In Praise of the COSO 1992 Internal Controls Framework


I have been a fan of the COSO Internal Control–Integrated Framework since it first appeared in draft. It's not perfect, but there is a great deal for which we should commend the authors (a team from PricewaterhouseCoopers).

  1. At that time, there was no common understanding of what internal control was. The public accounting firms used the term exclusively for financial processes and reporting, although internal auditors used it far more broadly. While it is not perfect, the definition of internal control provided a basis for a common language, which found its way into accounting and auditing rules and regulations.
  2. There was also a common misconception that internal auditors "owned" internal controls. The COSO framework set this straight, making it abundantly clear that management and the board owned internal control.
  3. The definition of internal control relates to the achievement of objectives. This takes the discussion from the detail of accounts payable to how you run the organization.
  4. It also talked about "reasonable assurance." This is an incredibly important concept, that even when you have effective internal control systems, errors can occur. (This is still something many auditors fail to understand.)
  5. The framework has five components. The Control Environment is the foundation for effective internal control, shown as such in the COSO cube. Risk Assessment has to occur before you know what you need Control Activities for, and without Information and Communication, controls that rely on judgment and knowledge will founder. Monitoring, which is a more difficult concept, helps management and the board know that all the other components are working as desired.
  6. While few people have paid attention to the Control Environment other than the tone at the top aspect, I think the most important discussion in that component focuses on the people who perform the controls. You cannot expect to have effective controls, risk management, or operational performance without the right, skilled, and experienced people.

When the SEC recognized this framework for companies to use for SOX compliance, I was a little concerned. While the framework does a nice job of explaining what internal control is, it is less effective in helping assess internal control effectiveness. It was also not limited or focused exclusively on external financial reporting. However, if companies follow the COSO 1992 steps of identifying risks to financial reporting and then identifying controls to address them, then the framework can be considered useful.

Unfortunately, many ignored that Risk Assessment component and ended up with a set of controls (pre-AS5) that was not based on risks to the financial statements that exceeded acceptable levels, i.e., materiality.

So now COSO is updating the framework. As I wrote in another post, I encourage everybody to review it and provide comments.

I think we should consider these questions:

  1. Will the framework, if published as drafted, guide management to design effective and efficient internal controls that provide reasonable assurance that the risk to objectives (operational, strategic, financial, operational, and compliance) is at acceptable levels?
  2. Will it enable an assessment to be made of whether the system of internal control is effective: providing reasonable assurance that the risk to objectives (operational, strategic, financial, operational, and compliance) is at acceptable levels?
  3. Will it enable an assessment to be made of whether the system of internal control is efficient?

I have separately commented on the SOX-specific guidance, and the way in which the framework assesses internal control effectiveness.

Overall, the new draft adds value to the 1992 framework. However, I have reservations about how it says you should evaluate internal control effectiveness, and the absence of meaningful discussion of efficiency. I would also like to see more about the interrelationship of the components, such as I explained above.

What do you think? What do we need in the 2013 framework?

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


