COSO Issues Updated Internal Control Framework

By Cydney Posner

Last week, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated Internal Control–Integrated Framework (2013 Framework) and related documents. The original framework, published in 1992, is widely identified by public companies as the framework used by management to assess the effectiveness of their internal control over financial reporting. The 2013 Framework was authored by PricewaterhouseCoopers under the direction of the COSO Board. At the same time, COSO issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. The Illustrative Tools are designed to provide templates and scenarios that may be useful in applying the 2013 Framework, to "assist users when assessing whether a system of internal control meets the requirements set forth in the updated Framework." The ICEFR Compendium provides practical approaches and examples that illustrate how the components and principles set forth in the 2013 Framework can be applied in preparing external financial statements and, therefore, "is particularly relevant to those who prepare financial statements for external purposes based upon requirements set forth in the updated Framework."

As indicated in the FAQs, the 2013 Framework "builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control – Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. The requirement that each of the five components is present and functioning for an effective system of internal control remains fundamentally unchanged. The Framework continues to emphasize the importance of management judgment in designing, implementing and conducting internal control, and in assessing its effectiveness. The COSO Board wants the core strengths of the original framework to be preserved and the enhancements and clarifications included in the Framework to ease its use and application. The Framework and related illustrative documents are intended to (i) clarify the requirements of effective internal control, (ii) update the context for applying internal control by reflecting many of the changes in business and operating environments, and (iii) broaden its application by expanding the operations and reporting objectives." For example, "[o]ne of the more significant updates is the formalization of fundamental concepts introduced in the original framework." The 2013 Framework also takes into account changes in the business environment, including evolving technologies, increased complexities and globalization.

COSO believes that, depending on each user's particular circumstances, users should transition to the updated 2013 Framework as soon as is feasible. COSO will continue to make available its original framework during the transition period extending to December 15, 2014, after which time COSO will consider it as superseded by the 2013 Framework. COSO will also continue to make available its Guidance for Smaller Public Companies only until December 15, 2014. COSO recommends that, during the transition period, organizations reporting externally should clearly disclose whether they used the original framework or the 2013 Framework.

For the hardcore among you whose eyes didn't glaze over just reading this email, you can get more of the same in the executive summary at http://www.coso.org/documents/COSO%202013%20ICFR%20Executive_Summary.pdf.