What's Up with COSO?Input Needed on New Draft Framework
If you're not already familiar with the controls framework, I should start by saying that I believe that it is the most important document on internal controls in existence. COSO is a committee of five organizations working together: the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Institute of Management Accountants, and my own organization, the Institute of Internal Auditors. The draft Framework, however, is the brainchild of a much wider group that includes participants from various industry associations, academia, non-for-profit and government entities.
COSO is important for auditors because it provides a sound basis for establishing internal control systems and determining their effectiveness. The new COSO updates are designed to adapt the framework to increasing complexity and pace of change; to mitigate risks to the achievement of objectives; and to provide reliable information to support sound decision-making.
Auditors, we need your thoughts and input on internal controls through the COSO exposure draft process.
Therefore, auditors, we need your thoughts and input on internal controls through the COSO exposure draft process. For those of you who have not yet found the time to read the exposure draft, I wanted to take this opportunity to let you know what has changed:
Expanded Focus on Governance: Given recent events, it should come as no surprise that the updated publication includes expanded discussion on governance. You'll find new information relating to the board of directors and committees of the board, including audit, compensation, nomination/governance committees.
Enhanced Consideration of Fraud: The 1992 version considered fraud, but discussion of anti-fraud expectations and the relationship between fraud and internal control was less prominent. The 2012 version contains considerably more discussion on fraud and also considers potential fraud as a "principle" of internal control.
New Principles-Based Approach: While I'm on the subject of principles, I should explain that one of the significant changes to the Framework is its principles-based approach. While the 1992 version implicitly reflected the core principles of internal control, the exposure draft explicitly lists seventeen principles that embody the fundamental concepts associated with the components of internal control.
The principles are broadly written because they are intended to apply to all organizations, regardless of whether they are for-profit companies, not-for-profits, government bodies or other organizations. But while they are broadly written, each of the 17 principles is supported by attributes that demonstrate characteristics associated with the principles. Together, the principles and attributes supply criteria, which can be used to assess whether or not your organization has effective internal control.
Expanded Financial Reporting: As an internal auditor, I think my personal favorite change is that the financial reporting category of objectives has been expanded to be called simply reporting. In the past, I was always a bit bothered by the fact that the Framework focused on external financial reporting with limited reference to other types of external reporting or to financial or non-financial internal reporting. Internal auditors almost always have a keen understanding of the fact that reporting risks and controls extend well beyond financial reports.
In summary, experienced COSO users will see quite a bit that's familiar in the new document. What's not changing? Fundamentals such as:
- Definition of internal control;
- Five components of internal control;
- Criteria used to assess effectiveness of systems of internal control;
- Use of judgment in evaluating the effectiveness of systems of internal control.
There are quite a few other changes to the Framework. The new publication clarifies the role of objective-setting as a pre-condition to internal control, and it enhances discussion about extended business models, shared services, and reliance on third parties, for example. But the question I receive most often is simply, "Will we need to change our internal controls as a result of the changes to the Framework?"
Unfortunately, I can't answer that question for you. If you already have a robust internal control system, you may find that no changes are needed. But if your organization, like many others, still has a few gaps lurking in its control systems, reviewing the system in light of the new publication may help expose the gaps.
Either way, I urge you to read the exposure draft - and to supply your comments about the exposure draft to the COSO Committee. Your input is the only way we can ensure the new Framework will meet your needs.
Chambers is the global president and CEO of The Institute of Internal Auditors.