Update to COSO internal control model coming in 2012
In the October/November issue of Muse, we took a fresh look at the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control model. Our article, Using COSO in a not-for-profit enterprise, examined the landmark report, Internal Control - An Integrated Framework (the Framework) and mentioned that an end-of-year update was anticipated. As expected, in December 2011, COSO issued an exposure draft of an update to the Framework to replace the earlier versions. Public comments were accepted through March 31, 2012, and a final document is expected in late 2012.
Although it was first issued two decades ago, the original Framework is still viewed by users as a highly effective approach to internal control. COSO agrees with that assessment, finding that the original model's definition of internal control and its five elements of control (control environment, risk assessment, control activities, information and communication and monitoring) are still relevant today. Nevertheless, in view of the significant changes that have occurred in the technology and governance realms in recent years, COSO believes an update to the model is warranted.
Major changes under proposal
The major changes being proposed to the Framework include:
The original Framework mentioned 17 principles for organizations to follow as they design and implement internal control systems. The proposed draft elaborates further on these 17 principles, and shows how they line up with the five key control elements. COSO believes this new and more comprehensive approach will help users put the entirety of the Framework into perspective. For example, actual selection and development of control activities are discussed in just one of the 17 principles. Many times, developers of controls put too much emphasis on control activities, and fail to focus on other elements that can lead to more effective control activities.
The stakeholders of an organization are both internal and external. For this reason, financial reporting objectives will be different for various users. The organization should identify how objectives are developed for various users and ultimately, how information is communicated to these users. The proposed Framework compels each user to think about these differences and acknowledge how messaging and communications take on different forms for different stakeholders.
In the past, users of the Framework often have focused on controls over financial reporting, rather than on controls over operations, compliance and non-financial reporting. The updated Framework is proposing to put a brighter spotlight on the latter objectives, which are critical to an organization, but often overlooked by its control system.
The proposed Framework also acknowledges the numerous advances and changes in technology, governance and fraud awareness that have transpired over the past 20 years. The 17 stated principles tackle these issues directly.
Companion document on external financial reporting
As with the original Framework, the guidance in these documents should not be viewed as requirements for non-public entities. Instead, the information should be viewed as best practices. The COSO task force that developed the proposed Framework did include representatives from the not-for-profit community. Nevertheless, the model is a universal model, not a public company model. The 17 principles under the five elements are scalable and will put any size organization on better footing as it tries to meet its objectives in operations, financial and non-financial reporting and compliance.
For more information