Yes, we finally have it. After several years of intense work by PwC, input from an advisory council and regulators, and ultimate approval by the COSO board, the updated Internal Control – Integrated Framework has been issued.

If you're involved in any way with financial reporting, you're well aware that the original framework has long served as the standard against which companies measure their systems of internal control over financial reporting and report the results in annual reports to shareholders and regulatory filings. This updated report will become the standard going forward. It is an imposing work of 140 pages in the main volume, plus hundreds more pages of guidance materials.

As lead project partner of the core team that conceptualized and developed the original framework, I find it heartening to see that its fundamentals remain intact. The original, developed from a clean sheet of paper, has stood the test of time, and its core design, concepts, and principles have been retained. One might liken the original to a carefully crafted sailboat made of fine wood and designed for world-class racing, whereas the updated version has newer and better materials that make the craft faster, more maneuverable, and well suited to today's rough seas. I was privileged to serve as adviser to the PwC team leading the update project.

So, let's take a look at what is carried forward from the original, and the nature of modifications in the updated version.  

Steady as She Goes

COSO said in its release that the original framework “remains fundamentally sound and broadly accepted in the marketplace.” As such, the updated framework retains the original's fundamentals, including:

The report's general organization and component chapter structure;

The formal definition of internal control;

The five components—the control environment, risk assessment, control activities, information and communication, and monitoring activities—and the concept that they operate together in an integrated manner;

Emphasis that internal control is a process, is effected by people, can provide only reasonable rather than absolute assurance, and has inherent limitations;

That internal control is geared toward achieving specified objectives;

That internal control can be applied at the entity level, or any of an entity's units;

The familiar "COSO cube," depicting the relationship between the internal control components, categories of objectives, and the entity and its units;

Concepts related to cost-benefit analysis, with the important caveat that while management needs to use judgment, cost alone is not an acceptable reason to avoid implementing internal control;

Discussion of appropriate documentation; and

The importance of management's judgment in designing, implementing, and conducting internal control, and assessing its effectiveness.

Also retained in the updated framework is the important distinction on the type of assurance that can be achieved related to each category of objectives. For objectives related to external reporting and compliance with laws and regulations, internal control can provide reasonable assurance that those objectives will be achieved. This is because those objectives are based largely on laws, rules, regulations, or standards established by legislators, regulators, and standard setters, and their achievement depends on how activities within the entity's control are performed. Achievement of internal reporting objectives is also within an entity's control, and reasonable assurance can be gained for those objectives as well.

Achievement of a company's operations objectives, however, may not be within the organization's control, in which case internal control can provide reasonable assurance only that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward its achievement. There is a useful refinement here for operations objectives—the updated report notes that where external events are unlikely to significantly impact achievement of operations objectives, or the organization can reasonably predict such events and mitigate their impact to acceptable levels, the entity could attain reasonable assurance that those objectives can be achieved.

The focus on safeguarding of assets is carried forward as part of the operations category of objectives, along with the related explanation of when those controls might be relevant to another category, such as reporting.

The relationship between the management process and internal control also is retained, continuing the important point that not every decision or action of management is part of internal control. The principles of internal control described in the original have been retained as well, but now are highlighted and made more explicit. More on that in a moment.

Smoother Sailing

From my perspective, saying that the updated framework is an enhancement of the original is akin to saying one's child grew up to be better than one's self. And isn't that what every parent wants for his or her offspring? Well, that's what we see here.

The most significant enhancement is the formulation of 17 “principles” of internal control. While the underlying content is inherent within the original framework, it is now formalized, with explicit principles supporting the internal control components, which together serve as the criteria for determining whether an entity's internal control is “effective.”

The reporting category of objectives has been expanded. In the original this category was confined to external reporting, with other reporting objectives implicit in the operations and compliance categories. But now all reporting objectives—internal and external, financial and non-financial—are part of the expanded category. This is another improvement. In crafting the original framework categories, the core project team was well aware of SEC proposed regulations that would require explicit assessment of and reporting on internal control over external financial reporting. So we carved that out as a separate category to position companies and auditors should that requirement come to pass—which of course it ultimately did with the Sarbanes-Oxley Act. The more complete reporting category of objectives in the updated framework makes more conceptual sense, and still allows focus on only control over external financial reporting for SOX or similar purposes. This expanded reporting category, by the way, is consistent with what we developed in the COSO Enterprise Risk Management – Integrated Framework, issued in 2004.

The original framework says establishment of objectives is a precondition to internal control. The reason for taking that tack was to avoid having management or auditors be expected to determine whether particular objectives were the "right" objectives. The updated framework retains the concept of objective-setting as a precondition, and expands the discussion by illustrating how establishing and setting objectives as part of the management process, outside of internal control, can form a basis for specifying and using objectives within internal control.

In defining internal control deficiencies, the updated framework introduces the term “major deficiency,” which is broader than “material weakness” and more applicable to objectives beyond those related to external financial reporting.

The updated framework carries over much of the substance inherent in the chapters on each of the five components, though now in addition to the explicitly stated principles, it sharpens the discussion in the form of relevant “points of focus.” Called “attributes” in the exposure draft, these points of focus are useful in determining whether the principles of a component are indeed present and functioning. And, the discussions are expanded to add substance related to advancements in technology, additional focus on fraud protection, and more attention to governance issues, among other additions.

Watch Out for Icebergs

In addition to the framework and related guidance volumes, there are a number of analyses of these documents issued by a variety of observers—some on target, like those issued by COSO and PwC, but some not. Among the misconceptions out there are such statements as: “[T]he COSO board expanded the scope of the original framework to make it applicable not just to financial reporting, but to compliance and operations as well.” Well, if this is an accurate quote, either the speaker never read the original framework, or simply didn't understand it, because the original framework very clearly addresses and applies to all three categories of objectives. Further, to get a bit picky, it wasn't the COSO board that would have done the expansion, but rather PwC under COSO's oversight.

The updated framework does a very good job of reflecting changes that have occurred since the original, including the increasingly complex, technologically driven, and global business environments. The enhancements discussed here, as well as extended discussions of the issues and business practices, provide for a framework well-suited to today's environment. I believe the PwC team, along with input from many sources, including the advisory council and observers, with guidance from the COSO board, has done an outstanding job in providing a document that will form the basis for effective internal control systems long into the future.