The new COSO Framework includes an updated context relating to issues such as governance, business complexity and technology.
This week, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its long-anticipated updated Internal Control–Integrated Framework. To help convey the nature of the changes, COSO also published an illustrative guide, an executive summary and a list of frequently asked questions (FAQs).
The original Framework appeared in 1992 and later became instrumental in governance, risk management and compliance (GRC) activities thanks in large part to its use in Sarbanes-Oxley Act compliance.
The updated version is the result of 25 months of design, input, draft review and redesign by a large and impressively credentialed project team and COSO Advisory Council. The council is seeded with Big 4, Grant Thornton and Protiviti leaders; top academics; private-industry and not-for-profit executives; and representatives from many of the major professional associations within the GRC, finance and internal audit realm.
So, what’s changed?
I put that question to David Landsittel, chairman of COSO, who identified three key facets of the update:
1. “The discussion of the three fundamental objectives to which controls are applied—reporting, compliance and operational applications—has become more robust;”
2. “The Framework is easier to apply because we have more explicitly described what it takes to conclude that a system of controls is effective;” and
3. “The guidance is presented with an updated context relating to issues such as governance, business complexity and technology.”
(Obviously, there are other changes; I asked Landsittel to crystallize the most important ones.)
Poring over the new Framework and its accompanying information will take time. Even the FAQs (a format suited for tiny bursts of information) eat up 11 single-spaced pages. As I dig through all of COSO’s content on the new Framework, I’m keeping in mind why the update was undertaken in the first place (because business has changed significantly in the past 21 years). I’m also reading very closely whenever the following language crops up:
17 key principles
Point of focus
Controls to effect principles
Landsittel also offered guidance to finance, risk, compliance and audit professionals trying to get a handle on what has changed and what hasn’t. They “should read the publications carefully,” he suggested, “and make an initial assessment of how the updated framework matches up with their existing system of controls—specifically, where are the potential gaps compared with the Framework’s five components and 17 supporting principles?”