COSO’s Updated Framework: Now What?
Bridgepoint Consulting hosted an event for internal audit executives in which attendees shared thoughts on the updated COSO Internal Control – Integrated Framework that was issued May 2013 and becomes effective in December 2014. David Roe, Director of Risk Services at Bridgepoint Consulting, facilitated the discussion. Here’s a brief summary of the questions and answers discussed among the participants:
Why the refresh to the COSO framework?
Business has changed drastically since the 1992 COSO framework was issued. Drivers of the 2013 updated framework included:
- Globalization – impact on business markets and operations
- Technology – evolving use, reliance and pervasiveness of systems and applications in business models
- Business relationships – increased complexity of contracts, joint ventures, supply chain, outsourcing
- Regulatory compliance – increased complexity of laws, regulations, and standards, and related increased expectations of governance oversight with higher demand for accountability
- Fraud – increased sophistication and capability (e.g., cyber security) with emphasis on continued efforts to prevent and detect
What didn’t change?
Fundamental concepts of the COSO framework remain unchanged, including:
- Internal control definition – a process, effected by Board of Directors, management and personnel, designed to provide reasonable assurance that company objectives are met
- Five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities
- Judgment required to design, operate and assess effectiveness of internal controls within the framework
Updates made to the framework better address how business is conducted in today’s environment and further clarify the existing components with defined principles. Highlights discussed included:
- Broadens coverage over categories of objectives: Operations, Compliance and Reporting
- “Financial Reporting” category changed to “Reporting” and now also considers management/non-financial reporting
- Added approach and examples content for Operations, Compliance and Reporting objectives
- Emphasizes defining company objectives, identifying related risks and developing controls that mitigate those risks to acceptable levels
- Seventeen principles, each with points of focus, outlined across the five components representing fundamental concepts of effective internal control
- All principles are generally presumed relevant to all entities for purposes of assessing internal control effectiveness
- Points of focus under each principle may not all be relevant or others may be added; separate assessment of points of focus is not required
- Integrated – controls are present and functioning so that components and principles operate together to achieve objectives
- Increased accountability for internal control responsibilities (Principal #5 under Control Environment)
- Explicit need to separately assess fraud risks (Principle #8 under Risk Assessment)
- General controls over technology developed to support achieving objectives (Principle #11 under Control Activity)
What is the impact on your role within your organization?
Consensus of the participants was that Internal Audit and other groups and professionals having internal control monitoring roles within organizations will need to be significant supporters of implementing and applying the updated COSO framework. Roles and responsibilities discussed included:
- Obtain materials, attend training and get up to speed on the updated framework
- Educate Board, C-Suite and other management on the updated framework with the understanding that these personnel have ownership of defining objectives, identifying risks and designing and executing effective mitigating controls
- Support, monitor and evaluate implementation of the updated framework while remaining objective and independent for future audits
- Evaluate impact on Internal Audit function and engagement level risk assessment and planning
- Resources and skills needed (e.g., IT, data analytics/fraud, operations)
- Scope considering broadened Operations and Reporting (including non-financial reporting) objectives
- Consider overlap with enterprise risk management as applicable and alignment with Internal Audit risk assessment
What are thoughts as to practical implementation and application?
A theme of the roundtable was that the updated COSO framework provides a value add opportunity to refresh internal controls awareness, acceptance of responsibilities and effectiveness across the company, whether a compliance requirement or not. It was noted that public companies with Sarbanes-Oxley (SOX) requirements to assess internal controls over financial reporting must disclose which framework is used for their assessment; also, that the original framework (1992) will be superseded by the updated framework as of December 15, 2014. Ideas for practical implementation and application discussed included:
- Identify and gain executive sponsorship for evaluating conformance with the updated COSO framework; this may involve presenting a cost-benefit for the evaluation
- Leverage existing process and controls documentation, including entity-level controls (e.g., Control Environment component of COSO)
- Update controls documentation by mapping existing controls to the 17 principles
- Leverage COSO materials – illustrative tool enabler with approach to assess controls as present and functioning at principles level (considering relevant points of focus) by component and integrated overall, including summarizing deficiencies
- Support management action to correct any resulting control gaps and opportunities to improve control effectiveness, including a refresh of determining key versus non-key internal controls over financial reporting (optimization opportunity)
- Give adequate attention to IT, anti-fraud, international operations and regulatory compliance risks/controls applicable to your business
Following is a link to the COSO website where you can find materials related to the updated framework:
Bridgepoint’s Risk Services professionals are skilled at performing risk and internal control assessments. Our team can provide assistance with the implementation and assessment of internal controls effectiveness under the updated COSO framework.