The COSO Internal Control Framework 2013: What are you Waiting For?

Written by Sargon Youmara, Partner, Vonya Global

COSO 2013

If more companies knew how easy the migration from the 1992 to 2013 framework can be, fewer would drag their heels.

A startling fact: a good many companies that have not migrated to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control Framework were advised not to do so by their third-party auditors.

That according to Compliance Week, which reported in April that, yes, a majority had the more than 3,000 companies on record had made the switch. But just over 500 still used the 1992 framework. And, of the 513 that did, more than half were audited by KPMG and advised to wait.

COSO issued its update in May of 2013 and sunset the ’92 framework in December of 2014. But—and this is important—COSO is not mandated as an internal control framework. Nor is an update mandated. So no law, Sarbanes-Oxley included, require you to transition from the ’92 to 2013 framework.

Still, you do not want to create your own framework. You cannot. The Securities & Exchange Commission (SEC) requires that you must use a “suitable, recognized control framework established by some body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.” And that established body or group cannot be your own company, unless you are willing to subject your internal controls to public comment.

Then why bother? This isn’t like tax evasion. The SEC won’t come knocking because you’re overdue for an update.

No—but they are far more likely to come knocking, observed COSO Chairman Robert Hirth. And barring the exercise of a transition, more likely to find deficiencies.

So it is a mistake to consider compliance “open ended” (even if it is). And, frankly, your framework is based on best practices from 1992. To put that into context, not every company at the time bothered having a website, and most companies that had email had internal email but not external. And we’ve elected three presidents since then, each for two terms.

Do not be fooled by the fact that the 17 principles of COSO internal controls from ’92 are exactly the same 17 principles are unchanged since 1992; the best practices for those controls are sorely out of date.

An update is not as drastic as you would think

Likely, you have been updating your framework all along, based on current best practices. Internal control is a process, and most businesses improve processes routinely. Does your information technology (IT) group enforce separation of duties using your enterprise applications? Do you use electronic transaction monitoring to spot risks of exposure to, for example, FCPA? Then you have updated your internal framework.

Then why not be certain it minimizes your risks to the best current practices, and prove that to yourself with a third-party audit?

Typically, Vonya Global in its consulting engagements establishes a few objectives, including:

  • Charting a company’s existing control environment
  • Mapping its entity-level controls to the 2013 framework (if needed; oftentimes, the client has done that mapping already)
  • Identifying deficiencies that require management attention

We gain an understanding of the control environment through one-on-one interviews with whichever executive is responsible for internal audit; most large companies have a dedicated executive, director or VP of that function, in other instances, it is some C-level executive, like the CFO. In addition we might conduct interviews with officers like the CFO and CEO and head of auditing (whoever holds the responsibility) for further insight into the control environment.

Then begins a self-assessment survey on entity-level controls. Typically, those surveyed include (in broad categories):

  • Finance chiefs and directors, both C-level and regional
  • Controllers
  • Operations chiefs
  • M&A chiefs
  • Corporate counsel

Finally, we would map the entity-level controls to the COSO Internal Control framework to determine if each of the five components and relevant principles is present and functioning, and 2) if the five components operate together in an integrated way.

Then come the results, and improvements

No company is without some opportunity for improvement; not even those that are already using the 2013 framework. But most findings are likely to be opportunities for improvement versus major deficiencies.

What, then is typical?

We provide detailed observations, framed using the 17 Principles.

For example, Principle 1 is “Demonstrates Commitment to Integrity and Ethical Values,” which falls under the Control Environment component. This requires a Code of Business Conduct that sets the tone at the top; establishes standards of conduct; and evaluates standards of conduct.

A simple area for improvement is that all business units, domestic and foreign, have access to that Code of Business Conduct; and that acknowledgments are obtained annually from all employees that they have read and understand the code and will adhere to it. Fairly simple.

Another example would be Principle 8, “The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives,” which falls under the Risk Assessment component. The requirements here might be simply performing a fraud risk assessment as part of annual planning and scoping for Sarbanes-Oxley compliance; also, to update control matrices to identify those controls that mitigate the risk of fraud.

Once again, straightforward fixes to fairly minor deficiencies.

The short story is that a 1992 to 2013 migration hardly like updating your 20+-year-old network. Or paying 21 years of back taxes. Presumably, your internal audit team, corporate counsel and information technology (IT) group have not been sleeping at the switch for two decades. In all likelihood, you meet the bulk of the 2013 Internal Control Framework.

And if you do not, then, join the club. The COSO Internal Control Framework is fairly detailed and complex, but manageable with a third-party assessment.


Sargon-Youmara-Internal-Audit-ExecutiveThis post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects to a wide-array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.