Internal Controls in 2013

By Treasury & Risk Staff

Updated COSO Framework provides clear principles for determining whether controls are functioning properly in the finance function and beyond.

On Tuesday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework. COSO was formed in 1985 by the AAA, AICPA, FEI, IIA, and IMA to provide thought leadership in three areas: enterprise risk management, internal controls, and fraud deterrence. The organization released its original internal controls framework in 1992. This week’s update is the first revision to that document, and it represents two and a half years of work by COSO and by PwC, which authored the new framework under the direction of the COSO board.

The COSO Framework is designed to be applied companywide, and it can help managers maintain controls over a wide swath of treasury and finance functions. “When people think of controls, they think of general ledgers and external financial reporting, but the Framework is intended to be applied broadly,” says David Landsittel, chairman of COSO. “We articulate three overall objectives that companies can apply controls to—reporting, compliance, and operations objectives—and there’s overlap between them. In the treasury function, certainly there needs to be control over hedging or trading. Depending on the nature of the organization, that might be an operational control, but it might have financial reporting implications as well.”

Across the three objectives, the COSO Framework presents five key components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring activities. In the latest iteration of the Framework, the core objectives and components remain unchanged from the 1992 version, but this version adds a list of principles associated with each component. The idea is that an organization that abides by these principles can ensure that its internal controls infrastructure meets the standards of the Framework.

“In the updated version of the Framework, we articulate 17 principles that need to be addressed in order to conclude that the five components are present and functioning,” Landsittel says. “We believe that making the principles more explicit makes the document easier to apply because it’s easier to see what it takes to have an effective system.” (The principles are listed on page 2 of this article.)

In addition to clarifying internal control requirements by articulating these 17 principles, the revised Framework includes broadened operations and reporting objectives—for example, covering internal management reporting as well as external reporting, for both financial and nonfinancial data. It also provides an updated context that reflects the changes in the business environment over the past two decades, including changes in technology, changes in expectations around governance and compliance, and increased complexity in companies’ business models created by practices such as outsourcing.