Introduced in 1992, the Committee of Sponsoring Organisations of the Treadway Commission’s Internal Control – Integrated Framework (COSO IC-IF, or the “Framework”) has become the most widely adopted control framework worldwide. 20 years later, in response to an increasingly complex, technologically driven, and global business environment, COSO has developed an updated Framework designed to reflect key issues for future organisational success. The new Framework, authored by PwC, was released in May 2013 and can be downloaded at www.coso.org.
While the fundamentals of the 1992 Framework remain unchanged (dealing with the definition and components of internal control, criteria used to assess effectiveness, etc.), the update released in May 2013 emphasises the importance of internal control to mitigating risk and achieving business objectives. Areas of focus include:
Today, many companies enjoy mature, tested internal control systems related to external financial reporting that will not require significant modification or enhancement under the updated Framework. The goal, then, is to apply the Framework to new challenges. That is, if organisations have been successful in having internal control over financial reporting taken seriously, why not consider how the same concepts can be applied to other major business objectives? Furthermore, why not consider how the principles of COSO IC-IF, embedded in the hearts and minds of company executives, could provide a foundation for enhanced abilities to identify, analyse, and respond to risks?
The new Framework gives management an opportunity to adopt a principles-based approach to establishing, maintaining, and evaluating internal control to address the specific risks of greatest concern to the organisation. It also provides them with an opportunity to apply a consistent, company-wide approach to internal control, embedding accountability and responsibility throughout the enterprise to reduce the likelihood of risks interfering with business objectives.
Management and other personnel in key operational roles, such as sales operations, inventory management, IT security, international expansion and others, are most important to internal control. They are closest to where risks exist and to the changes in the business that could impact risks—and therefore, they are best positioned to spot new or changing risks, or identify when an issue is likely to occur. They can best define the approach to address risks. Leveraging a common framework, they can more effectively and efficiently leverage people, process, and technology to gather and share information, establish controls to address risks, and monitor whether controls are effective. Combined with strong oversight for senior management and the board, an internal control system leveraging the IC-IF can enhance confidence and improve the likelihood that objectives will be achieved.
Chief Audit Executives (CAEs) are well positioned to help management and boards understand the unlocked potential of an expanded application of the Framework for their organisations. They should read the new IC-IF thoughtfully to help management assess whether their current application of the Framework addresses all of the principles. They should pay particular attention to the concepts clarified in the updated Framework related to the expectation that the 5 components of internal control and the 17 principles be "present and functioning" and "operating together." By understanding the principles and the importance of each of the components supporting the others, management can begin to envision the benefits of applying these concepts to: