Earlier today, COSO announced the release of an Exposure Draft of its updated Internal Control-Integrated Framework. The update was done to reflect changesin business and technology in the 20 years since the original pubication of COSO's landmark Intertnal Control-Integrated Framework (C-IF), and to better articulate the concepts that werew assumed to underly the original 5 complenent framework, by retaining those components, but breaking them down into 17 principles and additional attributes. The comment period on the Exposure Draft of the IC-IF ends March 31, 2012.
As noted in COSO's press release: "COSO originally engaged PwC to develop a framework for internal control in response to a recommendation from the Treadway Commission. Building on the success of the original framework, COSO has worked with PwC to update it for organizations: to adapt to increasing complexity and pace of change; to mitigate risks to the achievement of objectives; and to provide reliable information to support sound decision making.
"A broad range of professionals from industry as well as representatives and observers from academia, government agencies, and nonprofit organizations have provided a wealth of perspective on how the original Framework can be refreshed."
NOTE: In addition to the participation of Marie N. Hollein, President and CEO of FEI, on the COSO board, FEI member Ray Purcell of Pfizer headed up an internal FEI working group on COSO, which provided additional feedback on early drafts of thsi project, for Marie and Ray to share with the entire COSO team.
The Framework retains the core definition of internal control and the five components of a system of internal control. One of the most significant enhancements is the codification of internal control concepts introduced in the original framework into 17 principles and supporting attributes that further support organizations as they apply judgment in managing risk and improving performance in an increasingly complex and rapidly changing environment.
COSO Chairman Dave Landsittel observed, "Effective internal control allows organizations to adapt to a changing business landscape, and obtain confidence that controls mitigate risks to acceptable levels. This is key for the long-term success of any organization."
Access the Exposure Draft
To access the Exposure Draft via this link, you will be directed to complete a brief (anonymous) online questionnaire. You will then be provided links to download the:
- Executive Summary !!!!!
- Complete Exposure Draft of the Internal Control-Integrated Framework, and
- A feedback questionnaire
Sarbox-Oriented Internal Control over External Financial Reporting Will Follow in 2012
The Sarbanes-Oxley compliance crowd should take note that COSO will separately post its guidance on Internal Control over Financial Reporting (ICEFR) later this year, after which (in Spring, 2012) it will post a formal Exposure draft of that part of the publication. (The guidanceon Internal Control over External Financial Reportring, or ICEFR, is separate from, but related to, the generaI Internal Control-Integrated Framework or IC-IF.) Specifically, COSO states here:
Although not included with this exposure draft, COSO has initiated a concurrent project to develop Guidance on Internal Control over External Financial Reporting (ICEFR Guidance). This additional guidance will assist organizations by providing practical approaches and examples on how the Framework can be applied in designing and maintaining internal control over external financial reporting. COSO intends to post an overview of this guidance on www.coso.org later this year.
COSO also expects to issue an exposure draft of the complete ICEFR Guidance for public comment in the spring of 2012 and to release the final ICEFR Guidance together with the Framework in the fall of 2012.
MY TWO CENTS: Why Pay Attention to This?
You may be wondering, (1) "Why Pay Attention To This?" (1) "What is COSO?" (3) "Why Should I Care?" Or even, (4) "Is it Lunchtime Yet?"
Let me put some of this in perspecitve for you (I remind you of the disclaimer posted on the right side of this blog):
1. You should pay attention to what COSO does if you work for a public or private company, audit firm, or you are a regulator, investor, or general member of the public. COSO has been, since its 1992 framework was established, the gold standard for internal control over financial reporting. Public companies are expressly required to refer to COSO's guidance on internal control over financial reporting when they prepare their management report on the effectiveness of internal control in accorance with SEC rules implementing Section 404 of the Sarbanes-Oxley Act, and similarly, audit firms are subject to requirements under PCAOB Auditing Standard No. 5 referencing COSO. Furthermore, private companies are subject to AICPA guidance for audits of private companies which in turn refernce the COSO framework.
2. COSO is the Committee of Sponsoring Organizations of the Treadwauy Commission, formed in 1985 as an offshott of the Treadway Commission on Fraudulent Financial Reportring, by the founding organziations of that Commission: the AAA, AICPA, FEI, IIA and IMA. Individually and collectively, those five organizations include a great deal of fire power among those responsoible for credible and reliabile firnancial reporting.
3. You should care about carefully reading, underrstanding, analyizing and discussing COSO's new Exposure Draft with your peers, your audior (or client), to assess the level of understanding of the Exposure Draft itself, and how it will imapct yhour comapny and your audit. ***IMPORTANTLY - while this Exposure Draft is being characterized as an 'update' and as an articulation of underlying principles in the historical 1992 framework, there are clearly some provisioins that can be potentially be read as causing new, additive work to be done, and potentially an expansion of theoretical concepts as well. Therefore, it is very, very important, as is true for any standard-setting organization that practices good governance such as FASB, the SEC, IASB, PCAOB or COSO, to subject their proposals to the widest possible audience for public comment, so that untintended consequences which are reasonably foreseen can be headed off, and for a basic 'reality check' to be be performed by effected parties outside the drafting team and advisory group itself, to avoid the pitfalls of 'groupthink' that can happen in any organization.
FEI Working Group on COSO
FEI has had a very active Working Group on COSO in place for the past year, which has assisted in providing constructivve feedback to the COSO team, through our representiatives on the COSO board, Marie Hollein, President and CEO of FEI, and through Ray Purcell, Chair of FEI's Working Group on COSO, to assist in brining the voice and practical knowledge of financial executives to the table as COSO has endeavored, with representatives from the other five sponsoring organizations (the AAA, AICPA, IIA and IMA) to make the Exposure Draft as reasonable as possible, Nonetheless, we stronglhy encourage all of our members, and the general public, to give serious focus to the 17 principles in particular, and related attributes, and the language around how the 'effeciveness of internal control" will be determined, in reviewing the document. Any FEI member with interest in participating on our FEI working group on COSO, which will be preparing COSO's formal response to the Exposure Draft, is invited to get in touch with me directly and we would be happy to add you to our group.
Watch this space, as well as COSO's website, www.coso.org for an updated post when COSO posts additional information on the Guidance on External Financial Reporting.
Other summaries from (watch for updates):