The COSO framework that forms the basis for much of Corporate America’s internal control is getting a makeover.
The Committee of Sponsoring Organizations of the Treadway Commission said it is getting started on a project to review and update its “Internal Control – Integrated Framework,” which most public companies have followed for years to establish and maintain their control environments. The COSO framework became especially important when Sarbanes-Oxley required companies to report on the effectiveness of their internal controls over financial reporting in producing reliable financial statements.
COSO has enlisted the help of Big 4 firm PwC to update the framework, with an eye toward making the framework and its related evaluation tools more relevant in an increasingly complex business environment. First developed in 1992, the basic components of the existing framework are still applicable, said COSO Chairman David Landsittel in a statement. “But the detailed guidance and examples are somewhat dated,” he said.
The project is not intended to change how internal controls are designed, assessed, or managed, nor will it change the core principles behind the framework, COSO said. Instead, it is intended to provide more comprehensive and relevant conceptual guidance and practical examples, and to facilitate better dialogue regarding internal control, the commission said.
As an example, COSO said certain concepts and guidance in the existing framework will be refined to reflect the evolution of the operating environment as well as the changed expectations of regulators and other stakeholders. Additionally, enhancements are expected to consider guidance on operations and compliance beyond financial reporting.
The existing COSO framework has long been widely accepted as the internal control standard for companies adopting and evaluating internal control related to operations, compliance and financial reporting. It took on a whole new level of significance when companies followed the same framework to establish their internal control over financial reporting in compliance with the 2002 Sarbanes-Oxley Act.
While PwC has been charged with leading and directing the framework update, COSO is forming an advisory council to represent industry, academia, government agencies and not-for-profit organizations to gain input on the update. The revised framework will be exposed for public comment before it is finalized. COSO predicts it will be published in 2012.
Miles Everson, project team leader with PwC, said the updated framework will help companies more effectively design and manage internal control, and it will better explain how the framework is related to other COSO guidance, including the Enterprise Risk Management – Integrated Framework, the Internal Control over Financial Reporting – Guidance for Smaller Public Companies, and the 2009 Guidance on Monitoring Internal Control Systems.
Tim Leech, chief methodology officer for consulting firm Risk Oversight and a longtime proponent of updating the COSO framework, said the project is a “positive development,” although he’s disheartened it won’t open up the core definition of internal control or the core framework for review. He says the update will provide a needed opportunity to emphasize some key elements that are currently “buried pretty deep” in the existing framework.