The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) issued the 2013 Internal Control – Integrated Framework (the “2013 Framework”) and related illustrative documents in May 2013 to replace the original 1992 Internal Control - Integrated Framework (the “1992 Framework”).
The following frequently asked questions (“FAQs”) address the more significant provisions of the 2013 Framework that auditors and companies need to understand – particularly as it relates to public entities subject to Sarbanes-Oxley (“SOX”) Section 404.
1. Why did COSO decide to update the 1992 Framework?
According to recent COSO statements, “The COSO Board wants the core strengths of the original framework to be preserved and the enhancements and clarifications included in the  Framework to ease its use and application… [Further,] the  Framework and related illustrative documents are intended to (i) clarify the requirements of effective internal control, (ii) update the context for applying internal control by reflecting many of the changes in business and operating environments, and (iii) broaden its application by expanding the operations and reporting objectives.
The experienced reader will find much that is familiar in the updated Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control – Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
The requirement that each of the five components is present and functioning for an effective system of internal control remains fundamentally unchanged.”
2. Where can I find the 2013 Framework?
For company management, E-book (for tablet use) and paper-bound versions of the 2013 Framework and related illustrative documents are available for purchase through the AICPA website here. An “Executive Summary” of the 2013 Framework is available free of charge through the COSO website here.
In addition to the Framework itself, companies are encouraged to obtain the “Internal Control over External Financial Reporting: A Compendium of Approaches and Examples” (the “ICEFR Compendium”) as it provides illustrative approaches and examples of how the principles codified within the 2013 Framework may be applied in a system of internal control that supports the preparation of financial statements.
3. What are the key changes from the 1992 Framework?
While the fundamental concepts are largely consistent with the 1992 Framework, the 2013 Framework has been refreshed to reflect the changes in business and operating environments that have occurred since the initial release of the COSO Framework. The more important enhancements include:
- Establishment of 17 principles that support the five components of internal control. The 2013 Framework has introduced the concept of principles that support the components of internal control. Each principle has several underlying points of focus. The principles are meant to provide clarity in how to apply the COSO Framework and the points of focus are considerations for evaluating each principle.
- Consideration of changes in business and operating environments. The 2013 Framework reflects the recent changes in business and operating environments and now specifically includes discussion of: expectations for governance oversight; globalization of markets and operations; changes and greater complexities in business; demands and complexities in laws, rules, regulations, and standards; expectations for competencies and accountabilities; and use of, and reliance on, evolving technologies.
- Expansion of discussion of expectations in preventing and detecting fraud. While the 1992 Framework considered fraud, the 2013 Framework has given the discussion more prominence and included the consideration of the potential for fraud as principle #8 within the Risk Assessment component. This principle discusses types of fraud, fraudulent reporting, safeguarding of assets, corruption, management override, factors impacting fraud risk, and other considerations in fraud risk assessment.
- Recognition of the increased relevance of technology. In principle #11, the 2013 Framework specifically calls attention to the importance of technology given its role in supporting management’s objectives and controlling its activities in many organizations. It is important to note that while technology may change the way internal control is designed and implemented, the 17 principles remain suitable and relevant regardless of the extent to which technology is used.
- Expansion of the reporting category of objectives. The financial reporting objective has been expanded to incorporate both external financial and non-financial reporting, and internal financial and non-financial reporting, resulting in four types of reporting. External reporting objectives are driven primarily by regulations and standards established by standard-setting bodies, whereas, internal reporting objectives are driven by internal requirements in response to a variety of entity specific factors.
4. I understand that the updated Framework contains 17 principles. How do these principles relate to the five components of internal control from the 1992 Framework? Are the 17 principles a new concept?
The 2013 Framework has introduced 17 principles, which are new, to enhance users’ understanding of the fundamental concepts that were discussed within the original framework.
The 17 principles fit within the five components of internal control that have been retained from the original framework. The 2013 Framework explains that each of the five components and relevant principles need to be “present and functioning” and the five components must operate together in an integrated manner for the system of internal control to be considered effective.
The allocation of the 17 principles to the five components of internal control is as follows:
Control Environment (principles 1-5)
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment (principles 6-9)
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
- The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
- The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
5. What does the term “points of focus” mean in the 2013 Framework?
Points of focus are set out for each of the 17 principles and represent important characteristics of principles. For example, within the Control Environment component, the first principle, The organization demonstrates a commitment to integrity and ethical values, includes the following points of focus:
- Sets the Tone at the Top – The board of directors and management at all levels of the entity demonstrate through their directives, actions and behaviors the importance of integrity and ethical values to support the functioning of the system of internal control.
- Establishes Standards of Conduct – The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
- Evaluates Adherence to Standards of Conduct – Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
- Addresses Deviations in a Timely Manner – Deviations from the entity’s expected standards of conduct are identified and remediated in a consistent and timely manner.
While the points of focus (79 in all) may be helpful in evaluating whether a principle is present and functioning, the 2013 Framework does not require that each of the points of focus associated with a particular principle be in place or evaluated separately to conclude on the effectiveness of a principle. Furthermore, the 2013 Framework explains that some points of focus may not be suitable or relevant to a particular entity and that other points of focus may be identified by management that more appropriately reflect the entity’s specific circumstances.
6. When is the updated COSO guidance (2013 Framework) effective?
The COSO Board has stated that the 1992 Framework will be available for use through December 15, 2014. After that date, the 1992 Framework will be considered to be superseded. For calendar year-end companies, this means that the company must transition to the 2013 Framework no later than calendar year end 2014.
During this transition period, either version of the COSO Framework is appropriate. However, the COSO Board has indicated that any application of the Internal Control - Integrated Framework that involves external reporting should clearly disclose whether the 1992 or 2013 version of the Framework was utilized. This distinction can simply be made by adding “(1992)” or “(2013)” to the title of the Framework.
7. How will the 2013 Framework impact management’s assertion relating to internal control over financial reporting for SOX 404 purposes?
In adopting the 2013 Framework, management will need to assess the applicability of the principles within each component of internal control and determine whether or not they have been adequately addressed within the current system of internal control and adequately documented.
As the principles are intended to enhance users’ understanding of the fundamental concepts that were included within the 1992 Framework, depending upon users previous interpretation of the 1992 Framework there may not be a significant impact to management’s assessment of internal control over financial reporting. Organizations that utilized the Internal Control over Financial Reporting -- Guidance for Smaller Public Companies (2006) previously issued by COSO should find many similarities with the 2013 Framework and therefore may find transition to be easier. Still, additional documentation may be necessary to address these principles, as well as additional documentation to address the other changes, additions and clarifications referred to in FAQ #3.
If, however, management’s interpretation of the 1992 Framework was not consistent with COSO’s intent, then transition to the 2013 Framework may have a greater impact. Therefore, entities are highly encouraged to begin the comparison of the 17 principles and other new or clarified items to the current documentation of their system of internal control regardless of whether or not the 2013 Framework is expected to be adopted in advance of the December 2014 deadline.
Current information indicates that very few entities are likely to early adopt the 2013 Framework in conjunction with their 2013 controls assessment and reporting cycle.
8. Does the 2013 Framework impact how control findings are evaluated and classified for purposes of SOX 404?
For a system of internal control to be effective, the 2013 Framework requires that:
- Each of the five components and relevant principles is present and functioning; and
- The five components operate together in an integrated manner.
The 2013 Framework defines “internal control deficiencies” and “major deficiencies” for use in classifying internal control findings, as follows:
- Internal Control Deficiency – A shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objective.
- Major Deficiency – An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives. Essentially, a “major deficiency” indicates that a component and/or principle are not present or not functioning.
The 2013 Framework also recognizes and accommodates the authority and responsibility as established through laws, rules, regulations, and external standards, for regulators, standard-setting bodies, and other relevant third parties to establish criteria for evaluating and classifying internal control deficiencies. Therefore, for external financial reporting purposes, the classification of the severity of internal control deficiencies for financial statement audit and internal control evaluation and reporting purposes remains as a control deficiency, significant deficiency or material weakness.
9. What are some steps management should consider during its transition to the 2013 Framework?
COSO will continue to make available the 1992 Framework during the transition period extending to December 15, 2014, after which time COSO will consider it as superseded by the 2013 Framework. The COSO Board has recommended that users complete their transition to the updated Framework “as soon as is feasible under their particular circumstances.”
Although early adoption is permitted, calendar year-end Issuers will not be required to use the 2013 Framework in connection with their assessment of the effectiveness of internal control over financial reporting for SOX 404 purposes until their assertion as of December 31, 2014. This should provide management with ample time to evaluate the 2013 Framework and implement changes, if any, to the various components of their system of internal control.
The extent of time and effort required to transition to the 2013 Framework will vary, depending on various factors such as complexity of the organization, changes in the business’ operations, and how consistent management’s interpretation of the 1992 Framework was with COSO’s intentions. Following are a few key steps that management should consider:
- Build Awareness. Those directly responsible for a company’s SOX 404 compliance efforts, whether or not there is auditor attestation thereon, should obtain and review the 2013 Framework, appendices, and related documents, with special attention to the ICEFR Compendium as it provides practical examples of how the 17 principles and underlying points of focus may be applied to internal control over financial reporting. Executive and operational management should be briefed, as appropriate, especially as the 2013 Framework also applies to objectives beyond external financial reporting.
- Board and Executive Support. The Executive Summary document may be most appropriate to assist in educating board-level constituents of the 2013 Framework and discussing the expectation of such parties to provide active governance oversight in support of an effective system of internal control. Senior management should also discuss its plan to adopt the 2013 Framework to ensure it has appropriate board and executive level support.
- Impact Analysis. Senior management needs to assess how its current system of internal control over financial reporting incorporates the 2013 Framework’s 17 principles. Results of this analysis will drive the extent of effort required to adopt the 2013 Framework; therefore, management is highly encouraged to start this assessment as soon as practicable. One way to begin an assessment would be to concurrently map controls to the 2013 Framework while performing the 2013 assessment of internal control for SOX 404 purposes under the 1992 Framework.
- Transition and Revision. After evaluating the results of the impact analysis, senior management should develop a plan to revise current controls design and/or documentation to fully incorporate the 17 principles (as needed) and test the functioning of any additional controls implemented or formalized as a result of the new framework. Where a principle is identified as not being adequately addressed by the current system of internal control, management will need to consider whether such changes to controls are significant enough to warrant disclosure in accordance with Item 308 of Regulations S-K or S-B. Significant management judgment may be required in making this assessment, as well as the assessment as to whether such omissions could have represented a Material Weakness under the previous framework.
- Testing and Reporting. Following the transition plan, management will need to ensure the revised system of internal control is functioning properly and allow adequate time for remediation, if necessary. To conclude a control is functioning properly, it is often necessary to test the operation of a control multiple times. Therefore, sufficient time between the revision of controls and the “as of” reporting date should be built into the transition plan.
For another perspective on transitioning to the 2013 Framework, management may consider the following whitepaper by J. Stephen McNally (Campbell Soup Company Finance Director/Controller and member of the COSO Advisory Council for the 2013 Framework) – The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition.