What should we do about the new draft COSO internal control framework?
COSO has released an updated draft of its landmark Internal Control – Integrated Framework. This is an important development for organizations around the world, in particular for those who have adopted the framework for their Sarbanes-Oxley (SOX) compliance program. A copy of the draft (including an executive summary, the complete framework, examples for SOX, and evaluation templates) can be obtained from the COSO site, at http://www.coso.org.
So what should organizations do now?
This is still a draft and no action is required per se. It is subject to change, and I understand that the plan is to issue it in final form in Q1 2013, and organizations will be encouraged to move to it in 2014.
This is what I recommend:
1, Because this is an important document and we all share a need for it to be of the highest quality, everybody is encouraged to read it and provide comments back to COSO by November 20th. You will see comments from me here and on my IIA blog (see the right-hand column of this page) that you may consider.
While it is tempting to read only the executive summary, the devil is in the detail in the main body of the framework. So, I am afraid you will need to allocate quality time for a careful and thoughtful read.
We all have an interest in getting this right, as any review of our organization’s system of internal control will likely be based on the guidance in the framework.
2. Consider the 17 principles, each of which is supported by “points of focus”. While it is debatable whether you must have all 17 perfectly addressed before your system of internal control qualifies as “effective”, they are all good practice.
I would assess whether you can say all the principles are adequately addressed. If not, why not? Can you explain why they are not necessary, perhaps because the risk to the achievement of objectives is acceptably low? When it comes to controls over financial reporting, do you think your external auditors would agree that the risk is low?
If there are areas for improvement, then consider how you can address them. While there is time before the updated framework is finalized, why not fix any issues now?
3. I believe the directives from the regulators to have a top-down and risk-based approach to internal control over financial reporting will not change. So, I doubt that you will need to make drastic changes to accommodate the updated framework. But, you should make sure you have a solid risk assessment and that each of the risks is addressed by effective internal controls.
I would also initiate conversations with the external auditors. While I.suspect some will want to move away from a risk-based approach to one based on assessing the 17 principles, I would resist such a change and press for a continuation of the approach required by the SEC guidance and Auditing Standard Number 5.
COSO has included tools specifically for SOX. As I have written in my IIA blog, I believe these to be fatally flawed and would not use them. They are inconsistent with a risk-based approach and I expect them to be replaced.
Overall, I believe there is a great deal of value in the updated framework. With your constructive comments, we can help COSO make it even better – which is in our own best interests.
I welcome your comments.