Nearly 20 years have passed since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the seminal report Internal Control—Integrated Framework, which—with impetus from the Sarbanes-Oxley Act in 2002—became the authoritative document on internal control both in the United States and overseas. On a personal note, it's hard for me to believe so much time elapsed, as I remember well serving as the lead project partner of the PwC team that conceptualized and developed that report. 

The Framework has stood the test of time, and continues to be the standard against which companies measure the effectiveness of their systems of internal control. But with the passage of time and evolution of corporate structures, activities, and technologies, the COSO board decided that an updated version of the Framework would be useful. And once again, COSO turned to PwC to take on this important responsibility.

As with the initial Framework, the COSO board established an advisory council with experienced representatives from industry and academia, and this time it added members of government agencies and not-for-profit organizations to provide input during development.

PwC established a four-stage project approach:

Assess and envision. Through literature reviews, global surveys, and public forums, the project team identified challenges organizations have faced in implementing the Framework. It analyzed information, reviewed various sources of input, identified critical issues and concerns, and conducted a global survey.

Build and design. The team developed the update, which was reviewed by key users and stakeholder groups to solidify reactions and suggestions.

Preparation for public exposure. Through reviews with the general public, the COSO board and advisory council, the update was refined and prepared for broad exposure.

Finalization. The updated Framework is now being issued for public exposure (with a comment period). The project team will review and analyze comments received, identify needed modifications, and provide the update to the COSO board for final review and acceptance.

The PwC team has brought tremendous resources together, and obtained input from a wide range of companies, organizations, and individuals, resulting in a significantly enhanced document. (In the interest of full disclosure, I've been providing the core PwC team with perspective and advice on the project.)

What's New

Let's begin with what has been brought forward from the initial Framework. Importantly, the fundamental concepts and structure remain. The definition of internal control, the five components, and the COSO cube are unchanged. So are the three categories of objectives (with one enhancement). The chapter headings—on each of the components, limitations of internal control, and roles and responsibilities—were also brought forward from the original version. And readers will be familiar with the nature and scope of the content. But while the core remains, significant enhancements bring the document up to the 21st century.

Among the more significant changes is the reporting category of objectives. The initial Framework established this category as pertaining to the preparation of reliable published financial statements. The updated Framework expands it to include all reporting by an entity: financial and non-financial, internal and external. This enhancement makes eminent sense and brings this internal control Framework in line with how the reporting category of objectives is defined in COSO's Enterprise Risk Management—Integrated Framework issued in 2004 (again, for full disclosure, I was the lead PwC partner on that project).

At the same time, recognizing the critical importance of enabling companies to report on internal control relating to published financial statements—as required by SOX—the project team is developing a guidance document specifically devoted to that sub-topic. More on that in a moment.

Another important enhancement in the updated Framework is the inclusion of what are called “principles” and “attributes” of internal control. The initial Framework implicitly reflected the core principles of internal control; the updated version explicitly states the 17 principles, which represent the fundamental concepts associated with the components of internal control. Supporting the principles are attributes, representing characteristics associated with the principles.

Together the principles and attributes comprise criteria designed to assist management in designing and developing systems of internal control and assessing their effectiveness. The principles and attributes were first introduced in COSO's Internal Control over Financial Reporting—Guidance for Smaller Public Companies, published in June 2006, and enhanced and formalized in the updated Framework. Despite its title, that guidance has been quite useful to companies both large and small (disclosure: I served as adviser to the PwC team that developed that document).

Other enhancements include the following:

One relates to objective setting, which the initial Framework defines as part of the management process, with having objectives a pre-condition to internal control. The updated Framework preserves that view, though it moves the primary discussion from the risk assessment chapter to an overview chapter to further emphasize that objective-setting is not part of internal control.

The updated Framework reflects the increased relevance of technology. More companies use highly sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes, and technologies. The Framework reflects how technology can affect how the components of internal control are implemented.

The updated Framework includes expanded discussion on governance relating to the board of directors and their committees, including audit, compensation, and nomination/governance.

It enhances consideration of anti-fraud expectations, with expanded discussion on fraud and the relationship of fraud and internal control.

And it reflects the evolution of different business models and organizational structures, where many entities use external parties for providing products or services. The competitive landscape, globalization, dynamic industry and technological changes, evolving business models, competition for talent, cost management, and other factors have required management to look beyond internal operations to access needed resources. Organizations may use a shared service model, outsourcing to an external party, spinoff, joint venture, or other approach.

ICEFR

You may be asking, what's an ICEFR? Well, it's an acronym for internal control over external financial reporting, pronounced ice-eh-fer. This is the guidance mentioned above that deals more directly with internal control over published financial statements—although it may be helpful to users in the broader context of external financial reporting. It's organized around the five internal control components, containing approaches for and examples of their application, with direct linkage to the principles and attributes in the Framework. It's important to keep in mind that the ICEFR guidance is just that, guidance; it will neither replace nor modify the Framework.

Speak Now, or…

The updated Framework is being released for public comment about the time this column is appearing in electronic form, around Dec. 20. (The ICEFR guidance is expected to be released for public comment in spring 2012.) So, if you're involved in any way with internal control and would like to influence the Framework, now is the time to get your hands on the draft and provide input.

As often is the case, a son (or daughter) grows to be bigger, stronger, and sometimes better than the parent. In my view, that's the case here. The “son” of COSO is an improved version of the original and will serve those managements involved with designing, implementing, conducting, and evaluating internal control, as well as those reporting on internal control or attesting or using internal control reports, very well indeed.

I also want to note that PwC GRC leader Miles Everson has provided consistent leadership in developing many of these COSO published documents—the enterprise risk management Framework, the small business guidance, and now the updated internal control Framework—supported in each case by director Frank Martens. For this latest document, leadership also is provided by PwC partners Steve Soske and Chuck Harris, with a strong supporting cast.