On 14 May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its 1992 Internal Control - Integrated Framework (referred to hereafter as "COSO 2013"). As such, our clients, colleagues and friends are a
The key concepts of COSO remain. COSO 2013 still insists that internal control is a process effected by people at all levels of the organisation (not merely policies, manuals, forms and the like); that it should be designed to help the company achieve its business objectives; and that it provides reasonable assurance, not absolute assurance, to the board and top management.
The COSO cube is almost unscathed, and for good reason. It remains a strong illustration of a company's internal controls and of how they connect across control objectives. One notable change is the renaming of the "Financial Reporting" objective to "Reporting", reflecting the evolving nature of a company's business: reporting now takes various forms and occurs at various times, not just in the annual financial statements. The new cube also makes explicit that each component should reach every level of the organisation, whether it is structured by subsidiaries, divisions, business units or functions/departments.
The most important part of the update is the codification of 17 principles, mapped to the 5 COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities). While conceptually similar to the 1992 version, COSO 2013 expands and clarifies each component and principle, including the introduction of "points of focus", of which there are over 70 in total. For example, in the Monitoring Activities component, principle 17 (evaluates and communicates deficiencies) expects the organisation to evaluate internal control deficiencies and communicate them in a timely manner to the parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Accordingly, COSO 2013 attaches 3 points of focus to principle 17, which expect the organisation to have a clear process for how it 1) assesses results, 2) communicates deficiencies and 3) monitors corrective actions.
Topics such as considering the potential for fraud when assessing risks to the achievement of company objectives have also been added. Specific pointers are given to help the organisation recognise red flags for fraudulent reporting (e.g. the geographic regions in which the entity operates and conducts business, incentives, excessive estimates and judgements in preparing external reporting, and even management's preferences in selecting accounting principles and treatments for certain transactions).
COSO 2013 expects all 5 components and their related principles to be present and functioning in the organisation. "Present" means that the relevant principles exist in the design and implementation of the system of internal control; "functioning" means that these components and principles continue to operate in the conduct of the system of internal control as it pursues the determined objectives. In short, the organisation should incorporate all COSO components and principles (except in very rare circumstances) into its internal control design and ensure that they are continuously performed in order to achieve the organisation's objectives.
The change in the framework may affect an organisation in many ways. If a company uses the COSO 1992 framework to comply with Sarbanes-Oxley or J-SOX, its current internal controls may not clearly show and/or document that the 17 principles are present and functioning, so updates to the control design and documentation may be required. To help companies apply COSO 2013, COSO developed the Internal Control over External Financial Reporting compendium (the ICEFR Compendium). It also developed illustrative tools that provide examples for companies to use as a reference. These are merely examples, however, and should not simply be copied to effect the change. Auditors should ensure that their audit programmes cover the 17 principles and may require companies to enhance their business documentation.
With the new framework, it is easier for both auditors and management to determine which areas lack controls. To fully understand how your company is affected, it is highly recommended that key personnel such as the chief audit executive or risk managers read and understand COSO 2013. They should then help educate not only the C-suite but also operations and functional managers.
The change requires a review, and potentially updates, of a number of processes, activities and documents, which will make the company's internal controls more effective and efficient. In the long run this should save the company cost and better equip it to attain its business objectives.
Aldwin Gatchalian is a senior manager in Enterprise Risk Services at Deloitte Thailand.