This is an excerpt from a recent white paper:
“The recent 2013 update of the Internal Control Framework issued by the COSO was a major event followed by standard setters and publicly held companies. The original COSO framework published in 1992 became a widely accepted internal control framework standard for meeting the requirements of a number of US regulations led by the infamous Sarbanes-Oxley Act (SOX) of 2002, introducing a formal sign-off on the effectiveness of the system of Internal Controls over Financial Reporting (ICFR). Subsequently, the COSO framework has formed the basis of best practice for financial control & governance worldwide.
Although the original COSO framework from 20 years ago was conceptually sound and even a visionary approach in the area of internal controls, it couldn’t fully anticipate the evolution of technology and the changing demands of global business environments. As a result of this, we have also seen an increase in regulatory requirements, prompting business leaders to reassess internal controls to determine whether risks are mitigated to an acceptable level.
This article will explore the latest changes brought to the 1992 COSO framework and how to get the best return on the investments involved in moving to the 2013 version.
Evolution, not Revolution
The core difference between the two models lies in widening the scope and applicability. However, the definitions of internal control, the three categories of objectives and the five components in the COSO cube (visible in the image to the left) remain unchanged, still focussing on effective, well-designed and implemented internal controls.
Further improvements have been made to accurately define each component and to link and correlate them with their associated objectives.
The enhanced applicability and ease of use of the 2013 COSO Framework is driven through the following aspects:
- Broadening the scope of the three business objective areas
  - Operations – now also includes the operational and financial performance goals and is no longer limited to “effective and efficient use of entity’s resources”.
  - Reporting – addresses not only financial but also non-financial reporting to various internal and external stakeholders. In the 1992 Framework, the objective scope was much narrower “relating to the preparation of reliable financial statements”.
  - Compliance – considers increased demands in laws, regulations and accounting standards including SOX/JSOX, Dodd-Frank Act, FCPA, Consumer Protection Act and Basel II.
- Clarifying requirements – 17 explicit Principles of effective internal control are articulated, each supported by optional Points of Focus that facilitate design, implementation and conduct of internal controls. These Principles are based on the 2006 Guidance for smaller public companies and represent fundamental concepts that need to be present, functioning and operating together in an integrated manner.
- Providing updated content – the new Framework is more usable for those people involved in internal control over external financial reporting (ICFR) and also addresses changes in business and operating environments. Moreover, it shares approaches and examples to illustrate how entities may apply the new Principles.
Three Key areas that will influence the transition to COSO 2013 are:
- Increased Role of Technology
- Broader Anti-Fraud focus
- More emphasis on Risk Assessment Process”
The 5 COSO Transition Opportunities
The 5 key opportunities presented by COSO 2013 are:
- Utilize automation potential in control activities
- Review automation potential in monitoring activities
- Improve Operations
- Improve Anti-Fraud measures
- Enhance risk & assurance coverage
If you would like more detail on these topics, you can get the white paper here.
Applying the COSO 2013 Framework offers a tremendous chance to bring both control and monitoring of financial processes to the next level, moving from a necessary administrative burden towards proactive guidance of business operations.
Thanks for reading . . .