COSO framework creates opportunity for effective internal controls
With the new release of a revised COSO model, there is no better time to take a fresh look at your institution’s approach to internal control evaluation and the way that your internal audit department adds value. The update to the COSO framework provides additional guidance to enhance the control environment at your financial institution, emphasize the importance of governance and information security and also provide an opportunity for you to better align your organizational strategy and effective internal control.
COSO history and background
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985. These five organizations include the American Accounting Association, American Institutions of CPAs, Financial Executives International, The Association of Accountants and Financial Professionals in Business and the Institute of Internal Auditors. These five organizations have been tasked with developing a framework that would improve organizational performance and governance, focused on reducing the extent of fraud in organizations and providing thought leadership in the areas of internal control, enterprise risk management and fraud identification. The original COSO model released in 1992 played a fundamental role in establishing a scalable framework for internal controls.
While the COSO model was established in 1992, its real claim to fame came from the subsequent release of the Sarbanes-Oxley Act of 2004. During this time, COSO became the most widely used control framework used in managements’ assessment of the internal control environment. However, that is not the model’s sole purpose, as the COSO model is relevant to all companies and institutions when establishing a solid internal control framework.
A fresh look at internal control
As technology and business environments have changed, so has the need to adapt our approach to conducting internal audits. The COSO framework released in 2013 provides an update to the existing framework to take into consideration the changes in the complex working environments of today, versus 1992. Thus, the 2013 COSO release should not be viewed as a new framework, but instead, as an enhancement to the existing framework. These enhancements consider the changes in business and operating environments with the intent to improve governance beyond financial reporting, improve the quality of the risk assessment and strengthen anti-fraud efforts.
Institutions that have not implemented a formal internal control framework should consider implanting the COSO framework for their institution. While other frameworks do exist, the COSO framework is the most widely accepted and used. The 2013 COSO framework will assist in identifying areas of weakness and opportunities for improvements to strengthen operational performance, anti-fraud efforts and adaptability for changing trends. Implementing a framework will also assist in enhancing communications between management, the board and external parties.
The enhanced model
Before discussing the changes in the 2013 framework, it is important to understand what has not changed. Much of the foundation of the 1992 framework is retained or only slightly modified in the 2013 framework. The definition of internal control has not changed. An entity’s internal controls structure is still based on its identification of objectives and need to structure a sound system to achieve those objectives.
As depicted below, the well-known COSO cube remains with a few specific changes:
The five components of internal control have not significantly changed, as illustrated by the front face of the cube. The one change to the components is the category of monitoring, which has been changed to monitoring activities. This change is intended to broaden the perception of monitoring as a series of activities undertaken individually and as a part of each of the other four components, rather than as one unique process.
Across the top of the cube, financial reporting has been changed to reporting. This change is intended to broaden the application of the framework, not only to external reporting, as it often has been applied, but also to include internal reporting as well as external reporting of nonfinancial measures.
Along the right side of the cube, the organization structure has been changed to align with COSO’s Enterprise Risk Management Integrated Framework (ERM Framework) and also better illustrate that an effective internal control structure permeates an entire organization at all functional levels, both independently and interdependently. It is also important to note that, while there was consideration of combining the Internal Control-Integrated Framework with the ERM Framework, the two remain separate, but interrelated. Internal control is an integral part of enterprise risk management; however, enterprise risk management encompasses a broader role than internal control in supporting an entity’s governance structure.
Introduction of the 17 principles
The 2013 framework introduces 17 principles that are necessary for effective internal control, unless they are not relevant to the entity. Although the framework presumes that all 17 principles are relevant for each entity, management may determine that a principle is not relevant, based on its unique circumstances. If a relevant principle is not present and functioning, a major deficiency exists in the system of internal control. The 17 principles are aligned with each of the five components and are as follows:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal controls.
- Management is established, with board oversight, structures, reporting liens and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal controls responsibilities in the pursuit of objectives.
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks related to objectives.
- The organization identifies the risks to the achievement of its objectives across the entity and analyzes those risks as a basis for determining how they should be managed.
- The organization considers the potential for fraud in assessing the risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization communicates information internally, including objectives and responsibilities for internal control that are necessary to support the functioning of internal control.
- The organization communications with external parties regarding matters that affect the functions of internal controls.
- The organization selects, develops and performs ongoing and separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
In addition to the principles, the 2013 framework introduces 81 points of focus. The points of focus are typically important characteristics of principles that can be used to facilitate designing, implementing and conducting internal control. These are items management can consider to determine if the principles are present and functioning. The 2013 framework explicitly states that management is not required to separately evaluate whether each point of focus is in place to determine if the principles are present and functioning, but instead use them as a guide.
The revised COSO framework was released on May 14, 2013, but the original framework will continue to be available through the transition period ending Dec. 14, 2014. After this date, COSO will have considered the 1992 framework to be superseded by the 2013 revisions. Institutions that are currently using the 1992 COSO framework or institutions transitioning to the COSO framework should begin transitioning to the 2013 model during 2014. This will include holding discussions with external auditors and regulators on your institution’s plans to transition to the 2013 COSO framework.
As a result of the current regulatory environment, many financial institutions will find that the 17 principles outlined above are covered as part of their existing control environment and reviewed. However, most will find they need to formalize their documentation in how they have met each principle. For example, most financial institutions have a committee to monitor the credit function (loan committee, asset liability committee [ALCO], etc.); however, the roles and responsibilities of these committees have not been formally documented in a committee charter with minutes. These committees help meet multiple principles. For example, an ALCO/loan committee that has formal reporting requirements, oversight of lenders and approval thresholds could potentially meet the requirements for principles 4, 5, 7, 10, 12, 13 and 14.
Much like the process to update the COSO framework was a multiyear project; it is likely that the implementation and transition to the 2013 framework will take time and effort, both on the part of the entity’s management and its auditor. Many institutions are seeking assistance from third parties to update their processes and documentation to meet the objectives of the 2013 model, while others are leveraging internal resources to make updates. In either event, McGladrey can assist with the process.
For more information or assistance with this topic, please contact Joshua Kettler, principal, McGladrey LLP, joshua.kettler@McGladreyus.com