The Committee of Sponsoring Organizations (COSO) is a joint initiative of five private sector organizations that is dedicated to improving organizational governance through the development of frameworks and guidance on risk management, internal control and fraud deterrence.
In 1992, COSO published Internal Control - Integrated Framework (the original framework), which became the industry standard that management at public companies subject to Section 404 of the Sarbanes-Oxley Act (SOX) used to design, and then assess and report on the operating effectiveness of, their internal controls. COSO defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, (3) compliance with applicable laws and regulations."
In May 2013, COSO released an updated version of Internal Control - Integrated Framework (2013 Framework). While public registrants subject to Section 404 will transition to this new framework by December 15, 2014, we believe that the internal control principles spelled out in the 2013 Framework are applicable to all organizations, including not-for-profits.
While these principles may have been embedded in the original framework, and the 2013 Framework does carry forward most of the basic concepts of the original framework, the 17 internal control principles are now explicitly stated under one of the five components of internal control. Those principles, which relate to the aforementioned three objectives of internal control, are summarized as follows:
Control Environment
- The organization demonstrates a commitment to integrity and ethical values
- The board of directors exercises oversight responsibility
- Management establishes organizational structure, authority and responsibility
- The organization demonstrates a commitment to competence
- Individuals are held accountable for their responsibilities
Risk Assessment
- Objectives are specified with sufficient clarity
- The organization identifies and analyzes the risks to achieving its objectives
- The potential for fraud is considered
- The organization identifies and analyzes changes that could impact its internal control
Control Activities
- The organization selects and develops control activities
- The organization selects and develops general controls over technology
- Control activities are deployed through policies and procedures
Information and Communication
- The organization obtains or generates relevant, quality information
- The organization communicates internally
- The organization communicates externally
Monitoring Activities
- The organization conducts ongoing and/or separate evaluations of internal controls
- Internal control deficiencies are evaluated and communicated to those responsible
The new framework defines an internal control deficiency as "a shortcoming in a component or components and relevant principles that reduces the likelihood of an entity achieving its objectives." Management became familiar with the Securities and Exchange Commission's definitions of "material weakness" and "significant deficiency" in complying with SOX. However, the 2013 Framework introduces a new concept: a "major deficiency" exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together. When a major deficiency exists, management cannot conclude that its internal controls are effective.
Note that for not-for-profit organizations that have OMB Circular A-133 audits performed, compliance with each of the 5 elements of the COSO Internal Control - Integrated Framework is a specific requirement.
While an organization's particular circumstances will dictate the extent of its implementation of the above principles and the broader and more detailed aspects of the 2013 Framework, we encourage all of our clients to consider whether the 17 principles are present and functioning in their own organizations and to use that review as an opportunity to strengthen their internal controls.
If you have questions or need assistance with implementing best practices, please contact Amish Mehta at AMehta@FriedmanLLP.com or contact your engagement partner.