I have just submitted my comments. The detailed letter can be downloaded from here.
This is the first part of the letter. I welcome your comments and encourage you to submit your own to COSO at www.coso.org.
I want to extend my thanks and appreciation for the changes that COSO has made to the first draft. There was a clear desire to listen and understand the constructive comments that were received, especially those around risk management and the potential for individuals to treat the 17 Principles as a checklist.
The latest draft has some excellent content. It is rich with language that explains the various components, and the Principles reflect good practice for organizations to adopt.
While I still have reservations and believe changes are required before the Framework is published, most are fine tuning and clarification.
As I will discuss later, and have written about in my blogs (see references below), the more significant areas that I believe merit attention are these:
- What is the purpose of the Framework?
- How to assess whether the system of internal control is effective.
- The relationships between components.
- Use of the Framework in connection with an evaluation of internal control over external financial reporting (I.e., for Sarbanes-Oxley compliance purposes).
- The relationship between the Internal Control Framework and Enterprise Risk Management Frameworks and Standards.
- The need for globalization of the Framework.