COSO Framework Holding Strong - Getting a Polish
By J. Stephen McNally, CPA
Many accounting and finance professionals first "discovered" the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal controls framework about ten years ago, with passage of the Sarbanes-Oxley Act of 2002 (SOX).
According to Section 404 of SOX, publicly traded "accelerated filers" must attest that they have an effective system of internal control over external financial reporting. Because the Securities and Exchange Commission (SEC) has allowed such filers to use COSO in making this assessment, the framework has received significant attention ever since. Even so, COSO's Internal Control - Integrated Framework (ICIF) was actually released back in 1992.
Much has changed in twenty years, so COSO expects to release an updated ICIF in early 2013. COSO's board believes the principles embedded in the original 1992 ICIF are timeless, so an updated framework will help organizations more effectively apply internal control over operations, reporting, and compliance.
This article provides an overview of COSO and its framework and includes a perspective on how it has been leveraged by companies, such as my employer, Campbell Soup. More importantly, it provides insight into COSO's recent ICIF Refresh Project, including key drivers behind the initiative, highlights of proposed changes to the original framework, anticipated benefits, and thoughts on implementation.
The 1992 Framework
COSO is a joint initiative of five private-sector organizations: the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA). In response to the 1987 Treadway Commission Report, COSO developed and released its ICIF in 1992. The primary issue at that time was fraudulent behavior and lack of controls in the savings and loan industry.
COSO defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives." COSO's framework designates three sets of business objectives: operations, reporting, and compliance. An organization is supported in its efforts to achieve these objectives by five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. The COSO framework is also adaptable, from the entity level to the divisional, subsidiary, operating unit, or functional level. (See the "COSO Cube" graphic above.)
The 1992 framework is the most widely used framework of its kind in the United States and is commonly used throughout the world, but it was initially narrowly recognized within technical accounting and auditing circles. Broad awareness and adoption did not come until the early 2000s, when Enron, WorldCom, and other financial debacles prompted regulatory agencies to address the impact of weak internal controls on corporate failures. The result was SOX.
Under its Section 404, management at public companies is now required to select an internal control framework and annually assess and report on the design and effectiveness of internal controls.
The SEC set four criteria for acceptable frameworks: they must (1) be free from bias, (2) permit reasonably consistent qualitative and quantitative measurements of internal control, (3) be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control are not omitted, and (4) be relevant to an evaluation of internal control over financial reporting. Most companies have since adopted COSO's framework to meet their Section 404 obligations.
As co-lead of Campbell Soup's original Global SOX Team, I played a key role in defining Campbell's methodology and approach for ensuring compliance with SOX requirements. To begin, we trained more than 300 cross-functional Campbell associates globally. Next, we created subsidiary and functional SOX teams, and then we had those teams begin documenting the design of Campbell's internal controls by location and business process. After the documentation phase, each team tested each of its controls and remediated identified deficiencies as needed.
Historically, Campbell Soup has consistently embraced the importance of a strong internal control environment. Thus, the Global SOX Team's primary challenge was to ensure that each team effectively documented and tested the controls it already had in place.
One aspect of the compliance effort was a bit more challenging. Specifically, SOX requires management to select an overall internal control framework and to assess the design and effectiveness of all components of the framework, not just the control activities component. To develop our methodology and approach related to the overall framework, we turned to COSO's framework, reviewed SOX, and obtained input via public accounting consultants. We successfully completed our comprehensive assessment of Campbell's company-level controls on a timely basis, but we had to sift through reams of guidance to find the kernels of applicable insight. The available guidance, moreover, often had an audit-centric bias rather than a more practical management focus.
Drivers behind the ICIF Refresh Project
Since COSO published its ICIF in 1992, stakeholder expectations have evolved and there have been significant changes in the business environment. A few examples include expectations on governance and oversight, globalization of markets and operations, changes in business models, demands and complexity of regulations and standards, expectations for competency and accountability, use and reliance on evolving technology, and expectations for detecting and preventing fraud.
There have been lessons learned over the past twenty years in applying the original framework, too. The original ICIF included lengthy discussion on internal control concepts that have become institutional knowledge. Also, although it designated three categories of business objectives, the primary focus has been on the reporting objective. Indeed, the focus has often been limited, specifically to external financial reporting vs. external nonfinancial reporting and/or internal reporting. Although the concept of internal control principles and supporting attributes was embedded in the original framework, it was hidden within the details. Thus, streamlining the original framework; codifying underlying principles and attributes; and increasing focus on operations, compliance, and nonexternal financial reporting objectives were additional drivers behind the refresh initiative.
Consensus remains that internal control is a process effected by people, designed to provide "reasonable" vs. "perfect" assurance, and effective in achieving an entity's operational, reporting, and compliance objectives. Thus, COSO's definition of internal control, the components of internal control, the criteria to assess internal control effectiveness, and the need to use judgment are not changing.
The primary goal behind the refresh project, therefore, is not to rewrite the 1992 framework. Rather, COSO wants to update and refresh it, making it more useful and relevant for today's business environment. Based on a survey of more than 700 COSO stakeholders as the project kicked off, about 85 percent of respondents opted for an update instead of a major overhaul of the existing framework.
The first effort is to codify criteria that can be used to develop internal control systems and evaluate the design and effectiveness of a specific system of internal control. Key to this codification are seventeen principles that users can apply using judgment, with each principle clarified by one or more supporting attributes. These principles and attributes, which were embedded in COSO's original framework, have universal application.
COSO's second goal is to expand internal and nonfinancial reporting guidance to support increasing demands for reporting on operational, compliance, and nonfinancial objectives. COSO had always intended that its framework be used across the three categories of business objectives, but the updated version attempts to underscore this point via more robust discussion and examples from a nonexternal financial reporting perspective, such as conformance to ISO 9001.
Reflecting changes in the business environment, the third objective is to make updates to the original framework that enhance and clarify its application in today's business and risk environment. The control environment component, for example, addresses higher regulatory and stakeholder expectations for governance oversight. Other components reflect the impact of globalization; increased use and reliance on evolving technology; higher expectations for detection and prevention of fraud; and new demands and complexity of rules, regulations, and standards. All in all, the updated framework will be much more robust.
COSO believes the refinements to the original framework will ultimately result in a more flexible, reliable, and cost-effective approach to designing and evaluating systems of internal control.
Codification of Internal Control Principles
As noted above, a key change in the update is the codification of seventeen principles that had been embedded in the original framework. These principles, by internal control component, are tentatively worded as follows:
Control environment
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk assessment
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes those risks as a basis for determining how they should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly affect the internal control system.
Control activities
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and via relevant procedures that bring about those policies.
Information and communication
- The organization obtains, or generates, and uses quality relevant information to support the functioning of other internal control components.
- The organization internally communicates information - including objectives and responsibilities for internal control - necessary to support the functioning of other internal control components.
- The organization communicates with external parties regarding matters affecting the functioning of other internal control components.
Monitoring
- The organization selects, develops, and performs ongoing and/or separate evaluations to determine whether the internal control components are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The Value Proposition
Use of COSO's updated internal control framework will benefit multiple stakeholders, including management and boards of directors; external parties, such as key suppliers, customers, and other business partners; and other users, such as independent auditors, regulators, financial analysts, and the news media.
COSO expects the updated framework to deliver a number of benefits, including the following:
- Improved governance
- Expanded use beyond financial reporting
- Improved quality of risk assessment
- Strengthened anti-fraud efforts
- Ability to adapt controls to changing business needs
- Greater applicability for various business models
The updated framework will better support efforts to design and adapt systems of internal control by offering agility, confidence, and clarity; specifically, the agility to adapt to increasing complexity, the confidence to mitigate risks to achieve important objectives, and the clarity to provide reliable information to support sound decision making. The revised internal control guidance applies to, and can benefit, organizations of any size, any legal structure, anywhere in the world.
The 2012 Framework and SOX
The COSO board intends for the updated ICIF to remain consistent with SEC suitability criteria, and fully expects that it will be an accepted framework for use by management and independent auditors in meeting SOX requirements. For a company such as Campbell Soup, which has been effectively leveraging COSO's 1992 framework to meet SOX compliance requirements, the updated version should create little, if any, additional work. Because the updated framework represents an evolution of, but remains consistent with, the original, it should not impose a higher level of control. In fact, by codifying the principles and attributes embedded in the original, the updated framework should clarify how to more successfully apply it in designing, implementing, operating, and evaluating the effectiveness of a system of internal control.
For some organizations, the enhanced focus on principles may highlight areas they did not appropriately address before, leading them to strengthen some components of internal control. Likewise, to align with COSO's updated framework, some companies may need to update their documentation or testing of the design and operating effectiveness of their overall internal control system.
In terms of implementation timing, the COSO board is deliberating the appropriate transition plan and is expected to make a recommendation based on comments received during the public exposure period. The COSO board anticipates that regulators will provide transition and implementation guidance after release of the final draft of the updated framework.
Internal Control over External Financial Reporting
As mentioned before, the updated framework expands the original framework's financial reporting objective to more broadly represent reporting overall, recognizing the existence of external nonfinancial reporting as well as internal financial and nonfinancial reporting. Some have expressed concern that the emphasis on financial reporting prevalent in the original framework could be lost or diluted in the updated version, negatively affecting regulatory reporting.
The COSO board intends to issue a companion document to the overall ICIF, currently titled Internal Control over External Financial Reporting (ICEFR) Approaches and Examples. This companion document will provide illustrative examples of applying the principles of the updated framework to external financial reporting. These practical examples should assist management in designing and implementing internal controls over this subcategory of the overall reporting objective. The ICEFR document, however, will not replace, supersede, or modify the guidance in the updated framework.
By addressing the changes that have occurred in the business environment and the changed expectations in the marketplace, COSO's updated ICIF should help most organizations more effectively put into practice internal controls over operations, reporting, and compliance. All organizations charged with applying judgment in managing risk and improving performance in an increasingly complex and rapidly changing environment should benefit from COSO's updated ICIF.
COSO's updated ICIF was available for public exposure and comment from mid-December 2011 through March 2012. The COSO board hopes to formally release the updated framework in early 2013.
About the author:
J. Stephen McNally, CPA, is finance director and controller for Campbell Soup's North America Supply Chain - Napoleon Operations in Napoleon, Ohio. McNally is a member of the IMA global board of directors, IMA's representative on the COSO ICIF Refresh Project Advisory Council, and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at [email protected].
Reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants.