COSO has published the final version of its newly revised internal control framework, along with two additional resources, which should set public companies in motion to fully review their internal controls to ensure they reflect the latest guidance.
The Committee of Sponsoring Organizations of the Treadway Commission has updated its Internal Control-Integrated Framework to reflect changes in business and operating environments in the past two decades. The 1992 framework was overhauled by the COSO board with the help of PwC to help organizations update the design and implementation of internal controls based on modern business conventions. The COSO board also means for the update to broaden the application of internal control in addressing operations and reporting objectives, and to clarify the requirements for determining what constitutes effective internal control.
In addition to the updated internal control framework, COSO also finalized and published two companion documents that are available for purchase with the updated framework. The first, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, is intended to help companies assess whether their particular system of internal control meets the requirements of the updated internal control framework. The second document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, provides some examples that are especially pertinent to public companies because they prepare financial statements for external reporting purposes.
COSO Chairman David Landsittel says the board chose to update the framework for three fundamental reasons. “The context of business compared with what we have today has changed significantly,” he says. “Business models have become more complex. We have more outsourcing, more joint ventures, and these kinds of things affect controls.” Governance expectations have increased, he says, especially for boards of directors, audit committees, and compensation committees, so the framework needed to be updated to reflect those newer demands. Finally, technology has changed drastically. “We may have had Internet and e-mail in 1992 but not like they are used today,” he says. “Plus we have mobile technology and cell phones, and they all impact controls.”
COSO's framework is the most widely used means of ensuring compliance with Sarbanes-Oxley requirements to maintain an effective system of internal control over financial reporting, and it has even been endorsed by the Securities and Exchange Commission. The board spent more than two years drafting the updated framework and taking in feedback and comments before finalizing it.
The COSO board says it believes users should transition their applications and related documentation to reliance on the new framework as soon as possible. To facilitate transition, COSO says it will continue to make the old framework available for use through Dec. 15, 2014. However, the board says all organizations should clearly disclose which framework they are relying on in any external reporting. After Dec. 15, 2014, COSO will regard the old framework as obsolete. The new framework also supersedes COSO's internal control framework targeted specifically to smaller companies on the same date.