COSO’s Chairman writes about the global importance of the 2013 COSO Framework while pointing out that there is no excuse for companies in the Middle East not to learn the framework, communicate it to others and use it to help improve their internal controls.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the updated version of its Internal Control – Integrated Framework in May 2013 (the 2013 COSO Framework). The original version of the framework was issued in 1992 and gained wide acceptance, becoming the most widely used internal control framework in the world. To create a logical transition process, COSO announced that the 1992 framework would be superseded effective 15 December 2014.
These efforts support COSO’s mission to “improve organizational performance and governance and to reduce the extent of fraud in organizations”. The update of the Internal Control – Integrated Framework has resulted in several improvements to the original framework, including: emphasis on non-financial reporting objectives (e.g. Integrated Reporting, Sustainability Reporting, etc.), focus on the increasing importance of technology, and attention to fraud risk.
To purchase the 2013 COSO Framework or access publications on risk management, internal control and fraud deterrence, please visit www.coso.org or the IIA Bookstore http://www.theiia.org/bookstore/index.cfm
The framework has been translated from the English version into the following languages, making it truly a global framework:
All US stock exchange listed companies subject to Section 404 of the Sarbanes-Oxley Act of 2002 (management assessment of, and independent audit of, internal control over financial reporting) are given the option of choosing a “suitable” internal control framework. 100% have chosen the COSO Framework. Further, the US Government Accountability Office (GAO) has adopted the framework as part of its Green Book publication on internal control guidance. Aspects of internal control regulations in China, Japan and South Korea have utilized COSO internal control related concepts.
Most recently, under its Companies Act, India has created a requirement for all listed companies to report on internal control, with an independent assessment by the external auditor, who must report on the adequacy of internal financial control over financial reporting. Part of this requirement discusses the use of a framework and specifically mentions the 2013 COSO Framework.
In the Middle East, the 2013 COSO Framework has been translated into Arabic by the UAE Internal Audit Association and was released in November 2014 at the Chief Audit Executives conference in Abu Dhabi, where it was also presented to His Excellency Sultan bin Saeed Al Mansouri, UAE Minister of Economy. Further, several countries in the region have adopted regulation on internal controls (including annual evaluations of effectiveness) for listed companies. While the COSO Framework is not a requirement, several leading companies (such as Etisalat and National Bank of Kuwait) have chosen to adopt the framework as a best practice.
A Broad Definition of Internal Control
COSO defines internal control broadly as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Part of the philosophy of this definition is that internal control is not and cannot be limited to finance and accounting activities but rather encompasses the entire organization and a combination of different levels of employees, management and the board.
Components and Principles that Create Effective Internal Control
The 2013 COSO Framework consists of five key components of internal control, represented across the face of the COSO cube model:
©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used by permission.
The COSO cube allows for the entire enterprise or any component thereof (division, subsidiary, operating unit or function, etc.) to be subjected to the framework. The definition of internal control used as the scope of an evaluation may utilize all or any combination of the three internal control objectives: Operations, Reporting (defined as any combination of internal, external, financial or non-financial reporting) and Compliance. Therefore the framework is both clearly structured and organized, yet flexible.
The five components are defined as follows in the 2013 COSO Framework:
Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.
Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.
Control Activities
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.
Information and Communication
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management.
In addition, there are 17 Principles of effective internal control that support and enable these components:
Supporting each Principle are Points of Focus, representing important characteristics of the Principles. While the 2013 COSO Framework does NOT prescribe specific controls that must be in place, the Points of Focus help guide organizations in the development and selection of appropriate controls. If we look at Diagram 1 across, we can see that there are four Points of Focus supporting the particular principle on integrity and ethical values. A number of controls can address this Principle, such as leading by example, communication (email or staff meetings) on the importance of ethics, and the existence of a formal code of conduct with training and annual attestations.
Under the framework’s methodology, all 17 Principles must be present and functioning in such a way that the five components operate in an integrated manner in order to conclude that internal control is effective. It should be noted that compliance with the Points of Focus is optional. The Principles become present and functioning through responsive control activities that are designed to the correct level of precision and are in fact operating as intended. Operating effectiveness is generally determined through independent testing of the control activity.
Benefits to Internal Auditors
While the 2013 COSO Framework, when implemented correctly, helps organizations to achieve their objectives and improve performance, it is also a way for internal auditors to meet the requirements of the IIA’s Standards and drive positive change within their organizations.
When it comes to the IIA’s Standards, evaluating internal controls using the 2013 COSO Framework mainly helps to address two Standards which can be difficult to implement:
- 2100 – Nature of Work: Relates to the evaluation of governance, risk management, and control processes (Mainly through the Control Environment, Risk Assessment, Control Activities and Information & Communication components).
- 2450 – Overall Opinions: Supporting overall opinions on internal controls with sufficient, reliable, relevant, and useful information (Mainly through the Monitoring Activities component).
Similarly, by promoting a world class control framework, internal auditors can be seen as having up to date knowledge and can use this knowledge to educate management and work with them to improve governance, risk and control processes. Even at private companies in the Middle East, such as the Ali Bin Ali Group in Qatar, the internal auditors are promoting awareness of the framework within their company.
Get Started - Use Some or All of It
As stated in the title of this article, you need to:
- Learn the COSO materials: read and study them, and determine how you can best apply some or all of this material to your organization, all at once or over time.
- Get started by putting the COSO concepts in place: even if it is a small change to begin with, you have to start somewhere.
- Communicate the COSO concepts and materials to others: you cannot be successful alone. This includes your internal audit team, company management, the board and many employees in your organization.
The 2013 COSO Framework is meant to be applied to all companies. COSO can be tailored to any type of organization regardless of size, maturity, industry, location or type (private, public, etc.). For small companies, in some cases the 2013 COSO Framework may be implemented using fewer than 100 key controls. In the Middle East, forward-thinking companies are already using the framework and internal auditors are using it to build awareness of internal control best practice. With this trend and the translation of the 2013 COSO Framework into Arabic, there is no excuse not to use it and benefit from it!
- http://www.nbk.com/corporategovernance/governanceframework/riskmanagementandinternalcontrol_en_gb.aspx (Accessed on 9 January 2015)
- http://www.alibinali.com/coso-internal-control-integrated-framework-workshop-for-aba-finance-team/ (Accessed on 9 January 2015)
ROBERT HIRTH is the Chairman of COSO and is a Senior Managing Director with Protiviti in the United States.