The internal control framework that was unveiled last year by the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, will take some time to adjust to, but the Securities and Exchange Commission is encouraging companies to transition to it by the end of this year.
COSO issued the Internal Control – Integrated Framework last May, the first significant update since 1992 (see COSO Releases Updated Internal Control Framework). The new framework takes into account many of the changes that have occurred in the world since that time, including the growth of the World Wide Web and the passage of the Sarbanes-Oxley Act of 2002.
“The new framework was brought out in May of 2013, with an implementation due date of Dec. 15, 2014,” said Amy Ribick, manager of risk advisory services at the accounting firm Brown Smith Wallace in St. Louis. “So we’re looking at about 10 months from now, all companies that use the COSO framework to structure their internal audit function and their internal controls function will need to shift over to the revised and enhanced framework.”
Ribick sees many advantages in the new framework. “What this update to the framework did was it brought out that businesses are different today than they were back in 1992,” she said. “They are more technology driven. There is more fraud out there, unfortunately, for people to experience. What the framework has done is it has pulled out a lot of what was already in the original framework and created additional principles and points of focus. Within each principle you have several points of focus, so that way it just gives everybody that’s going through this implementation process a structured guideline to think through the internal controls of their organization.”
She believes COSO 2013 has built on the earlier framework to give companies a way to structure their internal controls and think through the possible risks they face. Ribick advises clients to start getting ready for implementation of the new framework.
“Companies should be discussing the updates to their framework at this point if they have not already started the discussions,” she said. “A lot of people have a 12/31 year-end, and they’re still trying to wrap up the year, so I expect that this will actually pick up a lot of speed come the late March, early April timeframe. But what companies should be doing is developing a plan to look at their current internal controls structure in comparison to the principles and points of focus and see how they have changed for that organization. Once they do that, there may be some gaps, so they should put together a team of key management to make sure that everybody is aware of the changes that need to occur, making sure all the stakeholders are educated.”
Educating the relevant executives and employees at the company about the new framework will also be important, especially the board of directors to explain why the organization is going through this process.
“I’m sure there will be a lot of board discussions on why they are spending the time going through the internal controls if they already feel like they’re good,” said Ribick. “I think the first couple of discussions of the COSO 2013 framework will be to figure out the game plan on how to go about it. That could mean bringing an outside vendor in to help with that transition. That could also mean building a team internally of all the different departments.”
Ribick pointed out that COSO 2013 is not only focused on financial reporting. “It’s actually looking at the operational side of businesses too, so that will also cause some departments that maybe haven’t been the focus to be involved in those discussions,” she added.
Public companies need to include a statement in their financials indicating which framework they’re operating under for 2013 through 2014. “You may see that some companies are using a tailored approach to COSO, but that’s because they don’t feel like it’s 100 percent applicable to them,” said Ribick. “At the very least, I’ve been telling organizations and companies to start with the entire framework and at least document where you’re at and where you feel like your gaps are, and then discuss those with management and the rest of the team, with any of the stakeholders or shareholders, and then get a good plan in place by late April at the latest to start transitioning, if there are any transitions that need to occur throughout the year.”
Companies can work on their enterprise risk management while they are preparing for the transition to the new internal control framework.
“My advice is to read through the framework and get a grasp of the principles and points of focus and then compare that to your current internal controls structure and your internal controls that have been identified,” said Ribick. “Put together a detailed plan to assess those gaps and appropriately educate the company. This shouldn’t be a scary thing. COSO just got the framework up to speed for where organizations are already at. It’s very focused on technology and fraud awareness. Regardless of company size or requirements, or if you’re public or private, it’s just a good sound framework to base your internal controls on for your organization.”