A Quick Guide to COSO Internal Controls 2013 Changes

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its COSO Internal Control – Integrated Framework document all the way back in 1992 to assist publicly traded organizations adhere to the Sarbanes-Oxley Act (SOX) Section 404. COSO considers internal controls to be an integral part of enterprise risk management (as does LogicManager), and as such, any changes to the COSO Internal Controls best practices has a direct effect on organizations with Enterprise Risk Management programs.

It seems timely then, with the release of an updated version of COSO Internal Controls – Integrated Framework, to take a quick look at the changes made and what Risk Managers should be aware of for their own Enterprise Risk Management Programs.

Why did COSO need to update its Framework?

Besides it predating the rise of the internet?! COSO needed to update its framework for a variety of reasons, many of which you might expect. The regulatory environment is more demanding and the penalties more severe than they were in 1992. More importantly, the actual speed of business has dramatically increased. The original framework, while comprehensive, was cumbersome to both read and implement. Businesses today value operational efficiency, so the new framework has been slimmed down to cover what’s most critical to business today in the areas of financial reporting, compliance, and operations management.

OK, but how much did they actually change?

The structure of the information should look familiar. There are three categories of objectives – Financial Reporting, Operations, and Compliance – and 5 components of internal controls – control environment, risk assessments, control activity, information and communication, and monitoring activities. The reporting narrative had been adapted to include more than just external financial reporting, and the introduction of 17 codified principles, or more detailed points of focus, gives the document a more detailed, step-by-step approach that may remind organizations of the Risk Maturity Model structure.

This new structure should assist organizations in applying the Internal Controls framework more broadly, and make it easier to conduct gap analysis between current and ideal adherence.

It doesn’t sound like they changed all that much, is there anything I have to do if my organization currently uses COSO?

That all depends on the specifics of your organization’s internal controls framework. COSO’s 1992 Framework was highly relational, mapping the connection between internal controls, financial statements, monitoring activities, and various organizational objectives. If your company’s internal controls have already been mapped, your adjustment might be as easy as taking those relationships one step further and mapping to the now codified principles under each of the 5 components. If you haven’t yet formalized that mapping process, you might benefit from the exploration of relational tools that can assist with that process.

That all sounds like it could be more trouble than its worth, what’s the benefit of updating our framework?

The new framework will improve how your organization identifies gaps in its internal control environment, and a well-documented procedure can pay off in the event of a control failure. Internal controls is a critical component of Enterprise Risk Management, and integrating the two functions into a single, non-silo platform can drive the continuous improvement the board is looking when they adopt guidelines like COSO. COSO recommends organizations complete their transition no later than December 15, 2014, at which point they’ll consider the original framework superseded.