Charting the course for COSO
In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework—the first update to be released in more than 20 years. With the introduction of the 2013 COSO Framework, clients have an opportunity to reassess the effectiveness and efficiency of their internal controls related to their financial reporting, operations, and compliance objectives.
Key changes to the 2013 COSO Framework
The fundamental internal control components of the original COSO Framework were retained in the updated 2013 Framework and include:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
However, the 2013 Framework includes a few significant changes, including:
Establishing 17 “principles” to describe each component of internal control
- All 17 principles must be “present and functioning” for a company’s system of internal control to be deemed effective.
- As a result, the 2013 Framework creates a more formal structure for the design and evaluation of the effectiveness of internal control.
Providing “points of focus” to support each of the 17 principles
- The points of focus are helpful when evaluating the design and operating effectiveness of a company’s controls to address the principles.
Updating guidance within each of the components of internal control, including:
- The 2013 COSO Framework provides more detailed discussion of risk assessment concepts, including explicit consideration of the potential for fraud and the importance of fraud risk assessments.
- The 2013 COSO Framework includes considerations related to IT and provides guidance for ensuring the quality of information.
- As clients increase their reliance on Outsourced Service Providers (OSPs), the 2013 COSO Framework provides guidance on third-party risk management and monitoring.
How we can help
Deloitte’s COSO specialists have extensive experience in internal control, serving global clients across all industries. We can help:
- Educate and train clients on the new COSO Framework
- Assess the impacts of COSO on our clients’ design and evaluation of internal control
- Assess clients’ current processes, activities and available documentation regarding meeting the new COSO principles and points of focus
- Evaluate clients’ existing testing, monitoring and documentation processes
- Perform COSO gap assessments to identify control gaps or the need for enhanced control testing
- Identify the steps that need to be performed to transition to the 2013 Framework
- Create and implement a COSO transition, monitoring and reporting plan
- Share implementation challenges and best practices
- Implement an internal COSO communications plan with all groups responsible for implementing, monitoring and reporting on the organization’s internal control.
COSO implementation: Challenges and best practices
To truly unlock the value that can be achieved by adopting the 2013 Framework, clients should take a step back and evaluate how they are addressing risks to their organization in light of their company’s size, complexity, global reach and risk profile. When implementing the 2013 Framework, there is a difference between doing the minimum to address the framework’s principles and doing the right thing to effectively address the principles. Companies that choose to do the right thing may unlock value, reduce fraud risk, avoid financial reporting surprises and support sustained business performance over the long term.
The table below summarizes the 2013 Framework’s principles by component, and the bullets that follow list common challenges that companies are experiencing as they work to implement the framework.
Table: Control components and principles
Key challenges and corresponding principles
- Demonstrating an effective ethics program (Principles 1, 2)
- Performing risk assessments, including effective fraud risk assessments (Principles 7, 8)
- Identifying changes and incorporating them into the risk assessment process (Principle 9)
- Segregation of duties (Principles 10, 11)
- Effectively designing management review controls (Principles 10, 12, 13, 16)
- Outsourced Service Providers (Multiple Principles)
Beyond ICFR: Using the Framework for operational and regulatory compliance
Use of the 2013 Framework outside the financial reporting context can provide helpful and necessary discipline to boards and audit committees as they address the increasingly complex array of risks they oversee. It can also provide management with a consistent and efficient framework to define, implement and monitor its control structure, helping to continually improve its overall risk management processes.
Clients can use the 2013 Framework to address:
Banking regulatory compliance
- Many banks and capital markets firms are applying the principles of the COSO framework to design quality-assurance review functions over operational and regulatory reporting. For more information about compliance trends in the financial services industry.
Cyber security risks
- Principle 6 in the 2013 Framework (the organization specifies objectives with sufficient clarity to enable the identification and assessment of related risks) provides several points of focus on how to articulate operations, reporting and compliance objectives. Stating those objectives clearly is the starting point for a cyber risk assessment, because it identifies the information, systems and processes whose compromise would actually matter to the organization.
Supply-chain risk management
- As a result of certain regulatory and operational risks, such as food and product safety, conflict minerals and consumer discontent with product performance, companies have increased their focus on proactively identifying and managing risks in the supply chain. For more information, see Deloitte’s From Risk to Resilience: Using Analytics and Visualization to Reduce Supply Chain Vulnerability.
Clients are using the 2013 Framework’s concepts to establish new programs or enhance existing ones that:
- Ensure that OSPs understand management’s commitment to integrity and ethical values.
- Incorporate risks originating at OSPs into the company’s risk assessment process.
- Develop monitoring procedures for key performance indicators related to service-level agreements as a means of identifying issues early.
Clients may also want to consider developing a process to apply Principle 9 (identifying and assessing changes that could significantly affect the system of internal control) and related concepts when major changes are identified, in order to sustain and continuously improve internal controls related to operational or regulatory compliance.