The Committee of Sponsoring Organizations of the Treadway Commission ("COSO") issued its new Internal Control - Integrated Framework in May 2013, updating the original Internal Control - Integrated Framework first published in 1992. The 2013 COSO Framework ("COSO 2013") sets forth the requirements for an effective system of internal control.
The 1992 COSO Framework will be superseded by the updated 2013 COSO Framework after December 15, 2014.
After the transition period, which ends December 15, 2014, the SEC has indicated that it expects registrants to use the 2013 Framework as criteria for evaluating the effectiveness of their Internal Control over Financial Reporting ("ICFR") as required by Section 404 of the Sarbanes-Oxley Act. As your independent auditor, we are required under Auditing Standard No. 5 to use the same suitable, recognized control framework to perform our audit of internal control over financial reporting as management uses for its annual evaluation.
The original five components of control-Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities-remain unchanged in COSO 2013, and the top-down, risk-based approach is retained as a foundational concept. However, significant changes have been made.
The new COSO 2013 Framework:
codifies 17 principles supporting the five components of internal control,
provides "points of focus" to help drive the 17 principles to a more granular, actionable level,
clarifies the role of objective-setting as a precursor to internal control,
increases focus on the relevance of technology,
enhances consideration of anti-fraud expectations in its own principle,
incorporates an enhanced discussion of governance concepts, and
expands the reporting category of objectives to include non-financial and internal reporting.
The COSO 2013 Framework states explicitly that: "When a major deficiency exists with respect to the presence and functioning of a component or relevant principle, or with respect to the components operating together in an integrated manner, the organization cannot conclude that it has met the requirements for an effective system of internal control."
A recently released summary of a meeting between SEC staff and the Center for Audit Quality's SEC Regulations Committee states that: "The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement for a suitable, recognized framework." This increased scrutiny is especially likely after the December 15, 2014 transition date.
If you have not yet transitioned to the COSO 2013 Framework, we recommend that you familiarize yourself with the updated framework and formulate a transition plan. A logical first step in transitioning to the new framework would be to map your existing key controls to the components, principles and points of focus. This "gap analysis" will evidence whether you can demonstrate that each of the five components and relevant principles is present and functioning. This will also provide an opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity's objectives.
The Internal Control - Integrated Framework (2013) and Illustrated Tools are available at http://www.coso.org/ic.htm.
Other useful guidance for registrants on maintaining effective internal control is available from the following sources:
Links to the COSO Internal Control - Integrated Framework 2013 Executive Summary, together with two recent articles from our SEC Impact newsletter series, "The New Internal Control Framework" and "Maintaining Effective Internal Control over Financial Reporting-It's the Law!" are provided below.
If you have any questions about the content of this article, please email Kevin Hyams at KHyams@FriedmanLLP.com or contact your engagement partner.