From Securities Regulation Daily, May 14, 2013

COSO Issues Updated Internal Control Framework

By Jim Hamilton, J.D., LL.M.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has updated its Internal Control Framework, which has significant ramifications for public company reporting and auditing. While the new framework supersedes the original 1992 Internal Control Framework, said COSO, it does not alter the core principles of the original framework. Concepts and guidance have been refined to reflect the evolution of the operating environment and the changed expectations of regulators and other stakeholders. In one sense, COSO recognizes, as do others, that the core principles of internal control over financial reporting are timeless. There will be a transition period to the new Internal Control Framework until December 15, 2014. During the transition period, COSO will consider use of the original Internal Control Framework as being appropriate, subject to disclosure of such use.

Internal Control Framework. The updated Internal Control Framework is consistent in many respects with the original Framework and retains the core definition of internal control and five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. Also, the updated Framework continues to apply judgment in developing, implementing, and assessing effective internal control.

One of the more significant updates is the formalization of fundamental concepts introduced in the original Internal Control Framework. In the updated Framework, these concepts are now principles associated with the five components. These principles provide clarity for understanding the requirements of effective internal control to facilitate designing and implementing a system of internal control and assessing its effectiveness. The Framework also includes points of focus that highlight important characteristics relating to these principles.

In response to public comments on the exposure draft, COSO clarified the requirements for effective internal control. COSO posited that an effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories of objectives, that is, operations, reporting, and compliance. It requires that each of the five components of internal control and relevant principles is present and functioning, and that the five components are operating together in an integrated manner.

Section 404 of Sarbanes-Oxley. The updated Internal Control Framework is not expected to change the dynamic of Section 404 of the Sarbanes-Oxley Act. Section 404(a) of Sarbanes-Oxley requires that annual reports filed with the SEC be accompanied by a statement by company management that management is responsible for maintaining adequate internal controls.

In the report, management must also present its assessment of the effectiveness of those controls. In addition, Section 404(b) requires the company's auditor to report on and attest to management's assessment of the company's internal controls.

SEC rules require that management's evaluation of a company's internal controls pursuant to Section 404 be based on a suitable, recognized control framework established by a body that follows notice and comment procedures. The Commission has identified the COSO Internal Control Framework as such a framework.

While PCAOB auditing standards are neutral regarding the internal control framework that auditors use for testing and evaluating controls, Board standards require auditors to use the same internal control framework that management uses, and the overwhelming majority of U.S. public reporting companies use the COSO framework.

Changes to the COSO framework would thus have significant implications for audits conducted in accordance with PCAOB standards. Changes to the COSO framework could lead companies to make changes to their controls, their control documentation, or management's process for assessing the effectiveness of internal controls, which, in turn, could affect the auditor's procedures regarding internal controls.

COSO indicated that its updated Internal Control Framework is not expected to change the underlying assessment and attestation process of Sections 404(a) and 404(b) of Sarbanes-Oxley. The original Internal Control Framework has proven to be one of the most widely accepted frameworks for designing and evaluating systems of internal control, and this dynamic is expected to continue under the updated framework.

Indeed, the updated Internal Control Framework should enable more effective application in the practice of internal control over operations, compliance, and reporting. Certain concepts and discussions have been refined to reflect changes in the business environment and in expectations in the marketplace.
