Institut für Interne Revision Österreich
Schönbrunner Str. 218-220, U4 Center, Stiege B, 3.OG, A-1120 Wien

Date: 10.02.2016
From: Mag. Angela Witzany
Phone: +43 (0) 501006-75272
E-Mail: angela.witzany@internerevision.at

1. Are you a member of one or more of the COSO organizations?
   The Institute of Internal Auditors

2. Are you responding on behalf of yourself or an organization or company?
   Organization

3. Where do you reside?
   Europe

4. Where within your organization do you apply the COSO Framework?
   In selected areas of the organizations only
   4a. Compliance activities: yes
   4b. External financial reporting: yes
   4c. External non-financial reporting: no
   4d. Internal management reporting (financial or non-financial): yes
   4e. Internal control reporting: yes
   4f. Internal audit: yes
   4g. Operations activities: yes
   4h. Other: no

5. The updated Framework will help strengthen an entity’s systems of internal control
   Neither agree nor disagree

6. The updated Framework is internally consistent and logical
   Neither agree nor disagree

7. The updated Framework is written in a manner that is understandable and provides ease of use
   Neither agree nor disagree

8. The updated Framework is applicable to organizations of varying legal structures and sizes, and operating in various geographies and industries
   Somewhat agree

9. The updated Framework will impose additional burdens on entities’ reporting on internal control – e.g. reporting on internal control over external financial reporting based on Sarbanes–Oxley Act of 2002 (SOX) requirements
   Somewhat disagree

9A. If you believe that there is an additional burden, is the change appropriate? If not, why not?
   --

10. Compared to the 1992 framework, the updated Framework creates a higher threshold for attaining effectiveness of internal control
   Neither, the threshold is the same

11. The 17 principles set out in the updated Framework are a complete set of principles
   Somewhat agree

12. The 17 principles with related attributes are helpful in describing important considerations of an effective system of internal control
   Somewhat agree

13. There are necessary changes to the principles
   Somewhat agree

14. An entity can conclude that it has effective internal control if one or more of the 17 principles are not present and functioning
   Neither agree nor disagree

15. The updated Framework appropriately expands the reporting objective category (i.e. internal and external reporting, financial and non-financial reporting)
   Somewhat agree

16. The expanded reporting objective, and the manner in which this objective category is presented in the Framework, does not diminish our ability to apply the Framework when reporting on internal control over external financial reporting
   Strongly agree

17. The updated Framework provides an appropriate balance of reporting, operations, and compliance related approaches and examples
   Somewhat agree

18. Are there any other general comments that you would like to provide?
   Knowledge in management not widespread and in ‘competition’ with ISO and COBIT hard to argue with management
   Change from ‘financial reporting’ to ‘reporting’ means covering many areas not yet covered because of too narrow view in original version 1992
   Status of ‘compliant with COSO’ cannot be independently and objectively stated
   Parallel existence of COSO IC-IF and COSO ERM could/should be transformed to either a merged new framework or transformed to two steps of development (simplified – expert)
   Exact differences between the old and new document are hard to establish as there exists no mark-up version with the changes highlighted

Institut für Interne Revision Österreich – IIA Austria
Mag. Angela Witzany, CIA, CRMA
President IIA Austria