COSO Internal Control – Integrated Framework Update Project

 

 COSO Internal Control – Integrated Framework Update Project

Frequently Asked Questions

(as of March 2011)

 

1. What’s new since the January 2011 FAQs?

 

In March 2011, the COSO Board decided to develop a companion document to the updated Internal Control – Integrated Framework (ICIF) that addresses the application of the Framework specifically to the external financial reporting objective. This document will link external reporting to the Principles and Attributes included in the updated Framework and provide relevant approaches and examples. The Board anticipates this companion document will supersede the 2006 Guidance on Internal Control over Financial Reporting – Guidance for Smaller Public Companies (ICFR) while retaining relevant guidance for small businesses. It will be exposed for public comment commensurate with the updated Framework. Such a companion document would allow for a more detailed and tailored discussion of internal control over financial reporting for compliance with Sox 404 while allowing the overall integrated framework to focus on operations, compliance and external reporting objectives.

2. Is the COSO Board still gathering input?

The COSO Board’s survey to solicit input from a broad audience for updating the COSO ICIF will remain open until September 1, 2011. Input is encouraged to be provided through the survey mechanism or via email to icif@us.pwc.com.

3. What is this nature and timing of this project?

While the ICIF has proven to be one of the most widely accepted frameworks for designing and evaluating internal control, the COSO Board has decided to update the Framework to make it more relevant to the current business environment.

The COSO Board continues to believe that the core principles and underlying Framework first developed in 1992 are timeless. Hence enhancements to the Framework are not expected to alter these core principles fundamentally based on broad market acceptance to date. The updated Framework should enable more effective application in practice of internal control over operations, compliance and financial reporting. Certain concepts and discussions are expected to be refined to reflect the evolution of the business environment and changed expectations in the market place. It is also the intent of the COSO Board to keep the Framework as succinct as possible.

The projected publication date of the updated Framework is mid-2012 and is intended to be rolled out with minimal disruption to capital markets.

4. What are some of the preliminary areas expected to be updated?

While the nature and extent of updates are still to be defined as the date of this document, preliminary topics of discussion that gave rise to the need for considering an update to the original Framework include the following:

– Reflecting the increased use of IT in business operations (e.g., ERP systems, other automation tools, internet);

– Expanding the financial reporting objective to include consideration of management reporting and external reporting more broadly (not intended to affect the scope of Sarbanes-Oxley compliance which remains focused on internal controls over financial reporting), (e.g., enabling reporting on sustainability and various third party standards);

– Providing more detail around key governance principles (e.g., responsibilities of the audit committee, compensation committees, and alignment of incentives);

– Explaining the linkages between Internal Control and Enterprise Risk Management frameworks to enable more effective and integrated application in practice;

– Expanding the discussion on risk assessment

– Reflecting changes in business models (e.g., increased use of outsource providers, increased rationalization of supply chain and infrastructure management)

– Considering the nature and broader impact of fraud in the business environment (e.g., inappropriate use of assets, intentional misrepresentation)

– Making more crisp and concise those areas of lengthy discussion in the original Framework that have become institutional knowledge; and

– Incorporating core aspects of the 2006 Internal Control over Financial Reporting- Guidance for Smaller Public Companies and the 2009 Guidance on Monitoring Internal Control Systems.

 

The update is expected to be analogous to a software update, where the original version remains valid and usable, but the update reflects the additional knowledge and experience gained over time and provides more up-to-date content and a more user-friendly interface.

5. Will the conceptual and logical construct of the Framework (i.e. the three objective categories and five components) be overhauled?

We will review both the conceptual and logical construct with a preliminary expectation that the refresh will be internally consistent with the Framework first developed in 1992 –the three objectives categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations; and the five components: control environment, risk assessment, control activities, information and communication, and monitoring. However, it may be refined to reflect changes in expectations of organizations. For example, we will explore whether the objective related to ‘reliability of financial reporting’ might be changed to ‘reliability of reporting’ and whether the objectives related to effectiveness and efficiency of operations, and compliance with applicable laws and regulations need updating. Finally, it is our expectation that the five components of the framework will remain relatively unchanged.

6. What will be the structural elements of each component within the Framework?

We anticipate that principles and attributes, which have been drawn from the five components of the 1992 Framework, will define the essential considerations for managing or evaluating the presence and functioning of the five components of internal control set forth in the Framework. It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control, or when a principle is not being met, some form of internal control deficiency exists. Attributes represent characteristics associated with particular principles. Although each attribute is generally expected to be present and functioning within an entity, it may be possible for a principle to be present and functioning even though not every attribute relating to that principle is present and functioning. We anticipate these principles and attributes will facilitate mapping of the updated Framework to other frameworks and guidance.

7. Who is involved?

 

PwC will serve as the author and project leader for updating the Framework and reporting to the COSO Board of Directors.

 

To capture views of a broad range of professionals in the market place, COSO has formed an Advisory Council representing industry practitioners as well as representatives and observers from academia, government agencies, and non-profit organizations to capture views of a broad range of professionals in the market place. The Advisory Council is comprised of the following members:

Members

(in alphabetical order by last name)

Company COSO Affiliation
 1. Jim DeLoach

 

 

Protiviti

 

Accounting & Consulting Firm

 2. John Fogarty

 

Deloitte Accounting & Consulting Firm
 3. Trent Gazzaway

 

Grant Thornton Accounting & Consulting Firm
 4. Audrey Gramling

 

Kennesaw State University AAA
 5. Steven Jameson

 

Community Trust Bank IIA
 6. Cees Klumper

 

GAVI Alliance IFAC
 7. Steve McNally

 

Campbell Soup IMA
 8. Thomas Montminy

 

PwC Accounting & Consulting Firm
 9. Al Paulus

 

E&Y Accounting & Consulting Firm
 10. Ray Purcell

 

Pfizer FEI
 11. Tom Ray

 

KPMG Accounting & Consulting Firm
 12. Bill Schneider, Sr.

 

AT&T AICPA
 13. Ken Vander Wal

 

ISACA ISACA

The updated Framework together with the companion guidance on ICFR will be exposed for public comment to capture any additional input from the general public to help ensure that the update adequately addresses internal control challenges that organizations face today.

 

8. To what extent are regulators involved in this initiative?

The SEC, FDIC, GAO, and PCAOB have been informed of this project and have accepted the invitation to attend the Advisory Council meetings as observers. The Advisory Council will provide input to the project. Other regulators may be involved from time to time.

 

9. How will this update to the Framework affect SOX 404 Filers?

 

The underlying attestation process, e.g., SOX 404 (a) and 404 (b) is not expected to change. In the spirit of continuous improvement, what will change is the ability to apply the Framework more effectively in practice with more current applications examples (e.g., control environment, IT/IS and governance), greater alignment with enterprise risk management, and a more succinct and focused document.

 

We anticipate that the Framework will include an appendix of the key revisions made. This appendix may assist Management in reviewing and applying the Framework for its SOX 404 compliance.

 

10. To what extent are international constituencies involved in this initiative?

International input will be sought to maximize alignment with other framework from around the world where possible. IFAC has provided an observer to the Advisory Council. Among the organizations forming the Advisory Council, one comes from overseas and several have international representation. In addition, regulators or standard-setters from other parts of the world will be engaged from time to time.

 

11. What does this mean for other existing COSO frameworks, guidance and tools, such as the Enterprise Risk Management – Integrated Framework, the Guidance for Smaller Public Companies, and the Guidance on Monitoring Internal Control Systems? Will they become obsolete?

COSO’s 2004 Enterprise Risk Management – Integrated Framework and 2009 Guidance on Monitoring Internal Control Systems are expected to remain. The 2006 Guidance on Internal Control over Financial Reporting – Guidance for Smaller Public Companies is anticipated to be superseded by the companion guidance on ICFR to be published with this updated Framework, retaining relevant guidance for small businesses. Depending on the nature and extent of updates deemed necessary, certain concepts from such frameworks, guidance, and tools may be leveraged or enhanced, as applicable.

 

12. How was PwC selected as the project leader?

A thorough selection process was followed for selecting Coopers & Lybrand, a predecessor firm of PwC, to write the original framework in 1992. They were given the right of first refusal for future updating requests and have been engaged to do this update. The PwC team includes senior resources involved in previous COSO projects that bring an in-depth understanding of the 1992 framework and the rationale for decisions made in creating that framework, as well as senior resources that can provide fresh market perspectives.

13. How will COSO and the Project Team get input?

The COSO Board and Project Team will get input from several channels throughout the course of the project:

• The Advisory Council will provide input through quarterly meetings and periodic communications;

• A survey has been made available to the general public (COSO Web Survey Link) through the COSO Board members, Advisory Council, and the COSO website (www.coso.org), soliciting input on the Framework (what is dated or challenging to interpret, how it could be improved or made more current, what is unnecessary and why, what is missing, and other observations);

• Comments can also be provided to the Project Team through the COSO website or via email; and

• The updated Framework will be issued for public comment.

 

If you have any other questions or suggestions, please email icif@us.pwc.com

On September 21st, 2011, posted in: Latest News by