
Banks must decide if they want to use the COSO 2013 framework for this year’s financial reporting, and if not, when they should transition to it.


When Should Your Bank Update Its Internal Control Framework?

  • 10/7/2014

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated Internal Control — Integrated Framework intended to help organizations design and implement internal controls that reflect the changing business operating environment since the last COSO update in 1992.

The new framework retains the core definition of internal control and the five original components: control environment, risk assessment, information and communication, monitoring, and control activities. However, it also provides an understanding of what constitutes an effective system of internal control, and states why no system of internal control can be perfect.

Organizations may continue to use the original framework through 2014, and possibly in future years. It will be used by fewer organizations in the future though, and will eventually cease to be considered a suitable, recognized framework by the Securities and Exchange Commission (SEC) and bank regulators.

Organizations must identify which version of COSO they are using in their financial reporting for 2014. The decision on whether to transition to COSO 2013 this year should be given serious thought, especially since the additional documentation requirements that come with the transition may not be feasible right now.

Which financial institutions are affected

The following financial institutions are subject to internal control requirements:

  • Publicly traded accelerated and large accelerated filers (subject to the provisions of Sarbanes-Oxley 404(b) (SOX))
  • Privately held institutions with over $500 million in assets (subject to the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA))

Both SOX and FDICIA require management to assess the effectiveness of internal controls over financial reporting. In addition, privately held institutions with over $1 billion in assets and all public institutions meeting the criteria above are required to have their external auditor attest to, and report on, management’s assessment of internal control.

In order to accomplish this objective, institutions are required to select a framework to serve as the foundation for internal control — and the vast majority of organizations use the COSO framework.

Which version to use?

SOX and FDICIA require that the internal control framework selected by an organization be a suitable, recognized framework. Therefore, institutions should assess whether COSO 1992 still satisfies these requirements for 2014 and, if so, how long it can continue to be used.

Institutions must communicate and coordinate their anticipated framework selection for 2014 with their financial statement auditor in a timely manner, since certain auditing standards require the auditor’s opinion to be included in the decision on which framework to use.

Changes in the updated COSO

The critical changes that occurred in the 2013 version of the framework are:

  • Specifying 17 principles with points of focus to clarify how internal control should be addressed within the five internal control components of the COSO cube
  • Recognizing that financial reporting includes more than just annual audited financial statements, thus “financial reporting” on the COSO cube has been changed to “reporting”
  • Stressing the importance of IT controls surrounding all business units
  • Requiring specific risk assessment and response to fraud risk that may exist within the organization

The 17 principles identified in the 2013 COSO framework are meant to clarify how an effective internal control structure should look, and how organizations can improve their current internal controls. Each principle needs to be addressed in an institution’s documentation of internal control. In the event one of the principles is not addressed, note why it is not applicable to the organization.

How we can help

If you are looking for more information about the 2013 COSO framework, considering switching to this framework, or deciding which framework best suits your organization in the short term, your CLA advisor can provide the information and tools for an effective and seamless transition.