Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Update of COSO’s Internal Control–Integrated Framework

Published byClaribel Peters Modified over 8 years ago

Similar presentations

Presentation on theme: "An Update of COSO’s Internal Control–Integrated Framework"— Presentation transcript:

1 An Update of COSO’s Internal Control–Integrated Framework
Note to users: This deck is intended to be used for what we call the “initiated” audience that is already familiar with COSO, its origin, mission and work to date. The focus of this deck is directly on the Internal Controls – Integrated Framework (ICIF) update initiative. If your audience would benefit from an introduction to COSO, please refer to and use the companion COSO Overview deck. This deck and the Overview deck are designed to have the same look and feel and can easily be merged into a single deck if you desire. December 2011

2 Internal Control-Integrated Framework
First published in 1992 Gained wide acceptance following financial control failures of early 2000’s Most widely used framework in the US Also widely used around the world For many of you – this cube will look familiar. It’s the original “COSO Cube” that was developed and published by COSO in The cube represents a depiction of the COSO Internal Control–Integrated Framework, or what we refer to as the “ICIF”. Initially, the ICIF was widely recognized and accepted in more narrow and technical accounting and auditing circles. But in the early 2000’s widespread financial control failures prompted regulatory agencies to look closely at internal controls and the role of weak internal controls in corporate failures. The resulting legislation was the Sarbanes Oxley Act of 2002 (the Act). Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual report. To do this, managers are generally adopting an internal control framework such as that described in the COSO ICIF. As a result, the ICIF is the most widely used framework of its kind in the US and is also widely used around the world. The good news is that the COSO Cube has proven the test of time and is not changing as a result of the ICIF update project. Original COSO Cube

3 Key Concepts – Timeless
A process Effected by people Provides reasonable assurance Geared to achievement of objectives related to (1)operations, (2)compliance and (3)financial reporting Five components: Control Environment Risk Assessment Control Activities Information and Communication Monitoring The cube helps capture some many key concepts of the original 1992 framework that have proven timeless: Internal control is a process Effected by people Designed to provide “reasonable” assurance – not perfect or absolute assurance That internal controls are effective in achieving operational, compliance and financial reporting objectives. All of this will be familiar to the experienced COSO ICIF user. It should because these concepts are timeless and are not proposed to change. Nor are the five components of internal control changing, except that “Monitoring” is now “Monitoring Activities”.

4 Why Update What Works ICIF works
well today COSO’s Internal Control – Integrated Framework (1992 Edition) Address significant changes to the business environment and associated risks Updated, enhanced and clarified Framework Codify criteria to use in the development and assessment of systems of internal control Principles Attributes Increase focus on operations, compliance and non-financial reporting objectives Expanded internal and non-financial reporting guidance Refresh objectives So – why update what seems to be working pretty well? Over the past 20 years, there have been lessons learned in applying the ICIF as well as changes to the business environment and significant risks. The focus of this project is not to rewrite the 1992 framework, but to update and refresh it to make it more relevant and useful in today’s business environment. The current project has two broad deliverables: Updates and enhancements to the framework designed to enhance and clarify the application of the Framework in today's business and risk environment; Codification of criteria that can be used in the development of systems of internal control and in evaluating the effectiveness of a system of internal control. Key to this codification are 17 principles that users can apply using judgment; and Expanded internal and non-financial reporting guidance designed to support increasing demands for reporting on operational, compliance and non-financial objectives. The COSO Board, the Project Team and the Advisory Committee believe these updates, refinements and clarifications will ultimately result in a more flexible, reliable and cost effective approach to the design and evaluation of systems of internal control in today’s environment. NOTE TO SPEAKER: We anticipate that at this point in the presentation your audience may be thinking and maybe asking questions like: How is this going to impact my existing SOX 404 certification process? Will this change cause us to have to revisit and re-engineer the 404 process we have worked hard to put in place and refine? Response from the Original Press Release, December, 2011: The proposed Framework retains the core definition of internal control and the five components of a system of internal control. One of the most significant enhancements is the codification of internal control concepts introduced in the original framework into 17 principles and associated attributes that further support organizations as they apply judgment in managing risk and improving performance in an increasingly complex and rapidly changing environment. COSO believes these principles and attributes will not impose additional burdens or a higher threshold for designing and maintaining an effective system of internal control, but rather, clarify internal control concepts and promote ease of use and application. Prepared Response: The 2012 Internal Control - Integrated Framework is expected to become an accepted framework for use by management and auditors applying and reporting on compliance with the Sarbanes-Oxley legislation There is an expected period for converting from the 1992 framework to the 2012 framework - however that period is not yet known and will depend in part on regulatory views The 2012 Framework is consistent with the 1992 version, and should not impose a higher level of control that before Focusing on the principles may require some organizations to strengthen areas of internal control, as the principles bring out important points of focus from the 1992 framework that some organizations may not have addressed to the extent considered in the 2012 framework. Some companies may need to update their documentation and testing strategies to align with the 2012 framework and some areas may require added consideration than in the past. Enhancements ICIF will work better tomorrow COSO’s Internal Control – Integrated Framework (Draft, 2012 Edition)

5 Project Plan & Timetable
2010 2011 2012 Sept - Jan Feb - Oct Dec - Mar Apr - Dec Assess & Survey Stakeholders Design & Build Public Exposure Finalize This is a high level overview of the project plan and timetable. We hope to have a very robust public exposure period and strongly encourage you to comment on the exposure draft with your thoughts, comments and recommendations. Beginning immediately after the comment period, the project team will begin to sort through the feedback to determine areas for revision or improvement. We hope to issue the final updated ICIF in the fourth calendar quarter of 2012.

6 Author and Project Leader
Project Participants COSO Board of Directors PwC Author and Project Leader COSO Advisory Council AICPA AAA IIA FEI IMA Regulatory Observers Public Accounting Firms Others (IFAC, GAVI Alliance, ISACA) Stakeholder Input Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework The COSO Board includes executive representatives of the five sponsoring COSO Organizations: The American Accounting Association (AAA); The American Institute of Certified Public Accountants (AICPA); Financial Executives International (FEI); The Institute of Management Accountants (IMA) and The Institute of Internal Auditors (IIA). As with past COSO initiatives, the COSO Board contracts with outside parties, in this case PwC, to serve as the project team and author. For this project, COSO has formed an Advisory Council. The Council is comprised of representatives of each COSO sponsoring organization, as well as representatives of regulatory and standard setting bodies as well as public accounting firms. The Advisory Council provides technical guidance, input and feedback to the project team and the Board as they design the project and draft materials – in this case, revisions to the original 1992 Internal Control Framework. Remember – COSO is a private sector initiative. Therefore it is critical that private sector companies and stakeholders have an active voice in the update effort. To provide that voice, a variety of companies and other stakeholders are included in the project. To initiate the project, the Project team conducted a survey of over 700 COSO stakeholders. Responses come from wide range of organizations and individuals Large, small and non-profit organizations were well represented 1 in 4 respondents were international (27%) The majority of respondents have been using the Framework for over 5 years Overall, a large majority of respondents support an updating, but not a major overhaul, of the Framework In addition to the survey, the exposure draft comment period is a primary way this diverse group of stakeholders is engaged and involved. It’s key that the COSO Board, the Project Team, and Advisory Council not work in isolation. Your feedback – positive or negative - though the exposure raft period, is CRITICAL and WELCOME.

7 Obtaining Input: Survey of Stakeholders
January 4th to September 1st of 2011 Over 700 responses Responses came from wide range of organizations and individuals Large, small and non-profit organizations well represented 1 in 4 respondents were international (27%) The majority of respondents has been using the 1992 Framework for over 5 years Overall, a large majority of respondents support updating, but not a major overhaul of the 1992 Framework Overview of Key Themes from the Survey: Reflect implications of increased use of technology and greater complexity of operational environment Incorporate lessons learned from SOX and cost / benefit considerations Capture increased ethics, compliance and anti-fraud expectations Broaden the scope of reporting beyond external financial reporting Enhance the concept of risk oversight and role of risk assessment Expand on governance roles in organizations; also consider non-US entities Demonstrate more clearly the linkages between the Framework components Clarify and simplify language Keep theories and concepts general enough to maintain universal applicability Maintain definition of internal control Update Framework, not a major overhaul Increase practical guidance to supplement the conceptual framework, particularly in the area of IT, implementation of regulatory requirements, integrity, ethical values, and competence management

8 Summary of Updates What’s changed…
The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version. What is not changing... What is changing... Definition of internal control Five components of internal control The fundamental criteria used to assess effectiveness of systems of internal control Use of judgment in evaluating the effectiveness of systems of internal control Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives Increased focus on operations, compliance and non-financial reporting objectives based on user input Here’s an overview of what’s not changing – and what is……. As discussed earlier, the definition of internal control; the components of internal control; criteria to assess effectiveness and the use of judgment to assess internal control effectiveness are NOT changing. What is changing are various updates to bring the framework current: the codification of principles and an increased focus on operations, compliance and non-financial reporting objectives. Let's take a look at the proposed changes in each of these areas….

9 Summary of Updates A changing business environment...
Drives updates to the Framework... Expectations for governance oversight Globalization of markets and operations Changes in business models Demands and complexity of rules, regulations and standards Expectations for competencies and accountabilities Use and reliance on evolving technology Expectations for preventing and detecting fraud In the nearly 20 years since the inception of the original framework, business and operating environments have changed dramatically. The updates included in the Framework have considered these changes, as highlighted on this slide, to enable the Framework to remain relevant and useful for users, today. Expectations for governance oversight – Higher regulatory and stakeholder expectations have been addressed in Control Environment. Globalization of markets and operations – Implications of growth and cross-border mergers and acquisitions have been addressed in many components of internal control. Changes in business models – Significant changes to business models, including shared services, outsourced service providers and oversight over other third-parties, have been addressed in many components of internal control. Demands and complexity of rules, regulations and standards – Breadth, volume and pace of change in rules, regulations and standards have been addressed in many components of internal control. Also, financial reporting category of objective has been modified to include external non-financial reporting and internal financial and non-financial reporting. Expectations for competencies and accountabilities – Greater expectations arise as organizations grow, acquire entities, introduce new products and services, comply with complex rules and regulations, an implement new processes and technologies. Components of internal control have been updated. Use and reliance on evolving technology – Use of technology is ever more important in improving business performance, business processes, and decision making. Components of internal control updated to address controls and risks surrounding use of enterprise resource planning (ERP) and other technologies to standardize, automate and streamline business processes. Expectations for preventing and detecting fraud – Components of internal control have been updated to address higher stakeholder and regulatory scrutiny and expectations of organizations to prevent and detect material misstatements, loss of assets and corruption. In addition to updating the Framework for these changes, the original COSO Cube has also been updated to reflect (i) the expansion of the “financial reporting” objective to the “reporting” objective, as discussed on the previous slide, (ii) the applicability of the updated Framework at the entity, division, operating unit and functional levels (not only Units A and B and Activity 1 and 2), (iii) the inversion of the components to better match the flow of the Framework, and (iv) a better integration and consistency between the Framework and the COSO Enterprise Risk Management–Integrated Framework. Updated COSO Cube

10 Summary of Updates Codification of 17 principles embedded in the original Framework
Control Environment Demonstrates commitment to integrity and ethical values Exercises oversight responsibility Establishes structure, authority and responsibility Demonstrates commitment to competence Enforces accountability Risk Assessment Specifies relevant objectives Identifies and analyzes risk Assesses fraud risk Identifies and analyzes significant change In all, there are 17 high level principles that were embedded in the original framework that are now codified in the update. While this slide provides a high level overview of the 17 principles, reviewers and users should read the full description of each principle to gain a full understanding. The codification of these principles and identification of related attributes will provide useful guidance to users seeking to exercise judgment in designing or assessing the effectiveness of a system of internal controls. Control Activities Selects and develops control activities 11. Selects and develops general controls over technology Deploys through policies and procedures Information & Communication Uses relevant information Communicates internally Communicates externally Monitoring Activities Conducts ongoing and/or separate evaluations Evaluates and communicates deficiencies

11 Value Proposition Enhance performance with greater agility, confidence and clarity
The updated Framework better supports efforts to design and adapt systems of internal control: Agility – Adapt to increasing complexity and pace of change Confidence - Mitigate risks to achieve important objectives Clarity – Provide reliable information to support sound decision making Building on the original, the updated Framework makes it easier to adapt to changing business needs. The codification of principles and attributes embedded in the original Framework better supports organizations as they apply judgment in managing risk and improving performance in an increasingly complex and rapidly changing environment.

12 Management and Board of Directors
Benefits of the Updated Framework Management and Board of Directors Improve governance Expand use beyond financial reporting Improve quality of risk assessment Strengthen anti-fraud efforts Adapt controls to changing business needs Greater applicability for various business models Clarity Agility Use of the updated Framework will provide benefits to: management and boards of directors, external parties (such as outsourced service providers, business partners and other parties interacting with the entity…customers, vendors), and other users (such as external reviewers, independent auditors, financial analysts, bond rating agencies and the news media, and regulators). The updated Framework is expected to become an accepted framework for use by management and independent auditors in applying and reporting in accordance with the Sarbanes-Oxley Act (US legislation). Expected transition period for converting from 1992 framework to updated Framework is not yet known and will depend upon regulatory action. COSO Board believes updated Framework is consistent with 1992 framework, and therefore it should not impose a higher level of control than before. Focus on principles may require some organizations to strengthen some components of internal control, as principles bring out important points of focus from 1992 and some organizations may not have fully addressed those areas to the extent considered in the updated Framework. Some companies may need to update documentation and testing of the design and operating effectiveness of its overall system of internal control to align with updated Framework. From the original press release, December, 2011: The proposed Framework retains the core definition of internal control and the five components of a system of internal control. One of the most significant enhancements is the codification of internal control concepts introduced in the original framework into 17 principles and associated attributes that further support organizations as they apply judgment in managing risk and improving performance in an increasingly complex and rapidly changing environment. COSO believes these principles and attributes will not impose additional burdens or a higher threshold for designing and maintaining an effective system of internal control, but rather, clarify internal control concepts and promote ease of use and application. Performance External Parties Confidence Other Users

13 Public Exposure Process
Primary objective Obtain feedback about whether the updated Framework will have a positive impact on achieving effective internal control over operations, reporting and compliance objectives When to Comment December 19, 2011 to March 31, 2012 How to access Who can respond Any interested party wishing to express a point of view relevant to the updated Framework How to Respond Answer the questions and/or Provide additional feedback as you see appropriate at Access to public written comments Available online to December 31, 2012 COSO fully expects that the updated Framework will benefit organizations in achieving effective internal control. The public exposure process is the means to confirm that point of view and to solicit feedback from interested parties and those for whom the updated Framework is intended to serve. The comment period commenced December 19, 2011 and will conclude March 31, Any interested party wishing to express a point of view relevant to the updated Framework Access can respond by accessing the updated Framework and the feedback questions at Those desiring to review submitted public written comments can access them online until December 31, 2012.

14 Public Exposure Process Specific areas to provide feedback and to assist respondents in developing view points Topical Areas Specific Areas to Provide or Consider in Your Commentary General Background Information Please provide information about your company or organization Overall Impression of the updated Framework (Survey format scale of 1 – 5) Internal consistency and logic of the updated Framework Understandability and ease of use Applicability to various types of organizations Impact or burden on regulatory reporting Specific areas of interest (Survey format scale of 1 – 5) Completeness and appropriateness of the 17 Principles and associated Attributes The requirement for all 17 Principles to be present and functioning to have effective internal control Appropriateness of expanding the reporting objective category beyond financial reporting Summary General comments on any topic of interest relevant to the updated Framework The public exposure process enables COSO to gather relevant feedback in the four topical areas presented on the slide. The specific focus areas shown for each of the topical areas should help respondents in developing points of view on critical aspects associated with the updated Framework. The “General Background Information” section gathers information about respondents and their organization. The next two areas, “Overall Impression of the updated Framework” and “Specific areas of interest,” ask respondents survey-type questions on a scale of one to five and also provide comment boxes for those wanting to amplify their responses. The “Summary” area provides respondents the ability to comment on any area of their choosing.

15 Guidance on Internal Control over External Financial Reporting (ICEFR)–Published Financial Statements A supplemental document to the updated Framework Currently scheduled for public exposure in the spring of 2012 Provides guidance in applying the updated Framework to this sub-category of the Reporting objective Includes approaches and examples to assist management in designing and implementing internal control over external financial reporting A draft of the guidance will be accessible for information and reference to respondents during the public exposure of the updated Framework at Guidance will not replace or modify the updated Framework One of the changes in the updated Framework is the expansion of the original Framework’s “Financial Reporting” objective to that of “Reporting” to recognize the existence of both internal forms of reporting as well as external non-financial reporting. With the broadening of this objective, certain regulatory agencies expressed concern that the emphasis on financial reporting prevalent in the original Framework would be lost or diluted in the updated Framework and hence regulatory reporting would be negatively impacted. In response, COSO engaged PwC to prepare a companion or supplemental document currently scheduled for public exposure in the spring or early summer 2012 following the public comment period of the updated Framework. This companion document will focus specifically on providing guidance in applying the principles and attributes of the updated Framework to internal control over external financial reporting involving published financial statements. It will include practical approaches and examples to assist management in designing and implementing internal controls over this sub-category of the Reporting objective. This guidance will not replace, supersede or modify in any way the guidance in the updated Framework. COSO intends to make a draft of this companion document available to respondents early in the comment period for the updated Framework at its website at

16 Questions? Please contact

Download ppt "An Update of COSO’s Internal Control–Integrated Framework"

Similar presentations

Organizational Governance

Organizational Governance
Table of Contents COSO & Project Overview

Table of Contents COSO & Project Overview
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Federal Audit Executive Council (FAEC) June 2012 Bi-Monthly Meeting Heather I. Keister Doris G. Yanger June 14, 2012 Green Book Update.

Federal Audit Executive Council (FAEC) June 2012 Bi-Monthly Meeting Heather I. Keister Doris G. Yanger June 14, 2012 Green Book Update.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Control and Accounting Information Systems

Control and Accounting Information Systems
Updated COSO Framework & Green Book

Updated COSO Framework & Green Book
Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.

Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Government Auditing Standards

Government Auditing Standards
Office of the Secretary of Defense – Comptroller Financial Improvement and Audit Readiness Directorate Unclassified 17 September 2014 GAO Revised “Green.

Office of the Secretary of Defense – Comptroller Financial Improvement and Audit Readiness Directorate Unclassified 17 September 2014 GAO Revised “Green.
What’s New in Government Internal Control Standards?

What’s New in Government Internal Control Standards?
Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1.

Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1.
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.

Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.

6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Purpose of the Standards

Purpose of the Standards
Agenda Framework background Reasons for change Timeline

Agenda Framework background Reasons for change Timeline

Similar presentations

Ads by Google