COSO Expanding 5 Component Internal Control Framework Into 20+ Principles; May Impact Sarbox 404 Assertions | AccountingWEB

COSO Expanding 5 Component Internal Control Framework Into 20+ Principles; May Impact Sarbox 404 Assertions

In an update provided at the March 24, 2010 PCAOB Standing Advisory Group meeting, COSO Chairman Dave Landsittel described COSO's current project to modernize and update its 1992 Internal Control- Integrated Framework. COSO plans to issue an Exposure Draft of a proposed revision later this year, followed by the release of two final documents in 2012:

1. an updated internal control framework, broadly scoped like the current framework, to include internal control over financial reporting, compliance, and operational controls, and

2. a separate document focusing on application of the guidance to internal control over financial reporting (that portion of the guidance most relevant to Sarbanes-Oxley Section 404 internal control attestations).

5 Components To Be Expanded To 20 'Principles,' Additional 'Attributes,' Potential Impact on Sarbox Assertions
Significantly, Landsittel noted that the updated framework "Will focus on 20-plus principles in total, extending over the 5 components [i.e., the 5 components of internal control over financial reporting established in the 1992 framework: control environment, risk assessment, control activities, information & communication, and monitoring], in other words, for each of the 5 components, we’ll have a specific set of principles that support those components, and in each chapter [of the updated framework], we’ll have ‘attributes’ that support those principles."


He noted that the expansion to a 20+ principle and additional attribute approach was first used in COSO's 2006 guidance for small public companies. (Later in the meeting, he noted the small business guidance would likely be superceded by the overall update to COSO's internal control framework, unless the COSO board and advisory task force become aware of a reason to have separate guidance for small companies following the incorporation of a principles based approach and certain other aspects of the 2006 small business guidance into the overall framework update.

Separately, on the question of how this may impact attestations on the effectiveness of internal control by reference to a suitable internal control framework - of which COSO's framework was specifically cited as a suitable framework by the SEC in its Sarbox 404 rulemaking - Landsittel noted, "The fundamental components have not changed, so, on an overall basis, [the Sarbox Section] 404 objectives and focus on the components will not change, but we do believe, with the articiulation of principles, particularly, there will be more guidance that will be helpful in carrying out the guidance in [Sarbox Section] 404. For example, if we have 20 principloes and a conclusion that those [principles] are relevant to any overall conclusion as to the overall effectiveness of internal control, that gives us a a little more concrete area as to what determines an effective system of internal control, and to those who test to it, to determine when it is effective, and when there are shortcomings or weaknesses."

Said another way, the core message as to the potential impact on Sarbox 404 assessments stemming from the changes coming to the COSO framework (changes resulting from the 'update' to modernize the framework to take into account changes in the business environment since the 1992 framework was written, including the advent of the internet, email, and other changes, as well as changes resulting from the expansion of the 5 core components of internal control into 20-plus 'principles' and another layer of more detailed 'attributes' supporting the 20 principles) is summed up on the following slides within the COSO slide deck circulated to PCAOB SAG members:

- slide 15: "It is generally expected that all [20+] principles will, to some extent, be present and functioning for a organization to have effective internal control, [and] When a principle is not being met, some form of internal control deficiency exists."[NOTE: Landsittel commented on this point further later in the meeting, regarding issues like the determination of material weakness, as noted further below.]

- slide 19:
"•Updated Framework intended to remain consistent with SEC suitability criteria
• Updated Framework will be an evolution from the original Framework
An appendix to the [framework] will highlight significant changes in the updated Framework as compared with the original framework
•A companion document will assist organizations in meeting financial reporting objectives
Greater clarity contemplated around the basis for determining significant deficiencies and material weaknesses
•COSO anticipates that regulators will provide any needed transition guidance to filers."

Miles Everson, a partner with audit firm PwC (PwC predecessor firm Coopers & Lybrand coordinated the publication of the original 1992 framework for COSO, and PwC is coordinating the current update of the framework, under the auspices of the COSO Board and a COSO Advisory Council), noted some of the feedback received from a survey it released earlier this year - on which over 650 responses were received - pointed out: (1) The need to create greater clarity around the role of the control environment, vs. reliance put on control activities, (2) The role of the monitoring component, and what constitutes appropriate monitoring for Sarbox 404 purposes, and (3) A general sense there is too much reliance on the control activities component.

Read additional highlights from PCAOB SAG Members Q&A with COSO's Landsittel and PwC's Everson, here.

This blog

FEI Financial Reporting Blog provides highlights from SEC, PCAOB, FASB, IASB, and other regulatory news, including reporting under Sarbanes-Oxley Sect 404. It is written by Edith Orenstein, Director of Technical Policy Analysis at FEI

More from this blog

Bloggers crew

Steve Knowles has spent 25 years in business and practice in the UK, but he also worked in the states and the years haven't dulled his way of seeing an alternative view to everyone else, and every day is a new adventure.


Joel M. Ungar, CPA is a lifelong resident of the Detroit area and a graduate of The University of Michigan. He is a principal with Silberstein Ungar, PLLC, a Top 15 auditor of SEC public reporting companies.


Allan Boress, CPA, with over 25 years as a practitioner and consultant to the accounting profession. Mr. Boress is the author of 12 published books in 6 different languages, including a best-seller, The "I-Hate-Selling" Book.


Larry Perry, CPA, CPA Firm Support Services, LLC, is the author of accounting and auditing manuals, author and presenter of live staff training seminars, and author of webcast and self-study CPE programs. He blogs about small audits, reviews, and compilations.

Sandra Wiley, COO and Shareholder, is ranked by Accounting Today as one of the 100 Most Influential People in Accounting as a result of her prominent role as an industry expert on HR and training as well as influence as a management and planning consultant. She is also a founding member of The CPA Consultant's Alliance. Sandra is a certified Kolbe™ trainer who advises firms on building balanced teams, managing employee conflict and hiring staff.

Maria Calabrese, CIR, Human Resources manager for Fazio, Mannuzza, Roche, Tankel, LaPilusa, LLC in Cranford, New Jersey, Maria's topics revolve around the world of: Mentoring, Performance management, and The "Y Generation," a.k.a. "The whY generation".


William Brighenti is a CPA, Certified QuickBooks ProAdvisor, and Certified [Business] Valuation Analyst, operating an accounting, tax, and QuickBooks consulting firm in Hartford, Connecticut, Accountants CPA Hartford.


Ken Garen, CPA, is the co-founder and President of Universal Business Computing Company (, a software development firm of high-volume, high-productivity accounting and payroll technology.


Eva Rosenberg, MBA, EA, is the publisher of, and author of the weekly syndicated Ask TaxMama column. She provides answers to tax questions from taxpayers and tax professionals worldwide.


Amy Vetter, CPA, CITP is the CPA Programs Leader for Intacct Corporation responsible for leading the CPA/BPO Partners nationally.

Brian Strahle is the owner of LEVERAGE SALT, LLC where he provides state and local tax technical services to accounting firms, law firms and tax research organizations across the United States. He also writes a weekly column in Tax Analysts State tax Notes entitled, "The SALT Effect." For more info, visit his website:
Scott H. Cytron, ABC, is president of Cytron and Company, known for helping companies and organizations improve their bottom line through a hybrid of strategic public relations, communications, marketing programs and top-notch client service. An accredited consultant, Scott works with companies, organizations and individuals in professional services (accounting, finance, medical, legal, engineering), high-tech and B2B/B2C product/service sales.

Rita Keller is a nationally known CPA firm management consultant, speaker, author, mentor and blogger. She has over 30 years hands-on experience in CPA firm management, marketing, technology and administrative operations.

Stacy Kildal is the mom of two fantastic kids, an Advanced Certified QuickBooks ProAdvisor, Certified Enterprise Solutions ProAdvisor, Sleeter Group Certified Consultant, a nationally recognized member of the Intuit Trainer and Writer Network, and co-host of RadioFree QuickBooks.
Michael Alter's blog specializes in providing practical advice to those who seek greater profitability and practice management tactics that enhance deeper client relationships.

Sally Glick, CMO, Principal, Marketer of the Year in 2003 and AAM Hall of Famer in 2007, leads a lively discussion of the constantly expanding roles of marketing and the professional marketers that drive this initiative in accounting firms of all sizes.


The IMA Young Professionals Blog features the insights of IMA’s Young Professionals Committee. Committee members share advice and experiences on careers, continuing education, work/life balance, and other issues affecting young accounting and finance professionals.


FEI Financial Reporting Blog provides highlights from SEC, PCAOB, FASB, IASB, and other regulatory news, including reporting under Sarbanes-Oxley Sect 404. It is written by Edith Orenstein, Director of Technical Policy Analysis at FEI.


Sue Anderson has 30 years of experience in continuing education for accountants. Currently she is the program director for online CPE provider CPE Link.


Jim Fahey is COO of Apple Growth Partners, a regional CPA firm in Ohio. His focus is on the effective and efficient use of technology within the firm by all team members.

Caleb Newquist is the Editor-in-Chief of Sift Media US, overseeing content for both AccountingWEB and Going Concern.

Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of "The Yellow Book Interpreted" and owner of a website devoted to training for governmental auditors.


AccountingWEB is more than just a U.S. team of journalists and financial and technology experts - we have an international side, too! Members of our British team who publish share their ideas, insights, and perspectives from across the pond.