COSO has published a second draft of its updated internal control framework along with some new companion guidance, looking for fresh comments on whether the entire package meets the mark in updating the framework that most public companies use to achieve compliance with internal control reporting requirements under Sarbanes-Oxley.

The Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO, published a proposed update to its 1992 Internal Control–Integrated Framework in April and collected about 200 comment letters and survey responses suggesting changes to the draft. Through that feedback process, the COSO board determined it would revise the framework for a second round of comments and supplement the framework with two new pieces meant to help further explain the framework.

The board developed a piece titled “Internal Control over External Financial Reporting: Compendium of Approaches and Examples,” to provide more focus on how the framework applies to external financial reporting, and another piece titled “Illustrative Tools for Assessing Effectiveness of a System of Internal Control,” to provide more guidance on how to apply the framework to determine whether controls are effective.

The compendium and illustrative tools are meant to enhance the value of the framework by adding context and demonstrating how it can be applied in various settings and to various circumstances, says COSO Chairman Dave Landsittel. “We thought it was important to provide a clear path as to how the framework can be applied to external financial reporting circumstances,” he says. “The compendium does not alter or modify the framework itself. It just focuses on how it's applied. The illustrative tools also does not change the framework at all. We thought it would be helpful to provide additional information to bring to life the discussion of effectiveness of controls.”

Revisions to the framework itself reflected a number of “very thoughtful” comments, says Landsittel. The revised framework is more clearly organized and provides a better description of what is required to reach a conclusion on the effectiveness of internal controls, he says. The board heard concerns that the first draft would promote a checklist mentality with its lists of attributes that support a list of principles, he says. So the board ditched the attributes and provided instead “points of focus” that would guide considerations on a determination of control effectiveness.

The new package also changes the language around deficiencies, says Landsittel. “We've simplified it and said there are two classes of deficiencies,” he says. “There are deficiencies, and there are major deficiencies, and if someone has a major deficiency, you can't conclude on the effectiveness of controls overall.” He acknowledged that there may be questions about how that language squares with the Securities and Exchange Commission's focus on “material weakness” and “significant deficiencies.” He says regulators may use different language, and companies need to use that language rather than COSO's for compliance purposes. “Our document is an overall framework, so we say generically that there are deficiencies and major deficiencies,” he says.

The new package is open for comment through Nov. 22 with revisions and a final document targeted for the first quarter of 2013.

Topics