June 10, 2013
Volume 20, Issue 17

by Jennifer Burns and Brent Simer, Deloitte LLP

On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹ released an updated version of its Internal Control — Integrated Framework (the “2013 Framework”). In addition, COSO released two illustrative documents, Illustrative Tools for Assessing Effectiveness of a System of Internal Control (the “Illustrative Tools”) and Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples (the “ICEFR Compendium”), as well as an executive summary of the 2013 Framework.

Originally issued in 1992, COSO’s Internal Control — Integrated Framework (the “1992 Framework”) became one of the most widely accepted internal control frameworks in the world. COSO’s primary objective in updating and enhancing the framework is to address the significant changes to business and operating environments that have taken place over the past 20 years.

The 2013 Framework and Illustrative Tools can be purchased from the AICPA Store. An executive summary of the 2013 Framework is available for free on COSO’s Web site.

This Heads Up provides an overview of the enhancements in the 2013 Framework, a discussion of considerations for entities that use the 1992 Framework in complying with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), and information about making the transition from the 1992 Framework to the 2013 Framework, including impacts on other COSO-related documents. In addition, the appendixes to this Heads Up compare the 2013 Framework with the 1992 Framework as well as highlight some of the expanded concepts in the 2013 Framework. For additional information about the frameworks, see Deloitte’s February 6, 2012, and August 7, 2012, Heads Up newsletters.

Enhancements in the 2013 Framework

The 2013 Framework creates a more formal structure for designing and evaluating the effectiveness of internal control by:

1. Using principles to describe the components of internal control — The 2013 Framework contains 17 principles that explain the concepts associated with the five components of the COSO Framework (control environment, risk assessment, control activities, information and communication, and monitoring activities). In developing the 17 principles, COSO focused on concepts from the 1992 Framework; considered the principles that were developed and articulated in COSO’s 2006 Internal Control Over Financial Reporting — Guidance for Smaller Public Companies (“Small Business Guidance”); and considered the significant changes in business, operating environments, and governance since 1992. COSO intends the principles to help companies design effective systems of internal control and evaluate whether those systems are functioning effectively. The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities. Consequently, if a principle is not present and functioning, the associated component is not present and functioning. In rare circumstances, because of industry, regulatory, or operating matters, management may determine that a principle is not relevant to a component.

   To further describe the principles, the 2013 Framework uses points of focus, which typically are important characteristics of the principles. While the points of focus may help management design, implement, and evaluate internal control and assess whether relevant principles are present and functioning, they are not required for assessing the effectiveness of internal control. Management may determine that some of the points of focus are not suitable or relevant and may identify and consider others.

2. Creating a more formal way of designing and evaluating internal control in accordance with the principles. See discussion below under “Effective Systems of Internal Control.”

While fundamental concepts in the 2013 Framework are similar to those in the 1992 Framework, the 2013 Framework adds or expands discussions about each component and principle, including enhancements such as the detailed points of focus. For example, although the concept of identifying and responding to risks was present in the 1992 Framework, the 2013 Framework includes more detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities.

In addition, unlike the 1992 Framework, the 2013 Framework explicitly includes the concept of considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives (see Principle 8). The 2013 Framework explains that “[a]s part of the risk assessment process, the organization should identify the various ways that fraudulent [financial] reporting can occur, considering:

• Management bias, for instance in selecting accounting principles
• Degree of estimates and judgments in external reporting
• Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
• Geographic regions where the entity does business
• Incentives that may motivate fraudulent behavior
• Nature of technology and management’s ability to manipulate information
• Unusual or complex transactions subject to significant management influence
• Vulnerability to management override and potential schemes to circumvent existing control activities”

Principle 8 also discusses considerations relating to management override, safeguarding of assets, incentives and pressures, opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify inappropriate actions. (See additional discussion of Principle 8 in Appendix A.)

Further, COSO has added considerations throughout the 2013 Framework regarding:

• Use of outsourced service providers (see Appendix B).
• Increased relevance of information technology (see Appendix C).

The table below summarizes the principles by component. Appendix A maps the principles to the topical sections in the 1992 Framework (as applicable) and summarizes, at a high level, some of the enhanced concepts in the 2013 Framework.

Control Components and Principles

Effective Systems of Internal Control

In an effective system of internal control under the 2013 Framework:

1. Each of the five components and relevant principles are required to be present and functioning. Under the 2013 Framework:

• Present is defined as “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.”
• Functioning is defined as “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.”

1. The five components are required to operate together in an integrated manner. The 2013 Framework explains that:

• Operating together refers to “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.”
• Management can demonstrate that components operate together when:
  • The “components are present and functioning.”
  • “Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist.”

The 2013 Framework uses the terms “internal control deficiency” and “major deficiency” to describe degrees of severity of internal control deficiencies. Under the 2013 Framework, an internal control deficiency refers to a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives,” and a major deficiency refers to an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.” Further, the 2013 Framework explains that a major deficiency exists when “a component and one or more relevant principles are not present or functioning” or when “components are not operating together.” In addition, if a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.

Importantly, the 2013 Framework recognizes that in evaluating deficiencies in internal control, regulators, standard setters, and other parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. To comply with internal control reporting requirements under SOX, management would continue to use the SEC’s significant deficiency and material weakness terminology, and auditors would continue to use the same terminology under the PCAOB’s standards. Accordingly, when a company is evaluating the design and operating effectiveness of its internal control over external financial reporting (ICEFR) (i.e., whether the principles are present and functioning) and identifies a deficiency, the company would be required to use the SEC’s definitions and guidance to assess the severity of the deficiency, and the auditor would be required to use the definitions and guidance under PCAOB standards.

COSO Transition Guidance and Impact on Other COSO Documents

During the public comment process on the exposure draft of the 2013 Framework, various stakeholders requested that COSO provide a specific date for the transition from the 1992 Framework to the 2013 Framework to be completed. On the basis of this feedback, COSO has provided some transition specifics and is encouraging users to “transition their applications and related documentation to the updated Framework as soon as is feasible under their particular circumstances.” COSO has also stated that it “will continue to make available its original Framework during the transition period extending to December 15, 2014, after which time COSO will consider it as superseded.” In addition, SEC Chief Accountant Paul Beswick has stated that the “SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future.” He further stated that at this time, he “simply refer[s] users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.”

During the transition period (May 14, 2013, through December 15, 2014), COSO suggests that any “application of its Internal Control — Integrated Framework that involves external reporting should clearly disclose whether the original or 2013 version was utilized.” As a result, when companies provide their annual assessment of ICEFR in accordance with SOX, it would be appropriate to indicate the exact COSO framework they used in performing the assessment.

COSO’s Small Business Guidance will be superseded by the ICEFR Compendium after December 15, 2014.

COSO’s Enterprise Risk Management — Integrated Framework (the “ERM Framework”) has not been superseded by the 2013 Framework. While the ERM Framework and the 2013 Framework are intended to have different focuses, the two frameworks are designed to complement one another. COSO believes that even though the ERM Framework includes portions of the text from the 1992 Framework, the ERM Framework continues to be suitable for designing, implementing, conducting, and assessing enterprise risk management.

COSO’s Guidance on Monitoring Internal Control Systems, which was written to help organizations understand and apply monitoring activities in a system of internal control, also continues to remain relevant (i.e., it has not been superseded by the 2013 Framework). Appendix F of the 2013 Framework states that the “changes to the principles in the Framework will not substantially alter the approaches developed for COSO’s Guidance on Monitoring Internal Control Systems.”

Internal Control Over External Financial Reporting

The impact of the 2013 Framework on management’s assessment of the effectiveness of ICEFR (i.e., to comply with SOX Section 404) will depend on how a company applied and interpreted the concepts in the 1992 Framework. For example, an existing system of internal control may not clearly demonstrate or document that all the relevant principles are present and functioning.

COSO developed the ICEFR Compendium to help companies apply the 2013 Framework. The approaches discussed in the document describe how organizations may apply the principles in their system of ICEFR, and its examples illustrate the application of each principle.

Companies that use COSO to report on ICEFR may wish to consider:

1. Reading the 2013 Framework and identifying new concepts and changes.
2. Assessing their training and education needs.
3. Determining how the 2013 Framework affects the design and evaluation of ICEFR by:
1. Assessing coverage of the principles by existing processes and related controls and considering the points of focus.
2. Assessing current processes, activities, and available documentation related to applying the principles.
3. Identifying any gaps in the above.
4. Identifying the steps, if any, to be performed in making the transition to the 2013 Framework, and:
1. Formulating a plan to complete the transition by December 15, 2014 (i.e., calendar-year-end companies complying with SOX Section 404 should make the transition to the 2013 Framework for reporting periods ending after December 15, 2014).
2. Considering using activities performed in 2013 (e.g., walkthroughs, testing of relevant controls, evaluation of deficiencies) to identify necessary changes and pilot or field test the application of the 2013 Framework.
3. Confirming proper disclosure of the framework used during the transition period and at the time the 2013 Framework is adopted.
5. Coordinating and communicating internally with all groups that are responsible for implementing, monitoring, and reporting on the organization’s ICEFR.
6. Discussing and coordinating activities with internal audit (if applicable) and the external auditor.

Illustrative Tools

COSO’s Illustrative Tools provides examples of how a company may apply the 2013 Framework in assessing the effectiveness of its system of internal control. The document provides illustrative templates and includes scenarios with examples of how to complete various templates. However, the Illustrative Tools are not intended to:

• Satisfy any regulatory requirements for evaluating internal control deficiencies.
• Illustrate management’s selection of controls to effect principles or address identified risks.
• Illustrate decisions about the nature, timing, or extent of testing of controls to ensure an effective system of internal control.

Appendix A — Comparison of Principles in the 2013 Framework With Related Sections in the 1992 Framework, and Summary of Enhanced Concepts in 2013 Framework

The table below maps the principles in the 2013 Framework to the topical sections in the 1992 Framework. The table demonstrates that, for the most part, the concepts represented in the principles in the 2013 Framework are similar to those in the 1992 Framework. However, the guidance that underpins the principles has been expanded, as indicated in the far right column, which summarizes at a high level some of the enhanced concepts in the 2013 Framework.

 

Appendix B — Summary of Concepts and Discussion in the 2013 Framework Related to the Use of Outsourced Service Providers

The 2013 Framework adds or expands discussions about each component and principle by including enhancements such as the detailed points of focus. One of the significant additions to the 2013 Framework is the incorporation of considerations related to OSPs. The table below presents a summary of the 2013 Framework’s concepts and discussions related to the use of OSPs. Users of the 2013 Framework should consider how these changes apply to their arrangements with OSPs.

Appendix C — Summary of Concepts and Discussion in the 2013 Framework Related to Information Technology

The 2013 Framework adds or expands discussions about each component and principle by including enhancements such as the detailed points of focus. In addition, the 2013 Framework reflects the significant changes in business and operating environments, including changes in information technology (IT), that have taken place since the 1992 Framework was written. One of the significant additions to the 2013 Framework is the expanded discussion of IT reflecting its increased relevance to organizations
and their systems of internal control. The table below provides a summary of the 2013 Framework’s concepts and discussions
related to IT.

1 COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership by developing frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The five private-sector organizations are the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.

2 Securities Act Release No. 33-8238, File Nos. S7-40-02 and S7-06-03 (August 14, 2003).

3 PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements.

4 The addendum to “Reporting to External Parties” includes only a discussion of safeguarding of assets. Assessing the risk of fraud is not directly addressed in the 1992 Framework.

Download