Further reflections on the updated COSO Internal Control Framework
I think it is time for all of us to recognize that the time for criticism of the updated Framework, and the bemoaning of lost opportunities, is past.
The update has been completed and the Framework is not going to be changed anytime soon.
So, let’s not just recognize the reality but celebrate the improved guidance. Yes, it is a net improvement over the 1992 version.
Bits I like:
- The update emphasizes that effective internal control is achieved when there is reasonable assurance that the risk of not achieving objectives is at acceptable levels.
- The definition of internal control is essentially unchanged. The differences are minor wording changes only.
- The need for judgment is also emphasized, not only in designing but in assessing internal control.
- Organizations can continue to use the top-down, risk-based approach to the assessment of internal control over financial reporting discussed in SEC and PCAOB guidance (and in my book).
- The description of Monitoring is unchanged from the 1992 edition. Although COSO has not withdrawn their guidance on Monitoring, they did not adopt the definition in that publication that includes (incorrectly in my view) the monitoring of transactions. That type of monitoring is a detective control activity.
Tell me. What do you like in the update?