A decade ago, the compliance clock was ticking quickly as many U.S. public companies were aggressively documenting, testing and enhancing their internal controls over external financial reporting and disclosure to ensure compliance with Section 404 of the Sarbanes-Oxley Act of 2002.

Since then, the majority of these companies have been using the COSO Internal Control Integrated Framework of 1992 as the basis for evaluating the design and effectiveness of their internal controls. In May 2013, however, the board of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its internal control framework, noting that it will supersede the 1992 edition in December 2014. As a result, the SOX compliance clock is ticking again.

This feature provides highlights regarding the updated framework, as well as one approach, including five steps, to transitioning to it.



In 2010, COSO's board initiated a comprehensive review, refresh and modernization of the original framework to ensure that it remains relevant despite dramatic business and operating environment changes and evolving stakeholder expectations since 1992.

Business models have evolved, including greater use of shared services and outsourced service providers, and the demands, complexity and pace of change in rules, regulations and standards have intensified. Regulators and other stakeholders have higher expectations regarding governance oversight, risk management, and the prevention of fraud. The need for competency and accountability is greater than ever before.

In applying COSO's original framework, the business community learned several lessons. For example, practitioners have not fully leveraged the framework, primarily using it for external financial reporting only, which is just a subset of one of three overall categories of objectives. The concept of internal control principles was embedded in the original framework, but it seems it was buried within the details. Thus, codifying the underlying principles; increasing focus on operations, compliance, and non-external financial reporting objectives; and enhancing usability were additional drivers behind COSO's upgrade initiative.



COSO's original framework will remain available through Dec. 15, 2014, at which time it will be considered superseded. COSO's board believes that its continued use during the transition period is appropriate. Companies using COSO for external reporting purposes during the transition, however, should clearly disclose whether the 1992 or 2013 edition is used. If a company is successfully using COSO's 1992 framework for SOX compliance today, is there a compelling reason to complete their transition prior to December 2014? Indeed, do they need to transition at all?

According to COSO's news release issued with the new framework, "COSO believes that users should transition their applications and related documentation to the updated framework as soon as is feasible under their particular circumstances." In a speech soon after, Paul Beswick, chief accountant with the Securities and Exchange Commission, said that "SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or commission actions become necessary or appropriate at some point in the future," but, in the meantime, "I'll simply refer ... to the statements COSO has made about their new framework and their thoughts about transition."

SEC staff offered another hint during a meeting with the Center for Audit Quality's SEC Regulations Committee. Specifically, "The [SEC] staff indicated [that] the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement for a suitable, recognized framework," according to a report in Compliance Week. One can infer that the SEC expects U.S. public companies subject to SOX Section 404 to transition to COSO's 2013 framework on, or before, Dec. 15, 2014, COSO's stated transition date.

As co-lead of Campbell Soup Co.'s original global SOX team, I played a key role in defining Campbell's SOX compliance methodology and approach. Like many companies, we selected the 1992 COSO framework and then leveraged it to assess the design and effectiveness of Campbell's internal controls over external financial reporting and disclosure.

Considering that COSO's newly released framework is a refresh, and the principles and requirements of effective internal control are theoretically embedded in the 1992 edition, I expect Campbell Soup and other U.S. public companies to have a relatively smooth transition. Indeed, assuming that a company properly interpreted the original framework in developing their SOX compliance program, transitioning to the 2013 framework may be limited to updating the format of several summary SOX reports. There should be no impact on the underlying SOX compliance methodology, approach, or key controls.

Even though transitioning may result in few if any changes, you still need to work through it. The following five-step process represents one way to navigate through the transition, although there are surely other approaches as well.



Build an internal awareness and subject matter expertise by obtaining and reviewing COSO's newly released publications, including the Internal Control Integrated Framework & Appendices, the ICIF Executive Summary, the ICIF Illustrative Tools for Assessing Effectiveness of a System of Internal Control, and Internal Control over External Financial Reporting: A Compendium of Approaches & Examples. These publications represent nearly 500 pages of guidance. To obtain an overview, review the ICIF Executive Summary, recent COSO press releases, COSO's ICIF presentation deck, a frequently asked questions document, and other materials available on COSO's Web site, www.coso.org. External auditors, public companies, regulatory authorities, and other relevant parties can also be great resources, as can networking and building connections with peers at similar companies.

As a company begins developing its awareness of the updated framework, the following concepts and insights may be of particular interest:

  • Timeless concepts. Internal control continues to be defined as a process effected by people that is designed to provide reasonable assurance regarding the achievement of an entity's objectives. COSO's 2013 framework still provides for three major categories of objectives -- operations, reporting and compliance -- and still consists of five integrated components of internal control -- control environment, risk assessment, control activities, information and communication, and monitoring activities. The framework continues to be adaptable, allowing you to consider internal controls from an entity, divisional, operating unit, or functional level. Finally, management's important role in designing, implementing and conducting internal control, as well as assessing its effectiveness, is retained.
  • Codified principles. The original framework conceptually introduced 17 principles associated with the five components of internal control. These principles are essential in assessing whether the five components are present and functioning. The COSO board believes that each principle adds value, is suitable to all entities, and, therefore, is presumed relevant. If management determines that a given principle is not relevant to their organization, they should document their rationale.
  • Requirements of effective internal control. Each of the five components of internal control and each relevant principle must be present and functioning for management to conclude that their system of internal control is effective. "Present" implies that a given component or principle exists within the design and implementation of an internal control system. "Functioning" implies that the component or principle continues to exist in the operation and conduct of the control system. Effective internal control also requires that the five components operate together in an integrated manner. If each component is present and functioning, and the aggregation of internal control deficiencies across the components does not result in one or more major deficiencies, management can judgmentally conclude that the components are operating together.
  • Points of focus. COSO's updated framework describes points of focus, which represent important characteristics of the respective principles, to assist management in designing, implementing and conducting internal control, and in assessing whether or not the 17 principles are present and functioning. Relevant and suitable points of focus for a given entity can help you understand the respective principles. There is no requirement, however, for management to separately assess whether these points of focus are in place.
  • Internal control deficiencies. A major deficiency exists, according to the updated framework, if an internal control deficiency or combination thereof severely reduces the likelihood of an entity achieving its objectives. If management determines that a relevant principle or associated component is not present and functioning, or the five components are not operating together, the entity has a major deficiency. When it comes to SOX or other compliance requirements, however, management should only use relevant criteria as established by regulators, standard-setting bodies, and other relevant third parties for defining the severity of, evaluating, and reporting internal control deficiencies.


To conduct a preliminary impact assessment, consider mapping the existing system of internal control against the new COSO framework. Specifically, start with COSO's principles and then conduct a gap analysis by mapping the company's controls to the principles. You will learn whether or not all principles are appropriately addressed, and may realize that certain controls are redundant or unnecessary. You could also go the other way, mapping principles to controls, and still end with an effective system of internal control. There is greater risk, however, that certain principles may be missed or not fully addressed. Or, at a minimum, you may not identify opportunities to scale back or eliminate redundant controls. If you determine there are gaps in the internal control design, they will need to be remediated accordingly.



This step will engage the broader organization, building awareness and pressure-testing the preliminary impact assessment.

SOX compliance efforts, depending on the nature and complexity of the company, may occur centrally or may entail multiple layers of assessment. Each business unit or location, for example, may prepare its own local-level assessments that are centrally rolled up. Either way, you should facilitate broad awareness of COSO's updated framework among key stakeholders, including the board of directors, senior and operational management, process and control owners, and internal and external auditors. Also leverage key stakeholders, especially process/control owners and business-unit SOX leads, to pressure-test the preliminary internal control mapping and impact assessment, especially in a more decentralized or highly complex environment.



Once you have built broad awareness regarding the updated framework, gained alignment that a timely transition is important, and completed a comprehensive impact assessment, it is time to develop and execute the company's transition plan.

During the planning phase, finalize the company's new SOX compliance methodology and approach, define project governance and decision rights, develop a detailed project plan with key milestones, identify and assign resources, and complete other standard planning activities. Most important, be realistic in your expectations, plans and timelines. Even for companies with sophisticated SOX compliance programs today, the effort to transition may be minimal, but there will be effort just the same.

As the transition plan is executed, there will likely be three phases:

  • Documentation and evaluation. During the first phase, the format or flow of underlying documentation may need to be updated, aligning it to the new mapping created during the second step. The underlying documentation must now support management in concluding that each of the five components of internal control and each relevant principle is present and functioning. This phase also entails evaluating the design of the underlying controls and enhancing the design as needed.
  • Validation testing and gap remediation. Once comfortable that the company's controls around financial reporting and disclosure are effective in their design, you need to perform validation testing to ensure that the controls have been implemented and are operating as expected. And if deficiencies are identified, gap remediation may be required.
  • External review and testing. Ultimately, the external auditor will need to assess and gain comfort with the updated SOX compliance program and supporting documents.


Companies will surely complete the transition to the 2013 edition of COSO's framework by December 2014. But in the true spirit of corporate governance, they should challenge themselves to drive continuous improvement thereafter, as there is a difference between having an adequate system and having best-in-class internal controls. For a public company, stronger corporate governance should translate into stronger business results and increased shareowner value.

They should clearly communicate the company's commitment to integrity and ethical values, the importance of maintaining an effective control environment, and the expectation that all employees fulfill their internal control obligations. To truly embed internal control responsibility into the fabric of a company's culture, business processes, and procedures, they should implement a control self-assessment program.

They should also consider using technology to support their monitoring activities, comparing transaction details against predetermined thresholds, monitoring for trends and patterns, and assessing automated performance indicators and metrics. Or they should consider developing dashboards related to key processes, activities or controls that can alert them to potential anomalies or failures. These are but a few examples of how companies can drive continuous improvement of internal controls.

J. Stephen McNally, CPA, is finance director and controller for Campbell Soup's North American supply chain -- Napoleon operations, in Napoleon, Ohio. Reach him at j_stephen_mcnally@att.net. This article originally appeared in The Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of CPAs.
