The Committee of Sponsoring Organizations of the Treadway Commission (COSO) initially published its Internal Control — Integrated Framework (the “framework” or the “original framework”) in 1992. Since then, it has become one of the most widely accepted internal control frameworks around the world. On December 19, 2011, COSO issued an exposure draft (ED) that proposes enhancements to the framework. COSO’s primary objective in updating and enhancing the framework is to address the significant changes to business and operating environments that have taken place over the past 20 years.
This Heads Up provides (1) an overview of the ED’s enhancements, (2) information regarding feedback received and expected timing of issuance, (3) an update regarding the development of COSO guidance on internal control over external financial reporting (ICEFR), and (4) considerations for preparers of financial statements before and after release of the updated framework.
Overview of the ED
The following aspects of the framework have not changed since its original issuance in 1992:
- Definition of internal control. The framework defines internal control as
“[a] process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiencies of operations; reliability of reporting; compliance with applicable laws and regulations.”
- Five components of internal control:
- Control environment.
- Risk assessment.
- Control activities.
- Information and communication.
- Monitoring activities.
- Use of judgment in evaluating the effectiveness of systems of internal control.
The following are some of the more significant enhancements that the ED proposes making to the framework:
- Establishment of “principles” for each component of internal control. See Appendix A of this Heads Up for a comparison of the ED’s principles with related sections and concepts in the original framework.
- A more formal structure for the design and evaluation of the effectiveness of internal control (i.e., considering whether each of the principles is present and functioning on the basis of the guidance provided for each principle).
- Added and refreshed guidance within each of the components of internal control to reflect the significant changes to business and operating environments since the original framework was released. For example:
- Added discussion regarding third-party service providers.
- Reflection on the evolution and increased relevance of technology.
For a more detailed summary of the changes, see Appendix B of the ED and Appendix B of this Heads Up. In addition, see Deloitte’s February 6, 2012, Heads Up for a high-level summary of the ED.
Feedback Provided to COSO and Expected Timeline for Issuance
COSO received over 90 comment letters on the ED and over 100 responses to its online survey on the ED.
COSO is currently evaluating and considering all comments and is incorporating changes to the ED. On the basis of the feedback it has received, COSO has revised its expected timing for the release of a final version of the updated and enhanced framework from the fourth quarter of 2012 to the first quarter of 2013.
The various respondents to the ED included, but were not limited to, companies, academics, government agencies, not-for-profit organizations, and members of the accounting profession. COSO has stated that the ED and related public comments will remain available at www.ic.coso.org until the final framework is issued.
Internal Control Over External Financial Reporting — Supplementary Guidance
COSO does not expect the revised framework to change the design and assessment of the effectiveness of internal control over financial reporting. However, to help users apply the enhanced framework, COSO is continuing to work on separate guidance that will include approaches and examples illustrating how the principles in the ED can be applied to designing, implementing, and maintaining ICEFR, since COSO acknowledges that one of the more common applications of the framework is to ICEFR (e.g., in the context of meeting the requirements of Section 404 of the Sarbanes-Oxley Act). COSO expects to release an ED on the approaches and examples developed in relation to ICEFR for public comment in the early fall of 2012. All interested parties are encouraged to comment on the ICEFR draft when it is published.
Considerations Before and After Final Release of Updated Framework
Deloitte encourages all financial statement stakeholders, particularly those that are currently required to report externally on the effectiveness of an entity’s internal control over financial reporting, to monitor the activities related to the COSO update project and to consider the potential implications of the ED. Activities and considerations — both before and after the release of the final framework — may include:
Before Release
- Read the COSO ED and consider the differences between the original framework and the ED.
- Review the principles introduced in the ED.
- Consider the enhanced guidance in relation to the company’s internal control over financial reporting and whether to address any enhancements before the final framework is published.
-
|
Editor’s Note: Although the final updated COSO framework is expected to be published in the first quarter of 2013, entities may consider the enhancements to the guidance before the finalization of the updated COSO framework.
|
- Educate others within the organization regarding COSO’s update project, including the following groups:
- Audit committee.
- Executive management.
- Annual 404(a) process owner.
- Internal audit.
After Release
- Read the final updated framework and identify new concepts and changes that may be relevant.
- Determine the impacts of the final framework on the entity’s design and evaluation of internal control over financial reporting.
- Identify the steps, if any, that need to be performed to transition to the updated framework.
- Assess the training and education needs with respect to the new guidance.
- Coordinate and communicate internally with all groups that are responsible for implementing, monitoring, and reporting on the organization’s internal control.
- Discuss and coordinate activities with internal audit (if applicable) and the external auditor.
Appendix A — Comparison of the ED’s Principles With Related Sections in the Original Framework
The table below maps the principles in the ED to the topical sections in the original framework. This table demonstrates that, for the most part, the concepts represented by the principles in the ED are also present in the original framework. However, the guidance that underpins the principles has been enhanced and expanded (see Appendix B below).
|
Related Sections in the Original Framework
|
|
ED Principles
|
Chapter
|
Section
|
|
Control Environment
|
|
1. The organization demonstrates a commitment to integrity and ethical values.
|
Control Environment
|
- Integrity and Ethical Values.
- Human Resource Policies and Procedures.
|
|
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
|
Control Environment
|
- Board of Directors or Audit Committee.
|
|
Roles and Responsibilities
|
- Management, Board of Directors.
|
|
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
|
Control Environment
|
- Management’s Philosophy and Operating Style.
- Organizational Structure.
- Assignment of Authority and Responsibility.
|
|
Roles and Responsibilities
|
- Management, Board of Directors, Internal Auditors, Other Entity Personnel.
|
|
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
|
Control Environment
|
- Commitment to Competence.
- Human Resource Policies and Practices.
|
|
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
|
Control Environment
|
- Integrity and Ethical Values.
- Human Resource Policies and Practices.
|
|
Roles and Responsibilities
|
- Management, Board of Directors, Internal Auditors, Other Entity Personnel.
|
|
Risk Assessment
|
|
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
|
Risk Assessment
|
- Categories of Objectives.
- Overlap of Objectives.
- Linkage.
- Achievement of Objectives.
|
|
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
|
Risk Assessment
|
- Risk Identification.
- Risk Analysis.
|
|
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
|
Addendum to “Reporting to External Parties”
|
|
|
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
|
Risk Assessment
|
- Circumstances Demanding Special Attention.
- Mechanisms.
- Forward-Looking.
|
|
Control Activities
|
|
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
|
Control Activities
|
- Types of Control Activities.
- Integration With Risk Assessment.
- Entity Specific.
|
|
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
|
Control Activities
|
- Controls Over Information Systems — General Controls, Application Controls, Relationship Between General and Application Controls, Evolving Issues.
|
|
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
|
Control Activities
|
- Types of Control Activities — Policies and Procedures.
|
|
Information and Communication
|
|
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
|
Information and Communication
|
- Strategic and Integrated Systems.
- Information Quality.
|
|
14. The organization internally communicates information, including objectives and responsibilities for internal control necessary to support the functioning of other components of internal control.
|
Information and Communication
|
- Communication — Internal.
- Means of Communication.
|
|
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
|
Information and Communication
|
- Communication — External.
- Means of Communication.
|
|
Monitoring Activities
|
|
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal controls are present and functioning.
|
Monitoring
|
- Ongoing Monitoring Activities.
- Separate Evaluations — Scope and Frequency, Who Evaluates, The Evaluation Process, Methodology, Documentation, Action Plan.
|
|
17. The organization evaluates and communicates internal control deficiencies in a timely matter to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
|
Monitoring
|
- Reporting Deficiencies — Sources of Information, What Should Be Reported, To Whom to Report, Reporting Directives.
|
Appendix B — Summary of Enhanced and Expanded Concepts in the ED by Component
The table below presents what we believe to be some of the important enhanced and expanded concepts in the ED. COSO presents its summary of key changes in Appendix B of the ED.
|
ED Chapter
|
High-Level Summary of Enhanced and Expanded Concepts in the ED
|
|
Control Environment
|
- Expanded guidance on:
- What creates and encompasses the control environment.
- Accountability for internal control.
- Integrity as a prerequisite to internal control and ethical behavior.
- Governance concepts, including oversight by the board of directors, independence considerations, and relevant skills and expertise.
- Evaluating adherence to standards of conduct.
- Differences in culture and potential impacts on control environment.
- Planning and preparing for succession.
|
|
Risk Assessment
|
- Specifically defines “risk.”
- Includes the concepts of inherent risk and assessing fraud risk.
- Clarifies that the risk assessment process includes risk identification, risk analysis, and risk response.
- Expands the discussion regarding risk tolerance and how risk may be managed, including through accepting, avoiding, and sharing risks.
- Discusses consideration of the rate of change (including with respect to the entity’s business, operations, and technology) in the determination of the frequency of a company’s risk assessment process.
- Separates the “financial reporting” objective into four categories: (1) external financial reporting, (2) external nonfinancial reporting, (3) internal financial reporting, and (4) internal nonfinancial reporting.
- Adds discussion regarding possible corruption occurring within the entity.
|
|
Control Activities
|
- Modified description of control activities as business process control activities and transaction control activities.
- Expanded discussion regarding:
- Relationship of control activities and risk assessment.
- Control activities at different levels of an organization.
- Preventive controls versus detective controls.
- Technology and related concepts, including technology infrastructure, security, acquisition and development, and the relationship between automated control activities and general controls over technology.
|
|
Information and Communications
|
- Additional guidance regarding:
- How information and communication support the functioning of the other components of internal control.
- Communication between the organization and external parties.
- Importance of direct communication between personnel and the board of directors.
- Reevaluating information needs.
- Considering security and restricted access to information as well as the costs and benefits of obtaining and managing information.
- Expanded discussion on obtaining and identifying relevant information, evaluating the quality of information, verifying sources of information, and retaining information.
|
|
Monitoring Activities
|
- Evaluating the achievement of all the principles in the ED as part of the assessment of internal control.
- Discussion regarding the distinction between control activities and monitoring activities.
- Inclusion of the concepts of:
- Using a baseline of understanding of internal control (in establishing plans for ongoing and separate evaluations).
- Using IT in the context of monitoring.
- Using monitoring to identify gaps, anomalies, root causes, and opportunities for improvement.
- Additional considerations regarding monitoring at different levels of an organization and monitoring of third-party service providers.
|
____________________
1 The discussion in the addendum to “Reporting to External Parties” includes only a discussion regarding safeguarding of assets. Assessing the risk of fraud is not directly addressed in the original framework.
