
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated internal control framework that you should be using by December 15, 2014.

Reducing risk

Prepare for Updated Internal Control Procedures

  • 5/28/2014

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated Internal Control — Integrated Framework intended to help organizations design and implement internal controls that reflect the changing business operating environment since the last COSO update in 1992.

Users may continue to use the original framework until December 15, 2014, but COSO will consider it superseded after that date. The new framework retains the core definition of internal control and the five original components: control environment, risk assessment, information and communication, monitoring, and control activities.

It also provides an understanding of what constitutes an effective system of internal control, and states why no system of internal control can be perfect. The enhancements and clarifications are intended to ease the use and application of the framework.

One of the more significant enhancements is the expansion of the fundamental framework, which now comprises 17 formal principles. Each principle is associated with one of the five original components. An entity can achieve effective internal control by applying all of the principles. Effective internal control provides reasonable assurance and requires that:

  • Each component and each relevant principle is present and functioning
  • The five components are operating together in an integrated manner

The five components of internal control and their associated principles

  1. Control environment
    • Demonstrates commitment to integrity and ethical values
    • Exercises oversight responsibility
    • Establishes structure, authority, and responsibility
    • Demonstrates commitment to competence
    • Enforces accountability
  2. Risk assessment
    • Specifies suitable objectives
    • Identifies and analyzes risk
    • Assesses fraud risk
    • Identifies and analyzes significant change
  3. Control activities
    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys through policies and procedures
  4. Information and communication
    • Uses relevant information
    • Communicates internally
    • Communicates externally
  5. Monitoring activities
    • Conducts ongoing and/or separate evaluations
    • Evaluates and communicates deficiencies

What's next for you?

If you haven't already, you should be educating your key stakeholders, including your executive management team, the audit committee, and internal audit departments. If you need to, get help in establishing a process for identifying, assessing, and implementing necessary changes in controls and related documentation. Start by developing and implementing a transition plan to demonstrate that you meet the key components (e.g., applying the updated framework by December 31, 2014, for any external reporting). Finally, if there are Sarbanes-Oxley compliance considerations around financial controls, be sure to coordinate and communicate efforts within your organization and with your external auditors.