COSO to Release Revised Internal Control Framework
Posted: May 12, 2013
On May 15, COSO (the Committee of Sponsoring Organizations) will release its long-awaited revision to its Internal Control Integrated Framework. It has been over 20 years since COSO released its 1992 Internal Control Integrated Framework model and a lot has changed over that time, but in a true testimonial to the great work that went into the 1992 Framework, that framework is still very relevant today.
The continued relevance of the 1992 Framework shows in the continued use of the five components of internal control initially outlined in that framework. One of the updates in the 2013 framework is to explicitly outline seventeen principles that make up the five components and generally need to be in place and appropriately functioning in order to have an effective system of internal control. The five components and related principles are outlined below:
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COSO will continue to support both the 1992 and 2013 Frameworks through December 15, 2014, after which time COSO will consider the 1992 framework to be superseded. Until then, you will need to disclose which version of the Framework you utilize in any external reporting use of the Framework. Given that many calendar-year public companies have already begun their annual SOX compliance processes, I suspect most companies will utilize the 1992 Framework for 2013 reporting and then transition to the 2013 Framework in 2014.
The effort involved in the transition depends on many factors, including how closely your current controls and documentation align with the 17 principles. While adoption may not happen until 2014, companies need to get started now on what will need to be done to transition to the new framework. If it will simply be a documentation exercise, then most of that work can be done in 2014. On the other hand, if additional controls need to be put into place, then those controls need to be in place prior to the beginning of 2014 or you may have trouble concluding that you had an effective internal control framework for all of 2014.