COSO's 2013 Internal Control – Integrated Framework 21 Years Later
By John Sellitto, Director, Assurance Services
The Committee of Sponsoring Organizations’ (“COSO”) was originally organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. The first chairman of the National Commission was James C. Treadway, Jr. Ths commission is commonly referred to as the “Treadway Commission”. The National Commission on Fraudulent Financial Reporting was sponsored jointly by five major professional associations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants (IMA)). In addition, the Commission included representatives from industry, public accounting, investment firms and the New York Stock Exchange. Initially COSO worked to develop recommendations for public companies and their independent auditors as well as for the SEC, other regulators and educational institutions. The Report of the National Commission on Fraudulent Financial Reporting issued in October of 1987 included certain recommendations which led to the original Internal Control – Integrated Framework issued by COSO in 1992.
The 1992 Internal Control – Integrated Framework (“Framework”) developed by COSO was widely accepted and is currently utilized by companies and organizations around the world to aid in the design, implementation, operation and evaluation of internal controls. The 1992 Framework has remained relevant for over 20 years primarily due to the flexibility in its design and application. Although the 1992 Framework has remained conceptually sound, updating of the Framework was undertaken by COSO to address the increasing complexity of today’s business environment. As described in the Foreword section of the COSO 2013 Executive Summary written by David L. Landsittel, COSO Chair;
The (1992) Framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects considerations of many changes in the business and operating environments over the past several decades, including:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexities of business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
While the 2013 Framework includes certain broad based changes, described in Appendix F of the Framework, the following items have remained consistent:
- The core definition of internal control
- Internal control is a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
- The five components of internal control
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
- The requirement for the five components to be present for an effective system of internal control
- The role of judgment necessary in designing, implementing, and conducting internal control as well as in assessing the effectiveness of internal control
In regard to what has changed, users of the 2013 Framework will quickly become familiar with the 17 principles articulated as fundamental concepts underlying the five components of internal control described above. Although these 17 principles were embedded in the original framework they have been specifically identified and described in the 2013 Framework as the guidance has evolved into a more principles-based approach.
The 17 principles specifically identified in the Framework are summarized as follows:
Control Environment – five principles
- Commitment to integrity and ethical values.
- The board of directors demonstrates independence and exercised oversight of internal controls.
- Establishment of structure, authority and responsibility
- Commitment to competence
- Enforcement of accountability
Risk Assessment – four principles
- Specify suitable objectives for the identification and assessment of related risks
- Identify and analyze risks
- Assess the potential for fraud
- Identify and analyze significant changes
Control Activities – three principles
- Selection and development of control activities.
- Selection and development of general controls over technology
- Deployment through policies and procedures
Information and Communication – three principles
- Utilize relevant, quality information
- Communication internally includes objectives and responsibilities for internal control.
- Communication externally regarding internal control matters
Monitoring Activities – two principles
- Conduct ongoing and/or separate evaluations
- Evaluate and communicate deficiencies
The Framework also includes points of focus that highlight important characteristics related to each of the 17 principles described above.These points of focus will be utilized by management in assessing whether principles relevant to their organization are present and functioning.
The upgraded 2013 Framework will officially supersede the original framework on December 15, 2014.Although COSO will continue to make the original framework available during the transition period, user organizations are encouraged to transition to the 2013 Framework as soon as is feasible.The updated Framework is presented in three publications; the Executive Summary, the Framework and Appendices and the Illustrative Tools for Assessing Effectiveness of a System of Internal Control. COSO has also published the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples related to the updated Framework. The Compendium, which applied to public, private and non-for profit entities, was developed to assist those users of the Framework who are responsible for designing, implementing and conducting a system of internal controls over external financial reporting. As stated in the Compendium, external financial reporting may include other reporting such as earnings releases, selected financial information posted to an entities website, and selected amounts reported in regulatory filings. External financial reporting objectives relating to such other financial information may not be driven directly by regulators and standard setters, but typically stakeholders expect them to align with such standards and regulations.