The new COSO Internal Control – Integrated Framework

Internal control guidance to help you manage risk

Introduced in 1992, the Committee of Sponsoring Organisations of the Treadway Commission’s Internal Control – Integrated Framework (COSO IC-IF, or the “Framework”) has become the most widely adopted control framework worldwide. 20 years later, in response to an increasingly complex, technologically driven, and global business environment, COSO has developed an updated Framework designed to reflect key issues for future organisational success. The new Framework, authored by PwC, was released in May 2013 and can be downloaded at www.coso.org.

While the fundamentals of the 1992 Framework remain unchanged (dealing with the definition and components of internal control, criteria used to assess effectiveness, etc.), the update released in May 2013 emphasises the importance of internal control to mitigating risk and achieving business objectives. Areas of focus include:

  • The increasing complexity in businesses, which is testing management's and boards' abilities to predict the risks of greatest concern.
  • More proactive, holistic risk assessment that identifies and evaluates new as well as existing risks, tests processes to manage them, and considers how changes could affect the company's risks.
  • Growth opportunities and risks associated with evolving technology.
  • An expansion into non-financial reporting to address increased stakeholder expectations for transparency across compliance, regulatory, contractual, security, and other areas.
  • The overlapping and often conflicting demands presented by new regulations, laws, standards, and stakeholder expectations.

Today, many companies enjoy mature, tested internal control systems related to external financial reporting that will not require significant modification or enhancement under the updated Framework. The goal, then, is to apply the Framework to new challenges. That is, if organisations have been successful in having internal control over financial reporting taken seriously, why not consider how the same concepts can be applied to other major business objectives? Furthermore, why not consider how the principles of COSO IC-IF, embedded in the hearts and minds of company executives, could provide a foundation for enhanced abilities to identify, analyse, and respond to risks?

The new Framework gives management an opportunity to adopt a principles-based approach to establishing, maintaining, and evaluating internal control to address the specific risks of greatest concern to the organisation. It also provides them with an opportunity to apply a consistent, company-wide approach to internal control, embedding accountability and responsibility throughout the enterprise to reduce the likelihood of risks interfering with business objectives.

Management and other personnel in key operational roles, such as sales operations, inventory management, IT security, international expansion and others, are most important to internal control. They are closest to where risks exist and to the changes in the business that could impact risks—and therefore, they are best positioned to spot new or changing risks, or identify when an issue is likely to occur. They can best define the approach to address risks. Leveraging a common framework, they can more effectively and efficiently leverage people, process, and technology to gather and share information, establish controls to address risks, and monitor whether controls are effective. Combined with strong oversight for senior management and the board, an internal control system leveraging the IC-IF can enhance confidence and improve the likelihood that objectives will be achieved.

Chief Audit Executives (CAEs) are well positioned to help management and boards understand the unlocked potential of an expanded application of the Framework for their organisations. They should read the new IC-IF thoughtfully to help management assess whether their current application of the Framework addresses all of the principles. They should pay particular attention to the concepts clarified in the updated Framework related to the expectation that the 5 components of internal control and the 17 principles be "present and functioning" and "operating together." By understanding the principles and the importance of each of the components supporting the others, management can begin to envision the benefits of applying these concepts to:

  • Enhance internal control across the organisation
  • Enhance the likelihood that risks to business objectives will be identified and addressed
  • Leverage to the rest of the organisation the investments they've made in applying internal control to external financial reporting.