It’s been more than 20 years since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) began developing its landmark Internal Control–Integrated Framework. Back then, many of the developments in business and technology we take for granted today had not yet been realized. Companies were just starting to connect through electronic data interchange, smartphones did not exist, the global financial crisis was still many years away, and China had not yet committed to a modified market economy. Moreover, internal control evaluation at that time was relatively unsophisticated: Large public accounting firms maintained lists of controls for their auditors to check off, internal auditors struggled to address evolving client-server networks, and many of today’s financial reporting regulations had yet to be written. Against this backdrop, COSO developed a conceptually sound control framework that has stood the test of time.
The COSO board more recently found that some refreshing of fundamental internal control principles could make the framework even more user-friendly and applicable to today’s ever-changing environment. It undertook a two-year revision process that resulted in COSO’s 2013 Internal Control–Integrated Framework, released in May. The revised framework not only provides more guidance for implementation, but if implemented correctly it will help establish more effective internal controls at lower costs to the organization.
The updated COSO framework lists 17 principles across its five components of internal control, building on the concepts provided in the framework’s original version. Although control principles were implied in the 1992 framework, they weren’t specifically cited until the current release. The principles help codify COSO’s core parameters and provide clarity on what constitutes effective control.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in pursuit
Risk Assessment
6. Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. Identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. Considers the potential for fraud in assessing risks to the achievement of objectives.
9. Identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. Selects and develops general control activities over technology to support the achievement of objectives.
12. Deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. Obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. Internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. Communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. Evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Rationale for the Update
Multiple considerations prompted the COSO board to revisit its 1992 framework. For example, numerous major organizations have failed during the last 20 years because of ineffective risk management and related internal controls. Moreover, more countries than ever — including China, Japan, and many European nations — now require public reporting on internal control over financial reporting for large, publicly listed companies.
Other factors influenced the board’s decision, including:
- Changes in technology and their associated risks.
- Changes in corporate governance and expectations of those charged with governing.
- Increased interdependence of organizations, ranging from joint ventures to supply-chain dependencies.
- Increased demand for internal control information — some in public reports, some in contracts.
- Increased focus on risk assessment.
- An expanded demand for new forms of reporting on organizational performance.
- Increased importance of compliance/operations activities.
With these considerations in mind, COSO first sought feedback from its various global constituencies on whether the framework should be changed, and if so, what changes should be made. COSO then assembled an experienced research team and a diverse advisory group that included representatives from its primary stakeholder organizations, such as The IIA, as well as major regulators and others who might be affected by changes to the framework. The group conducted a study to examine the 1992 framework and concluded that it remained conceptually sound. But it also found that, by updating some of COSO’s fundamental principles, it could make the framework even more user-friendly and applicable to today’s organizations. Working with the advisory group, and input from public constituents, the board then created the 2013 revision.
Key Framework Changes
Because the original framework was deemed conceptually solid, a quick review of the revision might lead to the impression that little has been changed. But there are, in fact, numerous key differences between the old and new versions.
- Reporting Objective. One of the defined objectives of internal control from COSO 1992, reliability of financial reporting, has been changed to the broader concept of reporting to reflect major changes in how information is reported both within and outside the organization. The change reflects not only what is reported, but the media by which reports are delivered. It also encompasses both financial and nonfinancial reporting.
- Principles and Points of Focus. In 2006, COSO adopted a principles-based approach to the design and evaluation of internal controls, as reflected in its guidance document, Internal Control Over Financial Reporting–Guidance for Smaller Public Companies. Drawing from this concept, COSO 2013 includes 17 principles developed around the 1992 framework’s five components of internal control (see “Framework Principles” on page 63). Moreover, the guidance explicitly presumes that if a principle is not attained, then there is evidence that the related component is not working. The COSO framework has always presumed that, for internal control to be effective, all components must be present and functioning. If a principle is not attained, then a component is not present and functioning; hence, internal control is deficient. Other portions of the document address whether a deficiency is considered significant.
The framework also includes “points of focus” that enumerate important characteristics associated with the 17 principles. COSO states that points of focus “may assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are, in fact, present and functioning.”
- Accountability for Internal Controls. The 17 principles place even more emphasis on individual competence and holding individuals accountable for their role in accomplishing internal control objectives. That accountability starts at the board level and extends through senior management downward as the responsibility for effective internal control cascades throughout the organization.
- Fraud Risk Consideration. Because the nature of fraud risk is so unique, one of the 17 principles states that it must be assessed as part of internal control. Fraud risk is not limited to financial statements; it should also be included in compliance and operations risk assessments.
- IT Controls. Information security risks have become ubiquitous. Companies are increasingly relying on cloud computing; interorganizational connectivity has expanded by leaps and bounds; computer hacking is commonplace; and data is often shared instantly without human review. All of these factors led to COSO’s conclusion that IT controls must be explicitly considered.
- Effective Governance. Since 1992, major stock exchanges and regulatory agencies have focused on improving corporate governance and organizational oversight. For example, regulation pertaining to board member competence and independence has grown, especially for those serving on audit committees. Organizations and internal auditors need to assess whether corporate governance is working as expected; they can no longer merely check boxes and say, “Yes, this person meets the independence regulation.” Rather, there must be a real assessment of effectiveness and independence of the governing structure. Board members must demonstrate competence and independence in action.
- Professional Judgment. Many practitioners grew up in the age of accounting and auditing when they could point to definitive right or wrong answers. If something purchased lasted more than a year, it was capitalized and depreciated. The current accounting environment requires more and different data for making estimates. Accordingly, COSO 2013 places additional emphasis on the need for judgment in evaluating whether a company achieves effective internal control.
- Compliance and Operational Objectives. Major financial failures led to the introduction of regulations on internal control over financial reporting. Shortly afterward, many internal auditors stepped in to help management assess these controls, though in some instances this led to a decreased focus on compliance and operations objectives. The updated COSO framework reasserts the importance of these two objectives and presents opportunities for internal audit to expand its value proposition by addressing these two major organizational objectives.
- Supplemental Guidance on External Financial Reporting. The framework’s supplemental guidance discusses how the 17 principles, and their corresponding points of focus, can be applied to external financial reporting. The guidance also includes numerous examples, each drawn from existing practice.
- Expanded Relationships and Globalization. The nature of organizational relationships has evolved through joint ventures, increased dependence on suppliers, and unique contractual relationships that require risk assessment and applicable controls. The updated framework explicitly considers these relationships and discusses how to achieve effective internal control in light of them.
Elements of Control
Similar to its predecessor, COSO 2013 emphasizes three crucial elements related to control effectiveness: Internal control is an integrated concept that encompasses COSO’s five framework components (the control environment, risk assessment, control activities, information and communication, and monitoring); judgment on the presence and functioning of internal control is required, as is judgment on all 17 principles as they relate to the five components; and evaluation and testing of internal control starts with objectives and risks, not with controls.
As an example of internal control’s integrative nature, suppose one of the objectives of a global organization is to achieve compliance with the U.S. Foreign Corrupt Practices Act (FCPA). The process of achieving that objective can be examined along COSO’s five components of internal control.
- Control Environment. The organization’s tone at the top regarding foreign operations is communicated through its statement of values and commitment to ethical behavior. That commitment is extended to recruiting and retaining effective personnel, including internal auditors who help monitor organizational activities.
- Risk Assessment. There are numerous risks associated with achieving the FCPA compliance objective. For example, an employee may knowingly disregard company policy, a manager may not be aware of the policy, or a foreign branch might use an agent to facilitate payments. Accordingly, the company needs to assess its risk appetite for FCPA violations, as well as its tolerances around that appetite. Does it maintain zero tolerance for violations? Does the company’s position allow for some flexibility?
- Control Activities. Based on its risk assessment, the company establishes policies and requires independent review of specific types of behaviors. Management then develops a reporting system that identifies unusual payment amounts, or payments that are reviewed regularly by those with knowledge, authority, and objectivity.
- Information and Communication. Management ensures policies are approved at the board level and communicated throughout the organization. It also establishes a whistleblower process that includes immediate reporting of any FCPA violations to senior management and the audit committee chair.
- Monitoring. Management develops effective monitoring through a combination of ongoing monitoring and separate evaluations, often with internal audit’s assistance. For its ongoing monitoring, the company uses software to identify payments for regular review that appear outside reasonable parameters. The review is supplemented by periodic internal audit evaluations of compliance with the FCPA (periodic evaluation/testing).
All five components are important and necessary to achieving the FCPA objective. For example, the control activities would not be sufficient if the company did not articulate and communicate policies, monitor activities, and require meaningful reports. Overall control effectiveness is dependent on the components working together as a whole.
The need for judgment when assessing control effectiveness is emphasized throughout the document. As an example, Principle No. 4, which pertains to the framework’s control environment component, states that an organization needs to demonstrate “a commitment to attract, develop, and retain competent individuals.” Judgment would be required to determine whether the process of attracting and developing a high-quality staff is effective and has led to the employment of competent individuals throughout the organization. The need for such judgment heretofore has been implicit — now, it is required. The framework’s points of focus provide additional guidance to help address the issue of judgment as it relates to each of the framework’s 17 principles.
Control Testing and Evaluation
One central element of COSO’s updated framework is its continued emphasis on the linkage among objectives, risk, and control. Organizations seek to accomplish objectives, and those objectives need to be articulated. There are risks to achieving the objectives, whether they relate to operations, compliance, or reporting, and those risks need to be identified. The key is to link controls to risks and objectives: The only reason that controls exist is to mitigate risks and thereby increase the probability that the organization will accomplish its objectives. Control, therefore, is subservient to risk — and to the objectives they help achieve.
Organizations that conduct a thorough analysis of controls starting with objectives and risk considerations often find that many duplicative controls exist, the organization relies only on a few key controls, and not all significant risks are covered by existing controls. The approach can represent a significant change in the way controls are evaluated and tested, and it can be especially beneficial to companies that are required to report publicly on the effectiveness of internal control over financial reporting.
Consider, for example, U.S. Sarbanes-Oxley Act of 2002 compliance requirements related to financial reporting controls. Organizations complying with the act have identified important controls and most likely have added controls over time. However, they may not have reassessed the number of controls tested, resulting in some unnecessary testing activity. Some organizations that have taken risk-centric approaches to internal control, rather than control-centric approaches, have cut their control testing in half without jeopardizing the assurance management needs to assess internal controls. Many are using the reassessment to consider whether or not audit and control efficiencies can be gained through automation of controls and a commitment to ongoing control monitoring.
Strategic Leadership for Internal Audit
Internal auditors are often viewed as the control experts in organizations. The updated COSO framework provides a springboard to take that leadership a step further.
A growing body of research finds that organizations with better internal controls perform better, reduce uncertainty about earnings, and enjoy higher stock prices. Internal auditing should provide leadership in implementing the principles in the updated framework by:
- Expanding internal audit coverage to include compliance and operations objectives.
- Working with the controller’s department and organizational process owners to evaluate controls by implementing a risk-centric approach to identify the need for controls as well as any potential control overlap.
- Taking a leadership role in understanding the key features and principles underlying the updated framework and communicating them to management, process owners, and the audit committee.
- Developing an audit plan regarding internal controls — with specific objectives, strategies, and measurable goals — and presenting it to senior management and the audit committee for discussion.
An implicit theme runs throughout the revised framework: Organizations need internal audit leadership to leverage COSO 2013’s significant advantages. Internal audit should take a leadership role, whether it is in training, independent assessments, or consultative activities, to help ensure organizations receive optimal value from the framework. Internal audit participation is key to successful application of COSO 2013 and to helping all areas across the enterprise realize its many benefits.