November 04, 2014
Article by Robert Miller, Assurance Services Partner, "The New COSO Framework: What Changed and How It Affects Your Financial Statement Audit," Featured in HFMA Blog
A change is coming in how healthcare organizations and their auditors approach and evaluate internal controls.
In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its update to the integrated framework for internal controls, its first update since the framework was originally issued in 1992. Although the original framework remains the foundation for evaluating internal controls, the 2013 update—which must be implemented by Dec. 15, 2014—adds key principles that will affect how companies and their auditors apply COSO’s integrated framework.
Most companies and their auditors who have been using the 1992 framework will be familiar with the “COSO Cube,” which illustrates the three key dimensions of the COSO model:
- The three broad objectives organizations generally have, relating to operations, reporting, and compliance
- The five components of internal control necessary to meet each of those objectives (i.e., control environment, risk assessment, control activities, information and communication, and monitoring)
- The relevance of the broad objectives and the five internal control components at all levels of an organization (entity level, division, operating unit, or function)
The 2013 framework maintains this model, brings changes in several areas, and, most important, builds on the framework by adding 17 key principles, which are spread across the five internal control components. The principles are outlined in a June 2013 COSO document, "The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition," by J. Stephen McNally.