The new COSO framework doesn’t impact me. Does it?
There has been a lot of buzz recently, and rightfully so, about the changes made to the internal control framework as we currently know it. On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework. COSO will consider the 1992 Internal Control—Integrated Framework as having been superseded by the 2013 framework after December 15, 2014.
If you work for a public company, you may know that the Sarbanes-Oxley Act (SOX) Section 404 requires management to select an internal control framework and then assess and report on the design and operating effectiveness of its internal controls annually. The majority of U.S. publicly traded companies have adopted COSO’s 1992 framework to do this and, therefore, will be required to adhere to the new COSO framework.
So why should I care about COSO’s new framework if I don’t work for a public company?
Well, in the spirit of continuous improvement, organizations should continually reassess their system of internal control to identify opportunities to improve the efficiency and effectiveness of that system.
Let’s also think about the many changes since 1992 that have significantly increased business risk, resulting in a much greater need for accountability, oversight, and competence than ever before. This need extends from the board of directors all the way down to entry-level employees just beginning their careers.
Markets continue to globalize; business models have changed significantly; the complexity and pace of change surrounding rules, regulations, and standards have intensified the demands on organizations; and last, but definitely not least, our reliance on evolving technology continues to grow.
Finally, let’s not forget about some of the large-scale internal control breakdowns of recent history, such as Enron, WorldCom, Qwest Communications, and Cendant. These breakdowns have taught us all valuable lessons about a number of items, such as the effects of management override, ineffective board or audit committee oversight, lack of segregation of duties, conflicts of interest, poor or nonexistent transparency displayed by key officials, and unbalanced compensation structures.
So, the introduction of this new COSO framework gives you the perfect excuse to reassess your organization’s system of internal control. Need more? Let’s move on.
The 1992 COSO framework introduced 17 relevant principles associated with the five components of internal control, but did this conceptually. The new COSO framework not only codifies the 17 underlying principles, it streamlines the original framework; increases the focus on operations, non-external financial reporting, and compliance objectives; and enhances usability.
As COSO has explained, the 17 principles remain broad as they are intended to apply to for-profit companies (including those that are privately held), non-profit entities, governmental entities, and other organizations. COSO has also included points of focus within each of the 17 principles. These points of focus represent important characteristics associated with each principle and provide helpful guidance to assist management in designing, implementing, and assessing whether the relevant principles are present and relevant.
COSO believes this framework will provide organizations significant benefits, such as increased confidence that controls mitigate risks to acceptable levels and reliable information supporting sound decision making. The time is now to take a look at the new and improved COSO framework and consider how it can create value for your organization, regardless of how mature your organization’s system of internal control may be.
For more information contact Reggie Novak at 216-831-7171 or rnovak@cp-advisors.com.
Reggie is a Senior Manager in the Audit and Accounting Services Group. As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation. If fraud is suspected, he can investigate and present his findings and recommendations.