The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework document all the way back in 1992 to assist publicly traded organizations in adhering to the Sarbanes-Oxley Act (SOX) Section 404. COSO considers internal controls to be an integral part of enterprise risk management (as does LogicManager), and as such, any change to the Internal Controls best practices has a direct effect on organizations with Enterprise Risk Management programs.

It seems timely then, with the release of an updated version of COSO’s Internal Controls – Integrated Framework, to take a quick look at the changes made and what Risk Managers should be aware of for their own Enterprise Risk Management Programs.

Why did COSO need to update its Framework?

Besides its predating the rise of the internet?! COSO needed to update its framework for a variety of reasons, many of which you might expect. The regulatory environment is more demanding and the penalties more severe than they were in 1992. More importantly, the actual speed of business has dramatically increased. The original framework, while comprehensive, was cumbersome to both read and implement. Businesses today value operational efficiency, so the new framework has been slimmed down to cover what’s most critical to business today in the areas of financial and SOX reporting, regulatory compliance management, and operations risk management.

OK, but how much did they actually change?

The structure of the information should look familiar. There are three categories of objectives – Financial Reporting, Operations, and Compliance – and 5 components of internal controls – control environment, risk assessments, control activities, information and communication, and monitoring activities. The reporting narrative has been adapted to include more than just external financial reporting, and the introduction of 17 codified principles, or more detailed points of focus, gives the document a more detailed, step-by-step approach that may remind organizations of the RIMS Risk Maturity Model structure.

This new structure should assist organizations in applying the Internal Controls framework more broadly, and make it easier to conduct gap analysis between current and ideal adherence.

It doesn’t sound like they changed all that much; is there anything I have to do if my organization currently uses COSO?

That all depends on the specifics of your organization’s internal controls framework. COSO’s 1992 Framework was highly relational, mapping the connection between internal controls, financial statements, monitoring activities, and various organizational objectives. If your company’s internal controls have already been mapped, your adjustment might be as easy as taking those relationships one step further and mapping to the now codified principles under each of the 5 components. If you haven’t yet formalized that mapping process, you might benefit from the exploration of ERM software that can assist with that process.

That all sounds like it could be more trouble than it’s worth; what’s the benefit of updating our framework?

The new framework will improve how your organization identifies gaps in its internal control environment, and a well-documented procedure can pay off in the event of a control failure. Internal controls are a critical component of Enterprise Risk Management, and integrating the two functions into a single, non-siloed platform can drive the continuous improvement the board is looking for when it adopts guidelines like COSO. COSO recommends organizations complete their transition no later than December 15, 2014, at which point it will consider the original framework superseded.

For more information, or help on how your organization can adhere to COSO’s frameworks or others, download this eBook on integrating more governance areas into your risk management program, or contact LogicManager at info@logicmanager.com.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
