Revised COSO Framework: Improved but Further Adjustments Warranted
Vincent Tophoff | Senior Technical Manager, IFAC
Jul 31, 2013 | Article for Member Bodies | English
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the revised version of its Internal Control-Integrated Framework (the Framework). The revised Framework will help improve implementation of internal control but further adjustments are warranted to align internal control across the globe and to help organizations better manage their risks and improve their overall performance.
The Professional Accountants in Business (PAIB) Committee of the International Federation of Accountants (IFAC) has been closely involved in the revision, with two representatives on the COSO advisory council for the project. Additionally, the PAIB Committee submitted two formal comment letters to both COSO internal control exposure drafts.
Key Features of the Revised Framework
The revised Framework uses the same definition of internal control as the previous version and builds on the same five components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities. The Framework also continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing its effectiveness.
So what has changed? The revised Framework now:
- articulates the fundamental concepts underlying the five components in the form of 17 guiding principles and more detailed points of focus;
- takes into account environmental changes, such as increased globalization, complexity, and regulation, the growing importance of technology, and increased expectations for better governance oversight and fraud prevention;
- expands the operations objective from “effective and efficient use of the entity’s resources” to “effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss;”
- broadens the reporting objective from “published financial statements” to “internal and external financial and non-financial reporting;” and
- provides additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives.
COSO also issued two additional publications.
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control assists users when assessing effectiveness of internal control based on the requirements of the Framework.
- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples assists users when applying the Framework to external financial reporting objectives.
The revised Framework will supersede the original Framework at the end of 2014, giving organizations time to transition. COSO anticipates a relatively easy transition process for those organizations that have properly applied the original Framework (1992). In fact, the new principles and points of focus should make it easier for organizations to see what is covered and where gaps may exist.
IFAC PAIB Committee’s View
The IFAC PAIB Committee commends COSO for being one of the first and foremost thought leaders in internal control, starting with the publication of the original Framework and followed by a series of related high-quality publications. The committee agrees that while many of the underlying concepts of the original Framework have proven themselves over time, global developments, including the financial crises, in recent years required a revision.
However, while the revised Framework represents a step forward in articulating principles of effective internal control and incorporating a number of considerations relevant to today’s complex business environment, there remains work to be done to advance and harmonize risk management and internal control guidelines across the globe and to better support organizations dealing with the many economic, social, and environmental challenges they face.
The PAIB Committee believes that it is in COSO’s long-term interest to continue evolving its Framework in order to make it more relevant to the broader global community and the challenges faced, and stands ready to assist COSO in making progress in this area. The PAIB Committee has formulated a number of recommendations for further development.
- For the Framework to remain relevant in an environment of greater global integration, COSO should further integrate its Internal Control Framework with its Enterprise Risk Management (ERM) Framework, released in 2004, as well as better align it with the concepts and terminology in other frameworks, standards, and guidelines on governance, risk management, and internal control from across the globe. This will enable organizations to make internal control a natural and integrated part of their overall risk management and governance arrangements.
- The Framework should embrace a wider perspective than its current limited application to internal control over reporting, operations, and compliance, for example, by broadening the definition of internal control so as to permit the inclusion of other areas, such as business strategy and finance, in which internal control also plays a crucial role. Before the string of financial crises, many organizations were overly focused on financial reporting controls. These crises highlighted the fact that many, if not most, of the risks that affected organizations derived from external circumstances. This includes the increasing social and environmental risks that organizations encounter, such as mitigating the threats and taking advantage of the opportunities related to global warming.
- As the achievement of objectives is at the heart of the COSO definition of internal control, objective setting should be included in the components of internal control. This would assure better alignment with the related COSO ERM Framework, which includes objective setting as a separate component, and emphasize that strengthening an entity’s systems of internal control can only be done from the perspective of the organization’s objectives.
- The Framework should further align the various concepts and terminology in relation to risk management and internal control with the other standards, guidance, and frameworks that have been issued since the conception of the original Framework. This includes the definitions of risk and internal control, balancing the positive and negative sides of risk, and rethinking difficult-to-understand concepts such as risk appetite and inherent controls.
IFAC is well-positioned to facilitate a constructive dialogue with the issuers of standards, guidance, and frameworks in the area of governance, risk management, and internal control across the world on how the terminology, various concepts, and guidelines could be better aligned in the future.
Further international alignment is an ambitious and challenging goal, but the potential benefits are significant. It is up to all those responsible for developing, implementing, using, and enforcing requirements and guidelines on governance, risk management, and internal control to work together to produce globally-aligned terminology, concepts, and guidelines that are relevant to all. IFAC and the PAIB Committee look forward to contributing to this collaborative effort.
Additional IFAC Guidance
Despite the existence of sound internal control guidelines, such as the revised COSO Framework, it is often the application of such guidelines that fails or could be further improved in many organizations. With the International Good Practice Guidance, Evaluating and Improving Internal Control in Organizations (IFAC, 2012), the PAIB Committee provides a practical guide focused on how professional accountants in business can support their organization in evaluating and improving internal control as an integral part of its governance system and risk management. The guidance is complementary to existing internal control guidelines and is based on those internal control matters that often cause difficulties in practice. Both the full guidance and an executive summary are available free of charge on the IFAC website.
 This is one of the recommendations in Global Survey on Risk Management and Internal Control (IFAC, 2011).