Due date looms for adapting to the changes in the COSO Framework and their impact on Sarbanes-Oxley 404 compliance (English version)
Jean Kester, Partner, LehmanBrown International Accountants
COSO’s Internal Control – Integrated Framework, updated and issued in May 2013, must be transitioned into use by December 15, 2014.
Overview
In 1992, five nonprofit sponsoring organisations came together as the Committee of Sponsoring Organisations of the Treadway Commission (COSO) to create a framework of internal control concepts that would help organisations improve operational performance and corporate governance, using internal controls, risk management and control activities to deter fraud. The result was Internal Control – Integrated Framework (the 1992 Framework). This framework, which helps companies design and implement internal controls and assess the effectiveness of an entity’s internal control structure, is the internal control framework most widely used by publicly listed US entities to aid compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). SOX 404 requires US publicly listed entities to perform an annual assessment of the design and operating effectiveness of their internal controls over financial reporting.
In 2013, COSO issued a revised Internal Control – Integrated Framework (the 2013 Framework), to be transitioned into use by December 2014. Many companies will already have transitioned to the new Framework, but for those that have not, only a few short months remain to do so before the deadline, year-end and the annual audit season.
The 2013 Framework is illustrated in the following COSO “Cube”, demonstrating the relationships of the components and objectives of an internal control structure under the 2013 Framework.
In this article, we briefly summarise the major changes and differences from the 1992 Framework, indicating where a company’s internal control structure, analysis and documentation may need to be changed to comply with the 2013 Framework guidance.
Summary of the major changes
Expanded coverage of type of reporting addressed
The 1992 Framework focused on external financial reporting. The 2013 Framework adds objectives related to internal financial and nonfinancial reporting, so it now reaches across a broader spectrum of an entity’s internal control structure.
Explicit documentation over 17 principles
The updated 2013 Framework now contains explicit discussion of 17 principles in the five major components of internal control. The five major components are Control Environment, Risk Assessment, Control Activities, Communication and Monitoring. These five components comprise the backbone of the Framework.
These 17 principles are not new; they were introduced in the original 1992 Framework. There, however, they were offered as guidance, whereas the 2013 Framework requires them to be addressed. All 17 principles must be present and functioning effectively in a company’s internal control structure. Each company must address each principle specifically and formally document its rationale if a principle is deemed not applicable.
The 17 principles consist of the following concepts (2):
Control Environment
- Commitment to integrity, ethical values, and the behavior of key executives.
- The company maintains appropriate corporate governance and oversight.
- The company creates an appropriate organisational structure and ensures assignment of authority and responsibility.
- Management demonstrates a commitment to competence.
- Accountability is established and enforced.
Risk Assessment
- Appropriate entity-level objectives have been established and communicated.
- A risk assessment process allowing for the identification and analysis of risk has been established.
- Fraud risk is assessed.
- Established processes exist to identify and analyze significant internal and external changes that may affect the entity.
Control Activities
- Control activities are designed and developed.
- General controls over information technology are designed and developed.
- Policies and procedures set out the control activities.
Communication
- Information systems provide management with relevant external and internal information, and that information is provided to the right people.
- Adequate internal communication systems are in place.
- Appropriate external communication systems are in place.
Monitoring
- Periodic evaluations of internal control are made.
- Management analyzes and communicates known deficiencies and responds appropriately to risks related to those deficiencies.
Other General Significant Changes
The 1992 Framework, while indicating that management should consider fraud risk, did not specifically make assessing fraud risk a requirement of management’s evaluation of the internal control structure. Other significant changes relate to new terms and definitions for deficiencies in the internal control structure. While deficiencies were addressed in the 1992 version, the 2013 version discusses Deficiencies and Major Deficiencies and notes that companies should also follow accounting and regulatory guidance when assessing the significance of any deficiencies noted in their assessment of the design and effectiveness of their internal control structures.
Information available to assist in the process
Focus Points to Consider
The updated 2013 Framework also provides points of focus to consider for each of the 17 principles. While neither required nor all-encompassing, these points of focus will help guide management through the analysis of their internal control structure, any potential need for changes in controls, and potential changes in the assessment process. They will be especially useful in the first year of transition.
Overall Impact of the Changes
The updated 2013 Framework will require each company that has adopted COSO’s 1992 Framework to look at its entire internal control structure, the documentation supporting that structure, and the assessment process used to evaluate that structure, to ensure compliance with the new guidance under the 2013 Framework. Each company will need to consider whether areas must be revised to incorporate the new requirements, including addressing the 17 principles and fraud risk specifically, using the points of focus as examples to assist with the analysis.
_____________________________________________________________________
APPENDIX: COSO Guides and Appendices
The following publications have been issued by COSO related to the 2013 Framework:
- Internal Control—Integrated Framework Executive Summary
- Internal Control—Integrated Framework and Appendices
- Internal Control—Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
LehmanBrown is a China-focused accounting, taxation and business advisory firm, combining years of international expertise with practical China experience and knowledge. For further information on how we can support your business, please contact us at: enquiries@lehmanbrown.com
(1): From Internal Control – Integrated Framework, COSO, 2013.
(2): See COSO’s Internal Control – Integrated Framework, 2013, for full descriptions of the 17 principles.