not expected to impose a higher threshold for internal control system maintenance or design. It will, however, serve as a valuable internal control resource for all organizations addressing internal control concerns.
Making Useful Updates
The proposal continues to stress the importance of management judgment in the design, application and assessment of the effectiveness of an internal control system. Changes to the document are intended to clarify concepts and make the guidance easier to understand and implement. One significant enhancement is the codification of internal control concepts introduced in the original frameworkinto 17 principles and supporting attributes that companies can use in managing risk and improving performance in an increasingly complex and fast-moving environment.
Additional enhancements help companies address:
With its principles-based approach, the proposed framework allows users to apply judgment in maintaining and improving internal control. It should offer managements and boards of directors the flexibility to expand the core framework’s use beyond financial reporting. It offers separate guidance on external reporting, addressing internal control over information not included in published financial statements. It should also allow users to apply internal control to a wide range of entities in different industries and at various organizational levels. Companies using the framework should be in a better position to spot and analyze risks and create workable approaches to them.
Details on Comments and Related Resources
The proposal is composed of three volumes:
The updated framework is a significant enhancement to an important resource. Preparers and auditors should familiarize themselves with the proposal and offer COSO any comments they may have. In a rapidly changing environment, it’s beneficial to receive timely insights into necessary adjustments to or new perspectives on the internal control process. Comments on the exposure draft are due March 31. Download the document and provide comments through ic.coso.org. Release of the final frameworkis expected in fall of 2012.
The AICPA is providing a number of resources to help CPAs understand the proposed update, including a free webinar for Institute members on January 31. The webcast is co-hosted with The Institute of Internal Auditors. Visit aicpa.org/COSO for additional information and tools on the updated framework.
Chuck Landes, CPA, is AICPA vice president — Accounting and Assurance Group, which is responsible for the technical activities of the Auditing Standards Board (ASB), the Accounting and Review Services Committee (ARSC), the Financial Reporting Executive Committee (FinREC) and the Assurance Service Executive Committee (ASEC). The group is also responsible for the AICPA’s Hotline team and providing technical A&A guidance and support to members. He is the AICPA’s representative to COSO.