COSO Internal Control Integrated Framework Proposed Updates

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission is a voluntary private-sector organization dedicated to providing thought leadership to executive management and governance entities.  COSO consults on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. 

In 1992, COSO and PricewaterhouseCoopers (PWC) established a common internal control model called the Internal Control Integrated Framework (ICIF), used by companies and organizations to assess their internal control systems.  The ICIF gained popularity in the early 2000’s after meltdowns of several U.S. corporations including Enron, WorldCom, Global Crossing, and Tyco.  This article will address the proposed updates to the ICIF and how the framework applies to local campus internal controls.

Twenty years after its inception, COSO and PWC are updating and improving the existing ICIF, emphasizing a series of updates to the original document, not changes. This project is COSO’s effort to align the ICIF with changes that have occurred in the business environment, i.e. stakeholder expectations, financial and regulatory laws, and technology.  Input was sought from private industry, academics, government agencies, and not-for-profit organizations during the update process.  The ICIF updates are scheduled to be completed during the first quarter of 2013.

Why is it happening?

The core concepts of the original framework remain unchanged.  However, there may be changes pertaining to the way some of the concepts are applied.  Objectives of the project include adding more focus on operational and compliance control objectives, and explicitly identifying principle points of focus to provide efficiency and a basis for evaluating effectiveness of operations.  COSO will also produce tools (templates and scenarios) for assessing the overall effectiveness of internal control and a companion guide applying the ICIF over external financial reporting.

What is changing?

COSO’s desired outcome is to provide the governance community with the following:

1) Seventeen principles that may be universally applied to develop and evaluate the effectiveness of internal control systems;

2) Expanded financial reporting objectives to address internal, external, financial, and nonfinancial reporting objectives; and

3) Increased focus on operations, compliance, and nonfinancial reporting objectives.

Since the project represents updates and not changes, the impact of the ICIF updates on the University System of Georgia (USG) and individual campuses should be positive.  If our control systems currently incorporate the tenants of the original ICIF, the updates will continue to strengthen our internal control system.  The updated ICIF should simply supply more details and tools to use in examining control systems, and give greater confidence in our assertions about those systems.

What is not changing?

The ICIF was a well thought-out and useful document.  Its original concept continues to be valid, and many points within the framework will remain unchanged.  For instance, the definition of internal control remains unchanged:

“A process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations, b) reliability of financial reporting, and c) compliance with laws and regulations.”

The five components of internal controls will also remain unchanged.

1. Control Environment – the tone of the organization
2. Risk Assessment – the goals of the organization and the perceived threats to those goals
3. Control Activities – the organizations policies and procedures
4. Information and Communications
5. Monitoring Activities – the assessment of a system of control over time

The fundamental criteria used to assess the effectiveness of systems of internal control and the use of judgment in evaluating the effectiveness of systems of internal control will also remain in place.

An In-depth Look at the Codification of the 17 Principles

However, the updated framework provides attributes, explanations, and examples of how the 17 principles fit into the control component.  COSO believes that the principles were always implied by the language of the framework and that the updates simply reduce to writing principles that were already present.  The 17 principles will be defined and described in the next issue of the Briefing. 

David Randy Pearman, Associate Director of Internal Auditing

Georgia Institute of Technology

Randy.pearman@business.gatech.edu ​