Home > Risk > Further reflections on the updated COSO Internal Control Framework

Further reflections on the updated COSO Internal Control Framework

I think it is time for all of us to recognize that the time for criticism of the updated Framework, and the bemoaning of lost opportunities, is past.

The update has been completed and the Framework is not going to be changed anytime soon.

So, let’s not just recognize the reality but celebrate the improved guidance. Yes, it is a net improvement over the 1992 version.

Bits I like:

  • The update emphasizes that effective internal control is achieved when there is reasonable assurance that the risk of not achieving objectives is at acceptable levels.
  • The definition of internal control is essentially unchanged. The differences are minor wording changes only.
  • The need for judgment is also emphasized, not only in designing but in assessing internal control.
  • Organizations can continue to use the top-down, risk-based approach to the assessment of internal control over financial reporting discussed in SEC and PCAOB guidance (and in my book)
  • The description of Monitoring is unchanged from the 1992 edition. Although COSO has not withdrawn their guidance on Monitoring, they did not adopt the definition in that publication that includes (incorrectly in my view) the monitoring of transactions. That type of monitoring is a detective control activity.

Tell me. What do you like in the update?

  1. Hugh Penri-Williams
    May 23, 2013 at 7:41 AM

    Hi Norman, More than simply tongue-in-cheek, for me personally as a trainer/presenter the singular most appreciated modification is that – at last – the original cube has been upended to bring it in line with its ERM sister/brother, i.e. both with monitoring (agree with your view) at the bottom, although I would have preferred the latter be upended as, logically, we start with the internal/control environment and then work our way up (and out?). Cheers, Hugh.

  2. arnold schanfield
    May 23, 2013 at 7:50 AM

    some of us have not only criticized the COSO internal control framework, but as well advocated that it be shunned and instead use other internal control and risk frameworks. When something is flawed such that its basic usefulness is questionable, what logic do you use to support that it should continue to be supported? The flaws which you yourself pointed out not only in the draft document but in many ensuing communications, are serious to the point that it cannot be used just as COSO ERM cannot be used. Pointing out its successes is useless. This is not about a step by step approach to get something right.

    In the end analysis, this is all about money and trying to protect reputation. The original COSO framework was good for its time in 1992 but many of us came to realize from review of other frameworks, that it was intentionally pushed in the market place when in fact there were better frameworks. This is a travesty. Those that do not know any better will continue to use it until such time as those practitioners pushing such frameworks as ISO 31000 and its predecessor documents as well as the CoCo internal control framework from Canada of 1995 are able through the education process, to get those that do not understand one framework from the next to really appreciate what is going on. Then COSO will go the way of Kodak.

  3. Miki Wilson
    May 27, 2013 at 2:42 PM

    I like the emphasis on judgement…

  4. Beata
    May 29, 2013 at 12:13 PM

    Norman, what is your position about the SEC remaining silent on the adoption of the new framework? Should public companies transition to the new framework regardless? What could be the consequences if they don’t?

    • Norman Marks
      May 29, 2013 at 12:22 PM

      Beata, I think it is too early to say the SEC is silent. They were observers in the COSO project and you would have to assume they would have voiced any major problem with the update.

      Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Evangelist and Mentor for better run business

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: