What You Can Do Now About the New COSO Draft

by Norman Marks | November 12, 2012

COSO has released an updated draft of its landmark Internal Control-Integrated Framework. This is an important development for organizations globally, in particular for those who have adopted the framework for their Sarbanes-Oxley (SOX) compliance program. A copy of the draft, including an executive summary, the complete framework, examples for SOX, and evaluation templates, can be obtained from the COSO site at www.coso.org.

So what should organizations be doing now?

This is still a draft and no action is required per se. It is subject to change, however, and I understand that the plan is to issue it in final form in the first quarter of 2013. Organizations will be encouraged to move to it in 2014.

The most significant change is the addition of 17 Principles and related “points of focus” (to help understand the Principles). The definition of internal control has been tweaked, and supplementary documents have been added with the intent of assisting in Sarbanes-Oxley assessments.

This is what I recommend:

• Consider the 17 principles, each of which is supported by “points of focus.” While it is debatable whether you must have all 17 in place before your system of internal control qualifies as “effective,” they are all good practice.

I would assess whether all the principles are adequately addressed. If not, why not? Can you explain why they are not necessary, perhaps because the risk to the achievement of objectives is acceptably low? When it comes to controls over financial reporting, do you think your external auditors would agree that the risk is low?

If there are areas for improvement, then consider how you can address them. There is time before the updated framework is finalized, but why not take care of any issues now?

• I believe the directives from the regulators—to have a top-down and risk-based approach to internal control over financial reporting—will not change. So I doubt that you will need to make major changes to accommodate the updated framework. However, you should make sure you have solid risk assessment and that each of the risks is addressed by effective internal controls.

I would also initiate conversations with the external auditors. While I suspect some will want to move away from a risk-based approach to one based on assessing the 17 principles, I would resist such a change and press for a continuation of the approach required by the SEC guidance and Auditing Standard Number 5.

COSO has included tools specifically for SOX. As I have written in my IIA blog, I believe these to be fatally flawed and would not use them. They are inconsistent with a risk-based approach and I expect them to be replaced.

Overall, I believe there is a great deal of value in the updated framework. While it is still in draft form, there is value in considering now just how it might be used to improve your system of internal control.

For additional guidance on an efficient system of internal control over financial reporting, you might consider this publication from the Institute of Internal Auditors.

Norman Marks, CPA, is a vice president with SAP and a long-term internal audit and risk-management practitioner. He has been honored for his thought leadership by the Institute of Risk Management (honorary fellow) and the Open Compliance and Ethics Group (fellow). He regularly blogs and provides updates on Twitter, @normanmarks.