The most widely used framework for internal control assessments is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Many public companies also rely on the framework to assess the effectiveness of internal control over external financial reporting (ICEFR) under Sarbanes-Oxley (SOX) Section 404.
Three factors within COSO’s Internal Control-Integrated Framework make it easier to design and evaluate the effectiveness of internal control:
- Inclusion of internal control principles. Seventeen principles explain concepts associated with the five internal control components. Each of the five components of internal control and relevant principles must be present and functioning.
- Consideration of business changes. The framework includes guidance for assessing risk and updating related controls that consider how business may have changed, particularly through outsourcing of business processes and reliance on information technology.
- Beyond financial reporting. Objectives are expanded beyond financial reporting, to include internal and non-financial external reporting.
The seventeen COSO principles are grouped by component:

| Control environment | Risk assessment | Control activities |
|---|---|---|
| Demonstrates commitment to integrity and ethical values | Specifies suitable objectives | Selects and develops control activities |
| Exercises oversight responsibility | Identifies and analyzes risk | Selects and develops general controls over technology |
| Establishes structure, authority, and responsibility | Assesses fraud risk | Deploys through policies and procedures |
| Demonstrates commitment to competence | Identifies and analyzes significant change | |

| Information and communication | Monitoring |
|---|---|
| Uses relevant information | Conducts ongoing and/or separate evaluations |
| Communicates internally | Evaluates and communicates deficiencies |

Fundamental concepts remain similar to the 1992 original, but the updated framework released in 2013 also includes points of focus describing the characteristics that underlie each principle. These points are not required for assessing the effectiveness of internal control. However, management can use the points to design, implement, and evaluate internal controls. The points also help assess if relevant principles are present and functioning. The framework also explicitly considers potential sources of fraud when assessing risks to the achievement of an organization’s objectives. These sources include management override, safeguarding of assets, incentives, pressures, and opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify these acts.
COSO has encouraged users to transition their application and related documentation to the updated framework as soon as is feasible, as the updated framework will supersede the original after December 15, 2014. During the transition period, COSO also suggests that any organizations reporting externally should clearly disclose whether the original or updated framework was utilized. As a result, when companies provide their annual assessment of ICEFR in accordance with SOX, the user should indicate which framework they used to perform the assessment.
Recommended approach for adopting the framework:
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.