COSO is coming out with a revision to the famous 'COSO Cube' and they have submitted a draft for public comment. The COSO Cube provides the basis for all internal control infrastructures, including Sarbanes-Oxley implementations, and it gives guidance on how to structure and audit control procedures. PwC participate in the update and they have provided a nice synopsis below of the pending change:
In brief: COSO releases updated "Internal Control -- Integrated Framework" for public comment
Author name: Assurance services
On Monday, December 19, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence – released, for public comment, an updated Internal Control – Integrated Framework (updated Framework) intended to help organizations improve performance with greater agility, confidence and clarity. Authored by PwC, theupdated Framework addresses significant changes in the business and operating environment and associated risks since COSO issued the original in 1992. This In brief provides an overview of the updated Framework.
On Monday, December 19, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence – released, for public comment, an updated Internal Control – Integrated Framework (updated Framework) intended to help organizations improve performance with greater agility, confidence and clarity. Authored by PwC, the updated Framework addresses significant changes in the business and operating environment and associated risks since COSO issued the original in 1992.
What are the key provisions of the updated Framework?
PwC authored the original 1992 Internal Control – Integrated Framework (the 1992 Framework), which is by far the most prevalent framework used to comply with SEC reporting requirements in the US and is widely used around the world. The principles implicit in the 1992 Framework remain relevant today and have withstood the test of time.
What is not changing in the updated Framework?
The updated Framework retains the familiar cube as the visual depiction of how internal controls operate within entities. What is essentially unchanged are:
- The definition of internal control, which is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
- The five components of internal control, namely Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
- The criteria used to assess effectiveness of systems of internal control.
- The use of judgment in evaluating the effectiveness of systems of internal control.
What factors are driving the need for updating the 1992 Framework?
In the nearly 20 years since the inception of the 1992 Framework, business and operating environments have become increasingly more complex and have changed dramatically. These changes include:
- Higher expectations for governance oversight from both regulators (such as the SEC and PCAOB in the US) and stakeholders, including increased scrutiny to prevent and detect material misstatements, loss of assets, and corruption;
- Increasing globalization of markets and operations;
- Changes in business models, such as expanded use of shared service centers and outsourced service providers; and
- The expanded role that technology plays in improving business performance, business processes, and decision making.
What are the proposed changes in the updated Framework?
The updated Framework incorporates the following changes:
- Codifying the key principles implicit in the 1992 Framework into 17 explicit statements with universal application for use in developing and evaluating the effectiveness of internal controls systems.
- Broadening the financial reporting objective to address internal and external, financial and non-financial reporting objectives.
- Increasing the focus on operations, compliance and non-financial reporting objectives.
With the expansion of the Financial Reporting objective to include other reporting aspects, how is COSO retaining the emphasis on financial reporting?
COSO has also engaged PwC to prepare a companion document that will focus on internal control over external financial reporting. Patterned after COSO's 2006 Guidance for Smaller Public Companies (which was also authored by PwC), this companion document will provide practical approaches and examples supporting the preparation of published financial statements.
All companies (public and private) as well as not-for-profit and governmental entities that use the 1992 Framework as the basis for designing and implementing their system of internal control will be affected by this update.
What’s the proposed effective date?
COSO has not specified an effective date or a transition period for adopting the updated Framework. Recognizing the importance of these considerations, COSO plans discussions with regulators and other stakeholders before making a final determination.
The comment period on the updated Framework ends on March 31, 2012. COSO expects to release for 60-day public comment the companion document on internal control over external financial reporting in the late spring or early summer of 2012. COSO plans to issue both documents together in final form in the fourth quarter of 2012.