Manage Tomorrow's Surprises Today

Steven Minsky

A Quick Guide to COSO Internal Controls 2013 Changes

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control - Integrated Framework document all the way back in 1992 to help publicly traded organizations adhere to the Sarbanes-Oxley Act (SOX) Section 404. COSO considers internal controls to be an integral part of enterprise risk management (as does LogicManager), and as such, any changes to the Internal Controls best practices have a direct effect on organizations with Enterprise Risk Management programs.

It seems timely then, with the release of an updated version of COSO's Internal Controls - Integrated Framework, to take a quick look at the changes made and what Risk Managers should be aware of for their own Enterprise Risk Management Programs.

Why did COSO need to update its Framework?

Besides it predating the rise of the internet? COSO needed to update its framework for a variety of reasons, many of which you might expect. The regulatory environment is more demanding and the penalties more severe than they were in 1992. More importantly, the actual speed of business has dramatically increased. The original framework, while comprehensive, was cumbersome to both read and implement. Businesses today value operational efficiency, so the new framework has been slimmed down to cover what's most critical to business today in the areas of financial reporting, compliance, and operations management.

OK, but how much did they actually change?

The structure of the information should look familiar. There are three categories of objectives - Financial Reporting, Operations, and Compliance - and 5 components of internal controls - control environment, risk assessments, control activities, information and communication, and monitoring activities. The reporting narrative has been adapted to include more than just external financial reporting, and the introduction of 17 codified principles, each with more detailed points of focus, gives the document a more detailed, step-by-step approach that may remind organizations of the RIMS Risk Maturity Model structure.

This new structure should assist organizations in applying the Internal Controls framework more broadly, and make it easier to conduct gap analysis between current and ideal adherence.

It doesn't sound like they changed all that much. Is there anything I have to do if my organization currently uses COSO?

That all depends on the specifics of your organization's internal controls framework. COSO's 1992 Framework was highly relational, mapping the connection between internal controls, financial statements, monitoring activities, and various organizational objectives. If your company's internal controls have already been mapped, your adjustment might be as easy as taking those relationships one step further and mapping to the now codified principles under each of the 5 components. If you haven't yet formalized that mapping process, you might benefit from the exploration of ERM software that can assist with that process.

That all sounds like it could be more trouble than it's worth. What's the benefit of updating our framework?

The new framework will improve how your organization identifies gaps in its internal control environment, and a well-documented procedure can pay off in the event of a control failure. Internal controls are a critical component of Enterprise Risk Management, and integrating the two functions into a single, non-siloed platform can drive the continuous improvement the board is looking for when it adopts guidelines like COSO. COSO recommends that organizations complete their transition no later than December 15, 2014, at which point it will consider the original framework superseded.

For more information, or help on how your organization can adhere to COSO's frameworks or others, download our eBook on integrating risk governance areas or contact LogicManager at info@logicmanager.com.

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.