CFOs and their staffs could gain some mental clarity about how to apply internal controls more effectively in the form of a guidance document released last week, its framers think.
Their intent, after all, is to provide more practical details than the framework it replaces. The Internal Control-Integrated Framework culminates a two-and-a-half-year-long project aimed at revamping guidelines dating back to 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO a joint initiative of the American Accounting Association, American Institute of CPAs, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors.
The new guidelines spell out 17 principles the authors contend that corporations need to follow for their internal controls to be effective. They include “demonstrates commitment to integrity and ethical values; exercises oversight responsibility; establishes structure; authority and responsibility; specifies suitable objectives; and identifies and analyzes risk.” While the principles were implied in the earlier guidance, they weren’t specifically cited until the release of last week’s framework.
As David Landsittel, chairman of COSO, explains, the new framework’s 17 principles put “meat on the bones” of five parameters that make up the core principles of internal controls—the control environment, risk assessment, control activities, information and communication, and monitoring activities. “For a framework to be effective, all five components need to be present and functioning and operating together,” he says.
Compared to the previous framework, which is still widely followed by companies, more detailed steps are now included on how companies can deter and detect fraud by increasing their focus on operations and compliance. In a survey taken by COSO in 2011, 700 stakeholders and users of the 1992 framework cited operations and compliance, among other areas, as an important area for internal controls.
Recognizing how new technology plays an important role within operations and compliance is also a new change for the framework, according to Landsittel. The framework now expands upon the discussion of technology in several chapters. “Technology is much different than it was in 1992. We might have had Internet and e-mail, but it was certainly not prevalent back then–and certainly not prevalent for business use back then,” he says.
The new framework also includes approaches to and examples of how to apply the principles to preparing financial statements of both public and private and not-for-profit entities. Respondents to COSO’s survey, according to Landsittel, were interested in having better guidance on how to avoid problems stemming from a lack of internal controls, which can often lead to the restatement of financial results. “The new framework expands the external financial reporting [category] in the framework,” he said, “to include external and internal reporting and … non-financial as well as financial reporting.”
The new framework also focuses more strongly on the role of a corporation’s board and board audit committee than the prior guidance did. “There’s more importance of the oversight role of the board of directors and the importance of the oversight role of the audit committee. Those were in the 1992 framework but we’ve extended the discussion of that,” says Landsittel.
Both the board and individual employees are accountable for internal controls, COSO maintains. The new framework states that “management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” It further notes that “the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”
“It also mentions the compensation committee, which wasn’t mentioned at all back in 1992,” adds Landsittel. Typically the board of directors appoints the compensation committee.
The changes are needed because “business models have become more complex since 1992,” he says. “The guidance is framed in a current context rather than a 1992 context,” meaning more practical applications to modern business operations are used. “There’s outsourcing, for example, which is much more common than it was then. The framework recognizes that.”
The old framework will continue to be available until December 15, 2014, says Landsittel. But COSO is encouraging a move to the new framework at a quicker pace. Both frameworks will be available initially, but those companies that apply the framework should explain which framework they are using in their financial statements, he notes.
COSO launched the project to update the prior framework because that was what stakeholders said they wanted. “Do we need to start over with a clean piece of paper or do we need to just update it?” asked Landsittel, describing the process of how the framers determined what needed to be changed from the earlier framework. “Eighty percent of people said all you need to do is update it. The present existing framework was still relevant.”