A Quick Guide to COSO Internal Controls 2013 Changes

The Committee of Sponsoring Organizations of the Treadway Commission (C... released its Internal Control – Integrated Framework document all the way back in 1992 to help publicly traded organizations adhere to the Sarbanes-Oxley Act (SOX) Section 404. COSO considers internal controls to be an integral part of enterprise risk management (as does LogicManager), and as such, any changes to the Internal Controls best practices have a direct effect on organizations with Enterprise Risk Management programs.

It seems timely, then, with the release of an updated version of COSO’s Internal Controls – Integrated Framework, to take a quick look at the changes made and what Risk Managers should be aware of for their own Enterprise Risk Management Programs.

Why did COSO need to update its Framework?

Besides it predating the rise of the internet?! COSO needed to update its framework for a variety of reasons, many of which you might expect. The regulatory environment is more demanding and the penalties more severe than they were in 1992. More importantly, the actual speed of business has dramatically increased. The original framework, while comprehensive, was cumbersome to both read and implement. Businesses today value operational efficiency, so the new framework has been slimmed down to cover what’s most critical to business today in the areas of financial and SOX reporting, regulatory compliance management, and operations risk management.

OK, but how much did they actually change?

The structure of the information should look familiar. There are three categories of objectives – Financial Reporting, Operations, and Compliance – and 5 components of internal controls – control environment, risk assessments, control activity, information and communication, and monitoring activities. The reporting narrative has been adapted to include more than just external financial reporting, and the introduction of 17 codified principles, or more detailed points of focus, gives the document a more detailed, step-by-step approach that may remind organizations of the RIMS Risk Maturity Model structure.

This new structure should assist organizations in applying the Internal Controls framework more broadly, and make it easier to conduct gap analysis between current and ideal adherence.

It doesn’t sound like they changed all that much. Is there anything I have to do if my organization currently uses COSO?

That all depends on the specifics of your organization’s internal controls framework. COSO’s 1992 Framework was highly relational, mapping the connection between internal controls, financial statements, monitoring activities, and various organizational objectives. If your company’s internal controls have already been mapped, your adjustment might be as easy as taking those relationships one step further and mapping to the now codified principles under each of the 5 components. If you haven’t yet formalized that mapping process, you might benefit from the exploration of ERM software that can assist with that process.

That all sounds like it could be more trouble than it’s worth. What’s the benefit of updating our framework?

The new framework will improve how your organization identifies gaps in its internal control environment, and a well-documented procedure can pay off in the event of a control failure. Internal controls are a critical component of Enterprise Risk Management, and integrating the two functions into a single, non-silo platform can drive the continuous improvement the board is looking for when it adopts guidelines like COSO. COSO recommends organizations complete their transition no later than December 15, 2014, at which point they’ll consider the original framework superseded.

For more information, or help on how your organization can adhere to COSO’s frameworks or others, download this eBook on integrating more governance areas into your risk management program, or contact LogicManager at info@logicmanager.com.

© 2020   Created by Boris Agranovich.   Powered by
