
COSO Internal Control—Integrated Framework 1992 vs. 2013

By December 31st, 2014, companies that utilize the 1992 COSO Internal Control—Integrated Framework are expected to have fully transitioned to the 2013 framework. If you are an organization that is required to report to the Securities and Exchange Commission, this change directly impacts you. But when you look at what the framework represents, it is obvious that both public and private organizations of all sizes could benefit from adopting elements of it. The purpose of the framework is to prevent and detect fraud. It is a standard framework for designing, implementing, and conducting internal controls, as well as for assessing the effectiveness of your current internal controls.

The standard was updated to account for the ongoing changes in the business environment, e.g. evolving technology, increased outsourcing, changing regulatory environment… The most significant change in the 2013 framework from the 1992 framework was the addition of 17 principles and 77 focus areas. These new items further define the five core areas – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.

Elements that would be most applicable to small and medium sized entities include –

  • Control Environment – The entity demonstrates a commitment to integrity and ethical values. Senior management is responsible for designating the individual(s) who manage the achievement of the entity’s internal control objectives, as well as for continually developing the individual(s).
  • Risk Assessment – The entity sets its internal control objectives, as well as its operations and financial goals. Externally, the entity abides by frameworks, laws and regulations. Internally, risks are identified and their significance established. Approaches to respond to the risks are established. Fraud and all the potential ways it can be committed are considered.
  • Control Activities – The entity develops control activities, which include segregation of duties, technology control activities, and policies and procedures.
  • Information & Communication – Obtain and generate information.  Communicate this information internally and externally.
  • Monitoring Activities – On an ongoing basis, evaluate internal controls to understand their presence and effectiveness.

So how do you start? 

Review the COSO Internal Control—Integrated Framework (core areas, principles, and focus areas) to understand what elements apply to your situation, conduct an assessment of your organization, seek board/management approval on concept implementation, engage staff through training and communications, develop a transition plan, execute the plan, monitor success, and adjust if required.

If you are looking to establish internal controls for the first time, it may make sense to bring in a third party that understands your industry and the common risks that should be considered. Team this individual up with an internal resource that understands your entity and your processes.

Comments

Lynn Fountain
(MBA CGMA CRMA, Past Chief Audit Executive, Business Consultant)

Regis
You've outlined some important topics. I perform significant training and work on COSO and also host webinars with the chairman of COSO. I'd like to clarify one statement you made. You mentioned the purpose of the framework is to prevent and detect fraud. Although that is one of the "principles" that underlie the Risk Assessment component, it wouldn't be correct to say the full purpose of the framework is to prevent and detect fraud.

COSO actually felt it necessary to update the framework for reasons other than fraud. It has been 22 years since the 1992 framework was released and many things have changed which resulted in the need to revisit the framework. Evolving economies, increased technological advancements, increased shareholder and stakeholder transparency requirements were all components that drove the update further than just the concern for fraud.

Fraud is specifically called out in Principle 8 but as you mentioned there are 17 principles in total and 77 Points of focus that must all be evaluated.

I created an in-depth series of COSO training modules for Proformative that review each of the components and principles that people can refer to on the Proformative platform.

In addition, I am hosting a Webinar with the Chairman of COSO on Monday December 8 that is sponsored by the Institute of Internal Auditors on how the COSO changes have or have not impacted ethics evaluations. Below is the link to the registration:

https://na.theiia.org/training/eLearning/Pages/eWorkshop-COSO-2013s-Impact-on-Ethics-Evaluation.aspx

Regis Quirin
(Director of Finance, Gibney Anthony & Flaherty LLP)

All great points Lynn. Thanks for your input.

Regis Quirin
(Director of Finance, Gibney Anthony & Flaherty LLP)

WSJ (04/29/2015), "Almost three-fourths of the U.S. stock-listed companies that have filed 10Ks with the U.S. Securities and Exchange Commission since Dec. 15, 2014 have transitioned to using the updated COSO 2013 framework for reporting internal controls of their financial reporting requirements, said Bob Hirth, chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO Commission)."

Where are you in the process?
