Changes Are Coming… COSO Internal Control-Integrated Framework

Written by Sargon Youmara, Partner, Vonya Global

Introduction – COSO Internal Control-Integrated Framework

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission’s (“COSO’s”) Internal Control-Integrated Framework (Framework) introduced a comprehensive internal control framework currently being used by most organizations within the United States and around the world.

However, since 1992, many changes have occurred in the business and operating environments, prompting COSO to “update” its Framework and make it easier to use. The business world has become more complex, technology-driven and global in scale, while both individuals and organizations are striving for greater transparency and accountability for the integrity of systems of internal control that support business decisions.

As a result of those changes and increased complexity in business, in December 2011, COSO released for public comment the updated Framework that is intended to help organizations to “adapt to increasing complexity and pace of change; to mitigate risks to the achievement of objectives, and to provide reliable information to support sound decision making.” Up until the close of the comment period in March 2012, 97 comment letters were received from organizations and professionals around the world.

In addition to the updated Framework, COSO also released for comment in September 2012 its proposed Internal Control over External Financial Reporting (ICEFR) which provides a compendium of approaches and examples “that illustrate how the principles set forth in the Framework can be applied in designing, implementing and conducting internal control over external financial reporting and evaluations tools for assessing effectiveness of internal control.”

COSO expects to release final copies of the Framework, ICEFR and the evaluation tools within the first quarter of 2013 prompting many Chief Audit Executives and Internal Auditors to hectically begin reviewing the proposed documents for their impact on their organization.

COSO – What is Not Changing

Quite a bit is staying the same. The definition of internal control and the basic structure of internal control, including the components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities), stayed the same. Additionally, the 17 principles described across the five components, although implicitly stated in the 1992 Framework, also did not change. Finally, the updated Framework didn’t change the importance of using judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of internal control.

COSO – What is Changing

Although much is staying the same, a lot is also changing. Even though the Framework is not yet finalized, here’s a glimpse at some of the most significant changes:

  • Applies a principles-based approach – The updated Framework explicitly states and codifies the 17 core principles of internal control, which represent the fundamental concepts associated with the components of internal controls. Additionally, attributes that represent characteristics of the principles are also provided collectively comprising the criteria that will assist management in assessing whether an entity has effective internal control.
  • Highlights the importance of technology – Increased sophistication, complexity and pervasiveness of technology within organizations can impact all components of internal control and are discussed thoroughly within the updated Framework. Technology is specifically identified as a principle of internal control.
  • Enhances governance concepts – Greater discussion is provided over the key governance principles, such as responsibilities of the board of directors and its committees and alignment of incentives.
  • Expands on reporting objectives – Reporting is expanded beyond external financial reporting to also consider internal reporting, both financial and non-financial and is reflected within a change in the COSO cube. Financial Reporting is changed to reporting only.
  • Enhances anti-fraud expectations – The Framework provides increased consideration related to the nature and impact of fraud on the business environment (e.g. inappropriate use of assets, intentional misrepresentation, etc.) and within the risk assessment process. Similarly to technology, fraud is identified as a specific principle of internal control.
  • Considers different business models and organizational structures – Business models and structures have evolved through increased usage of technology, globalization, and usage of third parties (outsourcing, spinoffs, joint ventures, etc.). More detailed guidance is provided on alternative ways in which an organization might implement a component of internal control and thus accomplish effective internal control.

COSO – Preparing for 2013

Before 2013 comes around the corner, we recommend Chief Audit Executives begin preparing for the release of the updated Framework. Consider the following:

  • Read the document – Get an understanding of what is proposed and if it will have an impact on your system of internal control.
  • Review the 17 principles – Quickly assess whether your organization meets all 17 core principles of internal control and if there are gaps within your system of internal control.
  • Start dialogues – Discuss the updated Framework with the Audit Committee and Executive Management to let them know what is coming and highlight any significant changes. Additionally, discuss its impact with your external auditors.
  • Wait – Nothing is final, so wait to see the final Framework and possible additional directives provided by regulators before taking immediate action.

17 Core Principles of Internal Control

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight and responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has over 15 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects for a wide array of companies from start-ups to multi-nationals. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:
– Creating “start-up” Internal Audit Departments
– Evaluating Internal Audit Department Effectiveness
   (QAR and Internal Audit Capability Maturity Model)
– Reducing risk in international operations

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

This article was also published in the Institute of Internal Auditors Chicago Chapter’s newsletter, The Innovator February 2013.