COSO Framework
Changes to COSO framework = more versatile and cost effective approach.
plantemoran.com

I. Changes to the COSO Framework

Maintaining a sound control environment is a critical component of mitigating risks inherent in a continuously changing economic, technological, and regulatory environment. Organizations are expected to provide swift, effective, and socially responsible measures to safeguard against these risks. Enter the Committee of Sponsoring Organizations of the Treadway Commission (COSO), who published Internal Control — Integrated Framework in 1992 to provide a common definition of internal control and an efficient method to analyze and evaluate internal controls. COSO’s Internal Control — Integrated Framework (COSO’s Framework) became the best-practice standard for 20 years.

The final version of the updated COSO framework was released to the public on June 6, 2013. While the changes to the framework will not result in substantial changes for organizations with a control environment deemed to be effective, the updates will result in a more versatile and cost-effective approach to the design and evaluation of organizational internal control systems. Additionally, this should not impact the attestation process under SOX 404. Here is a brief overview of COSO and its key changes, based on the exposure draft issued in September 2012; although the changes are not final, we do not anticipate a significant change from the exposure draft.

Why Did the Framework Change?

The original Internal Control — Integrated Framework stood unchanged for 20 years. The Committee of Sponsoring Organizations elected to update the framework to reflect the dynamic changes in the business environment by incorporating discussions on the technological advances in business processes and communication, as well as an ever-increasing regulatory atmosphere that impacts an organizational control environment.
The updated framework has been modified to maintain relevance with current and future business environments and will apply to public companies, privately held companies, not-for-profit agencies, and governmental entities. This does not, however, change other COSO Frameworks, such as 2004’s Enterprise Risk Management — Integrated Framework, but will be used alongside the forthcoming update to the Guidance on Internal Control over External Financial Reporting (ICEFR) to update the guidance set forth for Smaller Public Companies.

What Are the Key Changes to the Framework?

The Framework is expected to provide users a number of benefits, highlighted by the following:
• Increased ease of use through revised codification structure
• Enhanced corporate governance
• Improved breadth & scope of risk assessment
• Expansion of guidance for objectives beyond periodic financial reporting
• Consideration of fraud prevention
• Ability to adapt controls to changing business environments
• Consideration of extended business models

The Original Framework

COSO was founded on four critical underlying concepts:
• Internal control is a process toward the achievement of organizational objectives.
• The internal control process is driven by people at all levels of the organization.
• Internal control is a means to achieve objectives within one or more separate but overlapping categories.
• Internal control can provide only reasonable assurance of the achievement of organizational objectives.

The framework further details five framework components, as summarized by the updated COSO Cube for internal controls:
• Control environment
• Risk assessment
• Control activities
• Information & communication
• Monitoring activities

[Figure: the updated COSO Cube for internal controls]

The original five Internal Control — Integrated Framework components remain, but 17 principles from the original framework are now explicitly listed among those five components.
As a result, the framework adopts a principles-and-attributes approach, which provides more detailed guidance for designing and assessing the effectiveness of internal controls. This change is critical because the framework more clearly communicates the fundamental concepts associated with the components of internal control.

The 2012 Framework and SOX

The COSO Framework is expected to remain consistent with SEC suitability criteria and to remain an accepted framework for use by management and independent auditors in meeting SOX requirements. While use of the updated Framework will not result in substantial changes for organizations that have been effectively leveraging COSO’s 1992 framework to meet SOX compliance requirements, the updates to the framework will result in a more versatile and cost-effective approach to the design and evaluation of organizational internal control systems. Because the updated framework represents an evolution of, but remains consistent with, the original, it should not impose a higher level of control and should not impact the attestation process under SOX 404.

Organizational objectives are set by management and represent the activities necessary to achieve that which is set forth in the organization’s vision and mission. The Framework categorizes entity objectives into three basic categories: operations, reporting, and compliance.
• Operations objectives relate to the effectiveness and efficiency of the entity’s operations, including operational & financial performance goals, as well as safeguarding assets against loss.
• Reporting objectives relate to internal & external financial and non-financial reporting. These objectives may concern reliability, timeliness, transparency, or other terms as set forth by entity policy or external regulators.
• Compliance objectives relate to the legal & regulatory environment within which the entity must operate.
The purpose of the internal control system is to ensure that the organizational objectives are met. This is done through the use of internal control components.

II. COSO Framework Structure

A direct relationship exists between organizational objectives, control components (that which is required to meet organizational objectives), and entity structure. This relationship is visually depicted in the form of the COSO cube:
• The three categories of objectives are represented by the columns.
• The five components are represented by the rows.
• The entity structure is represented by the third dimension of the cube.

The COSO Framework maintains that internal control is a highly integrated system in which the components actively impact one another. These component activities, considered to be relevant and suitable for all organizations, often overlap and evolve with changes to the organization’s internal and external environment. The components are as follows.
• Control environment: The internal organizational environment driven by the management operating philosophy, risk appetite, integrity, & ethical values.
• Risk assessment: Risks are identified & the likely impact on the organization is assessed.
• Control activities: Policies & procedures are implemented to ensure organizational objectives and risk-mitigation activities are effectively executed.
• Information and communication: Relevant information is communicated in an acceptable format & timely fashion to enable the organization to meet its objectives.
• Monitoring: The internal control process is continually monitored. Modifications are made to improve internal control activities as a result of the monitoring process.

Each component applies to all three categories of objectives. Control Environment, for example, has a strong and direct effect on the operations, reporting, and compliance objectives through the overall attitude, awareness, and actions of management.
Entities require each of the five components to maintain effective internal control over business activities. However, the entity’s internal control system must be tailored based upon organization-specific factors such as size, risk appetite, entity-level objectives, and operational needs, as well as environmental factors related to the industry, competitive, and regulatory environment.

As previously discussed, the Framework is comprised of five components of internal control and an additional 17 principles representing the fundamental concepts associated with those components. Below is a summary of each of the five components and each related principle:

Control Environment
1. The organization demonstrates a commitment to integrity & ethical values.
2. The board of directors demonstrates independence of management & exercises oversight for the development & performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, & appropriate authorities & responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, & retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification & assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity & analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies & assesses changes that could significantly impact the system of internal control.

Control Activities
10. The organization selects & develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects & develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected & in relevant procedures to effect the policies.

Information & Communication
13. The organization obtains or generates & uses relevant, quality information to support the functioning of the other components of internal control.
14. The organization internally communicates information, including objectives & responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring Activities
16. The organization selects, develops, & performs ongoing &/or separate evaluations to ascertain whether the components of internal control are present & functioning.
17. The organization evaluates & communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management & the board of directors, as appropriate.

Limitations of Internal Control and the Framework

By design, the Framework is intended to ensure that internal controls provide reasonable assurance of the achievement of organizational objectives.
However, the Framework specifically notes that limitations do exist and may result from the:
• Suitability of objectives established as a precondition to internal control
• Reality that human judgment in decision making can be faulty
• Breakdowns that can occur because of human failures such as errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion

These limitations preclude the board and management from having absolute assurance of the achievement of the entity’s objectives through effective internal control. Moreover, no matter how well internal controls are designed, the system cannot overcome certain limitations associated with organizations that do not understand the purpose of internal control or the proper procedures to remediate ineffective internal controls. Internal control cannot overcome the limitations associated with management and employees that do not value or support the process of internal control and demonstrate this attitude through circumvention of policies and procedures. Finally, internal control cannot overcome the limitations associated with collusion by management or employees to commit fraud.

III. Evaluate Existing System of Internal Control

The process and methods for evaluating an organization’s system of internal controls have not fundamentally changed since the inception of the original COSO framework and will continue to be familiar to those with experience in Internal Audit and the evaluation of internal controls. The updated framework has, however, provided more defined tools to aid in the evaluation of a system of internal controls. The updated framework provides better guidance on performing a ‘top-down/risk-based’ approach to internal control assessment and provides sample tools; however, many organizations may have similarly designed tools for internal control evaluation.
Similarly, the updated guidance suggests confirming that the five components and 17 principles of the framework are present and functioning. This practice is already prevalent in many organizations that have adopted (or been required to adopt) Sarbanes-Oxley. More specifically, the entity-level controls assessment already provides a path to assess the five components of the framework (control environment, risk assessment, control activities, information and communication, and monitoring). The updated framework’s approach and templates suggest that organizations should prepare a variety of documentation, first at the principle level, noting controls and deficiencies, and then rolling this information upwards into the five components. The updated framework has provided templates that it suggests organizations use for this assessment; however, the crux of the discussion revolves around the following:
• Is the component present as described by the 17 principles? Is it functional? If so, how is this conclusion supported?
• If a deficiency exists, identify the deficiency that specifically speaks to this component and describe the issue.
• If a deficiency exists, are there other compensating controls that can be tested?

The sum of these documents allows organizations and auditors to quickly assess the organization’s internal control structure by using the points of focus under each of the 17 principles as guidance to ensure that internal controls are operating effectively. COSO has furnished sample documentation for these items. However, management has the ability to modify its existing templates to ensure that they capture the principles and components. Therefore, as assurance auditors move forward, it will be useful to consider the points of focus and summarize the way in which information is reported back to the assurance auditors to place greater reliance on the framework.
This should be achievable with minimal effort by modifying existing reporting tools and templates to incorporate the information. In assessing an organization’s framework, the information should be presented to address the following:
1. What controls are tied to the principles (principles are already tied to specific components)?
2. Beneath each principle, identify which control addresses the points of focus.
3. If there are controls present to address the principle, are they operating effectively?
4. If not, what controls failed, which compensating controls are in operation, & at what level is the deficiency (material weakness, significant deficiency, or control deficiency)?

Role of Information Technology

Since the framework was rolled out in 1992, the most drastic change in the operating environment of organizations has been information technology. The original framework did not have much structure around the IT environment. Internal audit departments, management, and audit committees recognized these changes and did a good job of ensuring that IT became a part of the overall internal control structure of an organization. The updated framework specifically supports IT within the framework through its points of focus in each of the principles.

IV. Design System of Internal Control

The Framework asserts that the foundation of the internal control system is the organizational operating, reporting, and compliance objectives. Objectives may be set for the entity as a whole, or relate to specific processes and activities. Common entity-level objectives shared by most organizations are maintaining a platform of ongoing success, complying with laws and regulations, providing a working environment that is safe and productive, and reporting relevant and timely information to stakeholders. Management must identify organization-specific objectives within each of the three categories and the processes that must be in place in order to meet them.
Moreover, management must identify the risks that may prevent those objectives from being met and design a system of internal control to mitigate those risks. The updated COSO Framework can be used as a tool to assist in the design of a new system of internal control. Management may apply a systematic approach, using the increased detail in the codification of the framework, to lay the foundation of the organization’s internal control system. Management may view the framework as a template from which to model the system. Each Framework component (control environment, risk assessment, control activities, information and communication, and monitoring activities) may serve as a functional area on which control activities must be focused. In order to create and maintain an effective control environment, management must ensure that each control component is present and operating in an effective manner. Doing so will help to ensure that risks that act as an impediment to management’s goals are properly addressed and mitigated.

Management may elect to view the Framework components as a top-down approach to control environment design. At the highest level is the control environment, often thought of as the embodiment of the “tone at the top,” management and the board’s attitude toward the concept of internal control. This component ensures and demonstrates that management and the board value internal control, and have set organizational goals to ensure that a high moral and ethical standard is upheld by both executive management and employees, and is reflected within their behavior. The risk assessment component provides guidance to ensure that management engages in activities to identify, evaluate, and mitigate risks, including those arising specifically from fraud. The control activities framework component requires management to implement actions that contribute to the mitigation of risks as designed and documented in relevant policies and procedures.
The information and communication framework component ensures that management effectively communicates the expectations related to the control activities via relevant quality information distributed through proven and reliable channels. The monitoring activities framework component ensures that the organization takes the appropriate actions to monitor the design and effectiveness of control activities and takes the appropriate corrective actions, when needed.

Selection of Controls

Integrated within each of the five Framework components are 17 principles designed to represent the fundamental concepts to support the components. Management may adopt the approach to specifically address each of the 17 principles by designing and implementing an internal control activity to ensure that the principle is met. For example, management may wish to address the control environment framework component. In order to ensure the control environment component is effectively operating, management should ensure that each of the control environment principles listed below is present and functioning via specific control activities.

Control Environment
• The organization demonstrates a commitment to integrity & ethical values.
• The board of directors demonstrates independence of management & exercises oversight for the development & performance of internal control.
• Management establishes, with board oversight, structures, reporting lines, & appropriate authorities & responsibilities in the pursuit of objectives.
• The organization demonstrates a commitment to attract, develop, & retain competent individuals in alignment with objectives.
• The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Each principle serves as an objective to be met to ensure that the Framework component is effective.
For example, management may demonstrate commitment to integrity and ethical values by establishing an organizational code of conduct, which executives and staff must read and acknowledge via electronic signature on an annual basis. The board of directors may demonstrate independence of management and exercise oversight for the development and performance of internal control via the formation of an internal audit committee of the board of directors which regularly reviews the findings, recommendations, and results of the internal audit function.

When using the Framework to design a system of internal control, management should consider the business processes in place, as there may be instances where internal control is operating, albeit undocumented. Through direct observation, management may note the design and operation of control activities occurring through the normal course of business. These instances should be evaluated for effectiveness of design and operation, documented, and integrated into the organization’s system of internal control. Controls over the release of cash serve as examples of this type of activity. Organizations often establish threshold amounts for which cash disbursements may be issued without increasing levels of approval. This organizational level-of-authority policy may dictate the number of executive approvals that must be obtained to issue a cash disbursement of a certain amount. The preventive control used in this simplified example is assumed to be in place and firmly integrated into the normal course of business for the organization. Outside of documenting and communicating the activity, no further control procedures may be necessary to mitigate the risks associated with this portion of the business operation. However, should management identify any areas for which a Framework component is not present and operating, specific controls will need to be designed to ensure the risks associated with the relevant processes are mitigated.
Revisiting the example of the disbursement portion of the cash control cycle, management may discover that there are unexplained discrepancies between the general ledger cash account and that which is reported on the bank statement. Further investigation may discover that monthly bank reconciliations are not performed. Management must then design and implement a monthly bank reconciliation control to ensure that the bank account activity is monitored, valid cash transactions are recorded in the ledger, invalid cash transactions are identified, the ledger correctly reflects the organization’s cash position, and that the reconciliation is performed and reviewed on a timely basis.

Management and the board of directors must select controls to ensure that risks that may prevent the organization from meeting the operating, reporting, and compliance objectives are sufficiently mitigated. In cases where the organization must report to regulators, shareholders, creditors, or other third parties on the design and operating effectiveness of its overall system of internal control, management must design and implement controls to meet the specific criteria set forth by those who require the assertion that all components of internal control are in place and functioning. The requirements imposed by the third parties often determine the nature and extent of the documentation to support the design and operation of the internal control system.

Cost-Benefit Analysis

When using the COSO Framework to design a system of internal control, management must evaluate the benefit and costs of design, implementation, and operation of the selection of controls. Properly utilized, internal control provides management and the board of directors with a system to efficiently and effectively achieve goals and objectives aimed at increasing shareholder wealth.
In order to monitor the status of these goals and objectives, management and the board must ensure there are controls in place to ensure the delivery of operational and administrative information to support critical decision making related to operations, capital investment, and financing. Further, an effective system of internal control will ensure that there are mechanisms for timely and efficient processing of transactions and metrics to evaluate operational data, as well as the presence of a conduit for the timely communication of reliable financial and non-financial reporting to external stakeholders.

For many organizations, certain goals and objectives are compulsory and involve meeting regulatory requirements. These compliance objectives may be met consistently and efficiently through the effective use of an internal control system, and will avoid potential costs such as fines and fees levied due to non-compliance. The Framework provides management with guidance to ensure that compliance objectives are addressed and met in a satisfactory manner.

When evaluating the implementation of a system of internal controls, it is imperative that an organization evaluate the costs associated with the project. These costs include the easily measurable direct and indirect costs associated with implementing and maintaining an internal control system. Examples may include hiring and/or training additional staff, purchasing or upgrading an enterprise resource planning (ERP) system, or physically securing inventory and assets. In addition, it is also important to evaluate the opportunity costs associated with the use or redirection of resources. For instance, recruiting and retaining staff with a higher level of competency will require higher compensation costs. The resources used to this end cannot be invested elsewhere in the organization.
In order to determine the full cost of implementing a system of internal control under the updated Framework, management must assess the efforts required to select, document, and perform control activities. Selection of control activities involves a thorough examination of the critical business processes and the determination of the risk areas for which key controls must be placed. Once selected, the design of the process and key controls must be captured and communicated via documentation, often in the form of flowcharts and narratives. In order to establish and clarify roles and responsibilities, control documentation must be evaluated by the key process owners for acceptance and understanding. This process helps management set standards and communicate expectations for operational and control performance, as well as establish the means to identify the evidence necessary to evaluate the system of internal control.

Process owners must ensure that the control activities are present within their processes and are operating effectively as determined by the criteria established by management. Often, this involves an incremental increase in the efforts needed to effectively plan and execute the business process. However, this may be mitigated by the added leverage provided by technology that increases the efficiency of data collection, processing, and analysis to assist in management decision making.

Management and the board of directors must identify and allocate the resources necessary to monitor the system of internal control, evaluate its effectiveness, and update the system with any required changes or improvements found as a result of the assessment. This may be achieved through the development of the internal control function as a component of the organization, or through the use of an independent service provider. In both cases, the internal audit function must work with management while maintaining independence in both appearance and practice.
For internal audit functions that operate as a part of the organization, independence can be achieved by reporting functionally to the board of directors while reporting administratively to management.

Determining the breadth and depth of the scope of the internal control system is a matter of judgment, and should be done with cost-effectiveness in mind. Moreover, the complexity of the cost-benefit analysis is intensified by the interrelationship of controls within the ongoing business operations. Management faces challenges in isolating costs and benefits within a mix of controls that has been selected to fit the needs of the organization. However, cost alone is not an acceptable reason to avoid implementing a sufficient system of internal controls. Cost and benefit considerations support management’s ability to develop and maintain a system of internal control that balances the allocation and deployment of resources to the areas of greatest risk, need, or other factors relevant to the objectives set by management. As a result, management must rely upon the COSO Framework’s integrated approach to ensure the efficient application of internal controls by eliminating redundancies and needlessly onerous processes. Effective internal control should meet the needs of the organization without hindering the efficiency of operations and management.

V. Conclusion

The 2013 COSO Framework emphasizes that the establishment and maintenance of a sound control environment is solely the responsibility of management. In order to help ease navigation of this undertaking, the updated framework serves as a critical tool that can assist management with the actions necessary to maintain a sound control environment and effectively manage risk.
The explicit listing of the 17 principles increases the framework’s ease of use and provides clarity for management to apply the Framework in the design, implementation, operation, and evaluation of the effectiveness of the system of internal control. Use of COSO’s updated internal control framework will benefit organizations seeking to build or improve upon their internal control system. The Framework provides enhanced guidance that makes it easier for management and the board of directors to evaluate processes and to identify, design, and implement controls to ensure an effective control environment. Organizations may leverage the Framework to better identify and mitigate risks within a rapidly changing business environment, as the enhanced focus on principles may reveal areas not appropriately addressed. The Framework will help senior management consider the importance of addressing the areas of control that should better support the organizational objectives.

For more information contact:

Doug Farmer, Partner
312.602.3691
doug.farmer@plantemoran.com

Matthew Bohdan, CPA, CIA
2248.223.3619
matthew.bohdan@plantemoran.com

Jack Kristan, MBA, CPA, CIA
248.223.3605
jack.kristan@plantemoran.com