No organization is risk free. There have been several incidents in the past in which fraud has led to the downfall of entire organizations. However, the global business landscape has changed over the years. Recognizing the significant changes to business and operating environments that have taken place over the past 20 years, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework on May 14, 2013. The updated standards will supersede the previous framework on December 15, 2014. Adoption of the new standards is a top priority for companies, as the U.S. Securities and Exchange Commission (SEC) has made it clear that it expects compliance by the end of 2014.
COSO, an independent private-sector initiative, was established to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence, in order to improve organizational performance and governance and to reduce the extent of fraud in organizations. The purpose of updating the existing framework was to increase its relevance in an increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control.
The first edition of the COSO standards, established in 1992, is the principal standard that U.S. companies use to ensure compliance with the Foreign Corrupt Practices Act (FCPA) and with Section 404 of the Sarbanes-Oxley Act of 2001 (SOX).
The new framework retains the core definition of internal control, the objectives, the five components of internal control and its seventeen principles, and continues to emphasize the importance of judgment in designing, implementing and conducting a system of internal control, and in assessing its effectiveness. The new framework codifies principles that support the five components of internal control, clarifies the role of objective-setting in internal control, reflects the increased relevance of technology, incorporates an enhanced discussion of governance concepts, expands the reporting category of objectives, enhances consideration of anti-fraud expectations, and increases the focus on non-financial reporting objectives.
THE 17 PRINCIPLES TO EVALUATE INTERNAL CONTROL OVER COMPLIANCE:
The framework is very adaptable to compliance. All 17 principles, under the five components, are presumed relevant for all entities and need to be present and functioning to have effective internal control.
The new framework has outlined certain points of focus to enhance the rigor of understanding of each principle. They are:
“In companies with formal internal audit functions (which can vary from an individual assigned with internal audit responsibilities to a formal department), the board of directors empowers the internal audit function to carry out its purpose, authority, and responsibilities with direct access to the audit committee and/or the board of directors. The board or audit committee is actively involved in reviewing the company’s risk assessment, ensuring that the internal audit plan provides adequate assurance on the adequacy of coverage of key risk areas, and overseeing internal audit compensation to ensure it is structured in a manner that supports the need for objectivity.”
The responsibility for leading the transition to the New Framework lies with the internal audit department for various purposes, including planning, conducting and reporting on risk-based audits. The role of internal audit can be summarized in two points:
The internal audit team has to leverage the right technology solutions and use them as enablers for greater transparency and accountability for internal control and various internal audit functions. The New Framework also provides a new opportunity for internal audit committees to take a fresh look at internal control, create value for the organization and manage elevated expectations regarding internal control.