On Tuesday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework. COSO was formed in 1985 by the AAA, AICPA, FEI, IIA, and IMA to provide thought leadership in three areas: enterprise risk management, internal controls, and fraud deterrence. The organization released its original internal controls framework in 1992. This week’s update is the first revision to that document, and it represents two and a half years of work by COSO and by PwC, which authored the new framework under the direction of the COSO board.
The COSO Framework is designed to be applied companywide, and it can help managers maintain controls over a wide swath of treasury and finance functions. “When people think of controls, they think of general ledgers and external financial reporting, but the Framework is intended to be applied broadly,” says David Landsittel, chairman of COSO. “We articulate three overall objectives that companies can apply controls to—reporting, compliance, and operations objectives—and there’s overlap between them. In the treasury function, certainly there needs to be control over hedging or trading. Depending on the nature of the organization, that might be an operational control, but it might have financial reporting implications as well.”
Across the three objectives, the COSO Framework presents five key components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring activities. In the latest iteration of the Framework, the core objectives and components remain unchanged from the 1992 version, but this version adds a list of principles associated with each component. The idea is that an organization which abides by these principles can ensure that its internal controls infrastructure meets the standards of the Framework.
“In the updated version of the Framework, we articulate 17 principles that need to be addressed in order to conclude that the five components are present and functioning,” Landsittel says. “We believe that making the principles more explicit makes the document easier to apply because it’s easier to see what it takes to have an effective system.” (The principles are listed at the end of this article.)
In addition to clarifying internal control requirements by articulating these 17 principles, the revised Framework includes broadened operations and reporting objectives—for example, covering internal management reporting as well as external reporting, for both financial and nonfinancial data. It also provides an updated context that reflects the changes in the business environment over the past two decades, including changes in technology, changes in expectations around governance and compliance, and increased complexity in companies’ business models created by practices such as outsourcing.
Still, the controls remain principles-based rather than rules-based. “We think that one size doesn’t fit all, and what is an appropriate control activity for one organization differs from what might be appropriate for another,” Landsittel says. “We believe the Framework has universal applicability for all kinds of organizations, so we don’t get down to what specific control activity or procedure is appropriate in a particular instance. The use of judgment is emphasized throughout. The Framework is relevant to the treasury function, but it isn’t a straitjacket that treasury managers need to worry about.”
An organization that abides by the following 17 principles can conclude that the five key components of its internal controls structure are functioning effectively:
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
These principles come from the updated COSO Internal Control—Integrated Framework. For more information about the current version of the COSO Framework, COSO has made a Q&A and Executive Summary available free of charge.