COSO's Internal Control - Integrated Framework Update Project

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has decided to update its original report Internal Control - Integrated Framework. This important document has guided government agencies and public companies since it was issued in 1992. While not required by Sarbanes Oxley, it is an appropriate framework to evaluate internal controls in publicly listed companies.

The federal government requires all agencies to use the framework as it is embodied in the US Comptroller General’s guidance on internal controls for federal agencies.

Finally, many states, such as New York, have laws requiring internal control systems for state agencies and the guidance provided mirrors the COSO concepts. There are other internal control frameworks around the world that are worth examining, including:

• Canada – Criteria of Control (CoCo)
• UK – Turnbull Commission
• South Africa – The King III Report
• INTOSAI -  Internal Control Standards for the Public Sector

In 2004, COSO issued another document called Enterprise Risk Management — Integrated Framework. This report though fogged up the concepts, so most people reading it, give up. I can’t find many people who have read, and are implementing, the concepts. That’s too bad.

Plans for the New Document

COSO says it plans to “Mak[e] more crisp and concise those areas of lengthy discussion in the original Framework that have become institutional knowledge.” If they do so, they should be congratulated. They have to keep it simple if they want it to be accepted and implemented. Here’s what else they may do:

• Reflect the increased use of IT in business operations (e.g., ERP systems, other automation tools, internet);
• Expand the financial reporting objective to include consideration of management reporting and external reporting more broadly (not intended to affect the scope of Sarbanes-Oxley compliance which remains focused on internal controls over financial reporting), (e.g., enabling reporting on sustainability and various third party standards);
• Provide more detail around key governance principles (e.g., responsibilities of the audit committee, compensation committees, and alignment of incentives);
• Explain the linkages between Internal Control and Enterprise Risk Management frameworks to enable more effective and integrated application in practice;
•  Expand the discussion on risk assessment
• Reflect changes in business models (e.g., increased use of outsource providers, increased rationalization of supply chain and infrastructure management)
• Consider the nature and broader impact of fraud in the business environment (e.g., inappropriate use of assets, intentional misrepresentation) and
• Incorporate core aspects of the 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies and the 2009 Guidance on Monitoring Internal Control Systems.

COSO supposedly has a survey for your input that remains open through September 1, 2011, but if you try to use the web site, the link is broken. But, you could write to this e-mail address and maybe someone will respond: icif@us.pwc.com – I haven’t tried it, so I don’t promise you will get through.  You could also contact Scott McCallum at  scott.mccallum@theiia.org to express your views on the internal control framework.

I did respond to the survey when it first came out. I think it is a good document that is relatively easy to understand. Mucking it up isn’t going to help.

The projected publication date of the updated Framework is mid-2012 and COSO expects the five components of the framework will remain relatively unchanged.