On Tuesday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework. COSO was formed in 1985 by the AAA, AICPA, FEI, IIA, and IMA to provide thought leadership in three areas: enterprise risk management, internal controls, and fraud deterrence. The organization released its original internal controls framework in 1992. This week's update is the first revision to that document, and it represents two and a half years of work by COSO and by PwC, which authored the new framework under the direction of the COSO board.

The COSO Framework is designed to be applied companywide, and it can help managers maintain controls over a wide swath of treasury and finance functions. “When people think of controls, they think of general ledgers and external financial reporting, but the Framework is intended to be applied broadly,” says David Landsittel, chairman of COSO. “We articulate three overall objectives that companies can apply controls to—reporting, compliance, and operations objectives—and there's overlap between them. In the treasury function, certainly there needs to be control over hedging or trading. Depending on the nature of the organization, that might be an operational control, but it might have financial reporting implications as well.”

Across the three objectives, the COSO Framework presents five key components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring activities. In the latest iteration of the Framework, the core objectives and components remain unchanged from the 1992 version, but this version adds a list of principles associated with each component. The idea is that an organization which abides by these principles can ensure that its internal controls infrastructure meets the standards of the Framework.

“In the updated version of the Framework, we articulate 17 principles that need to be addressed in order to conclude that the five components are present and functioning,” Landsittel says. “We believe that making the principles more explicit makes the document easier to apply because it's easier to see what it takes to have an effective system.” (The principles are listed on page 2 of this article.)

In addition to clarifying internal control requirements by articulating these 17 principles, the revised Framework includes broadened operations and reporting objectives—for example, covering internal management reporting as well as external reporting, for both financial and nonfinancial data. It also provides an updated context that reflects the changes in the business environment over the past two decades, including changes in technology, changes in expectations around governance and compliance, and increased complexity in companies' business models created by practices such as outsourcing.

Still, the controls remain principles-based rather than rules-based. “We think that one size doesn't fit all, and what is an appropriate control activity for one organization differs from what might be appropriate for another,” Landsittel says. “We believe the Framework has universal applicability for all kinds of organizations, so we don't get down to what specific control activity or procedure is appropriate in a particular instance. The use of judgment is emphasized throughout. The Framework is relevant to the treasury function, but it isn't a straitjacket that treasury managers need to worry about.”

An organization that abides by the following 17 principles can conclude that the five key components of its internal controls structure are functioning effectively:

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

These principles come from the updated COSO Internal Control—Integrated Framework. For more information about the current version of the COSO Framework, COSO has made a Q&A and Executive Summary available free of charge.
