COSO Internal Control—Integrated Framework 1992 vs. 2013

By December 31^st 2014, companies that utilize the 1992 COSO Internal Control—Integrated Framework are expected to have fully transitioned to the 2013 framework.  If you are an organization that is required to report to the Securities and Exchange Commission, this change directly impacts you.  But when you look at what the framework represents, it is obvious that both public and private organizations of all sizes could benefit from adopting elements.  The purpose of the framework is to prevent and detect fraud.  It is a standard framework for designing, implementing, and conducting internal controls; as well as assessing the effectiveness of your current internal controls. 

The standard was updated to account for the ongoing changes in the business environment, i.e. evolving technology, increased outsourcing, changing regulatory environment…  The most significant change in the 2013 framework from the 1992 framework was the addition of 17 principles and 77 focus areas.  These new items further define the five core areas – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.

Elements that would be most applicable to small and medium sized entities include –

• Control Environment – The entity demonstrates a commitment to integrity and ethical values.  Senior Management is responsible to designate the individual(s) responsible to manage the satisfaction of reaching the entity’s internal control objectives; as well as continually developing the individual(s).

• Risk Assessment –The entity sets its internal control objectives; as well as operations and financial goals.  Externally the entity abides by frameworks, laws and regulations.  Internally, risks are identified and their significance established.  Approaches to respond to the risks are established.  Fraud and all the potential ways it can be committed are considered. 

• Control Activities – The entity develops control activities, which include segregation of duties, technology control activities, and policies and procedures.

• Information & Communication – Obtain and generate information.  Communicate this information internally and externally.

• Monitoring Activity – On an ongoing basis, evaluate internal controls to understand their presence and effectiveness.

So how do you start? 

Review the COSO Internal Control—Integrated Framework (Core areas, principles, and focus areas) to understand what elements apply to your situation; conduct an assessment of your organization, seek board/management approval on concept implementation, engage staff through training and communications, develop a transition plan, execute the plan, monitor success and adjust if required.

If you are looking to establish internal controls for the first time, it may make sense to bring in a third party that understands your industry and the common risks, which should be considered.  Team this individual up with an internal resource that understands your entity and your processes.