Many organizations have implemented the framework established by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) in the design of their internal control structure. COSO is an organization that provides thought leadership and guidance on internal control, enterprise risk management (ERM), and fraud deterrence. In May 2013, COSO released a long-awaited update to its Internal Control – Integrated Framework. Originally established in 1992, the framework has gained broad acceptance and has been widely used in conjunction with reporting on the effectiveness of internal control over financial reporting (ICFR) by most companies.
Neither for-profits nor not-for-profits are required to follow COSO’s advice, but the commission has suggested that organizations transition to the 2013 framework by December 15, 2014. Auditors generally rely on the framework’s components when they assess internal controls. Additionally, the Single Audit Uniform Guidance (formerly OMB Circular A-133) which applies to many not-for-profit organizations that receive Federal grant awards, has required auditors to use the original framework in evaluating internal controls.
All key stakeholders, including management and members of the Board of Directors, should recognize the 2013 framework does not require an organization to redesign the system of internal control that is currently effective. However, the process of adopting the 2013 framework may identify gaps in the organization’s system of internal controls where controls and/or documentation needs to be added or improved. The transition to the 2013 framework also presents opportunities for organizations to challenge their current internal control system and make enhancements and/or rationalize approaches. Since the release of the original framework, businesses have become increasingly complex, technologically driven, and more global in scope. Stakeholders are more engaged in the business and are seeking greater transparency and accountability for the integrity of internal control that supports business decisions and governance.
COSO’s enhancements to the 2013 framework are intended to:
- Address significant changes in the business environment and associated risks;
- Specify criteria to use in the development and assessment of internal control; and
- Increase the focus on operations, compliance, and non-financial reporting objectives.
What Hasn’t Changed?
It is important to recognize that a number of the core concepts of the original framework have not changed. The 2013 framework retains the following concepts from the original framework:
- The five components that are required for an effective system of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
- The three categories of objective of internal control:
- Reporting
- Effectiveness and efficiency of operations
- Compliance with laws and regulations
What is Different?
The 2013 framework includes many enhancements and updates. One of the biggest changes is the articulation of the 17 principles that are concepts underlying the five components. While the original framework implicitly reflected these underlying principles, the 2013 framework explicitly states each principle and requires that all 17 principles be present and functioning to have effective internal control. To help organizations understand the 17 principles, COSO included “points of focus” in the 2013 framework. These points of focus are intended to help organizations design, implement, conduct, and assess whether the relevant principles are present and functioning. However, while the 2013 framework establishes that the 17 principles need to be present and functioning in the effective system of internal control, organizations are not required to demonstrate that all of the points of focus are present and functioning.
Other Enhancement to the 2013 Framework Include:
Clarifying requirements for effective internal control
The 2013 framework requires that:
- Each of the five components of internal controls and relevant principles are present and functioning.
- The five components are operating together in an integrated manner.
Clarifying the role of objective setting in internal control
The 2013 framework (like the original) states that objective setting is a management process and not part of the system of internal control. The 2013 framework clarifies the process of setting objectives is a precondition to the design and implementation of an effective internal control.
Enhances governance concepts
The 2013 framework expands the discussion of governance relating to the Board of Directors and Audit Committees.
Enhances consideration of anti-fraud expectations
The 2013 framework contains considerably more discussion on fraud and also considers the potential causes of fraud as a separate principle of internal control.
Reflects the increased relevance of technology
In recognition of technology’s pervasive impact on systems of internal control, the 2013 framework includes a principle specifically focused on the role of technology as part of an organization’s control activities. Increases the focus on non-financial reporting objectives This expended focus on operations, compliance, and non-financial reporting objectives has resulted in more robust guidance in these areas.
As with the original framework, this guidance is not a requirement for non-public entities. However, these publications should be viewed as best practices. The task force responsible for the updated framework included representatives from the not-for-profit community, so clearly not-for-profit organizations are viewed as potential users of the model. This model is a universal model, not a public company model. The 17 principles under the five elements are scalable and will lead any size organization to better footing as it tries to meet its objectives in operations, financial and non-financial reporting, and compliance.
For more information, please visit the COSO website at www.coso.org
By: Lila Leno, CPA | Senior Manager
