Update Q&A Extended
From an application standpoint, what are the strengths of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) updated framework?
I see four major strengths. First, the changing of the financial reporting objective to a reporting objective, which mirrors the expansion of reporting and reporting techniques since 1992. Second, the principles/points-of-focus approach emphasizes judgment and recognizes that there are alternatives that can be used to mitigate risks effectively. There is more emphasis on the control environment and governance. Third, there's more emphasis on operations and compliance objectives, an area where internal audit is poised for leadership. And fourth, there is recognition of the increased complexity in organizational structure, governance, and other relationships.
How can the framework's illustrative tools help practitioners?
The illustrative tools are designed to stimulate thought through examples. Rather than moving to a checklist approach to designing, implementing, and evaluating controls, the updated approach makes you think about: a) what you want to accomplish, and b) how you might most efficiently design the internal control structure to accomplish your objectives.
What do you think about the evolution of the COSO framework from 1992 to 2013?
I was not on COSO when the 1992 framework was developed, but I continuously applaud those thinkers who developed it because it is based on fundamental concepts, yet it greatly expanded the concept of internal control over what existed at that time. Courageous and thoughtful leaders, such as Bill Bishop of The IIA, were responsible for expanding our discussion of internal control to include operations and compliance objectives. Because the framework was conceptually sound, the 2013 update reflects environmental changes in how organizations are organized and managed, and how technology has changed how we do things. Still, the framework remains just that: a framework. It essentially says you need to mitigate risks to accomplish organizational objectives. As risks change, so should internal control change to effectively and efficiently mitigate those risks. For example, neither the 1992 nor the 2013 framework specifies what IT control activities are needed. But both frameworks reflect the need to change, or consider changing, internal controls as technology changes. That is where the principles/points-of-focus addition to the 2013 framework will help management, directors, and auditors.