Can your company handle the transition from COSO92 to COSO2013 alone and meet the December 2014 deadline? Amy Ribick, CFE, CRMA, manager in the Brown Smith Wallace risk advisory services practice, discusses what will change with the 2013 update and why it’s important to get started on a transition plan early.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently updated the Internal Control-Integrated Framework. The goal is to provide greater clarity and guidance related to the design and implementation of an effective system of internal control. In order to implement the COSO Framework by the December 2014 deadline, companies need to get the process started now, says Amy M. Ribick, CFE, CRMA, manager in Risk Advisory Services at Brown Smith Wallace.
“By starting the process now, organizations can have a structure and plan in place by next spring and make the transition seamlessly ahead of the Dec. 15, 2014, due date,” says Ribick.
Smart Business spoke with Ribick about the COSO Framework, what will change with the 2013 update and the process of transitioning to the new standards.
Who uses the COSO Framework?
Most organizations use the COSO Framework to provide a structure for their internal control environment. While publicly traded companies typically use it to assist in the evaluation of internal control over financial reporting, all companies are able to leverage COSO for their overall internal control framework. COSO provides an approach to designing, implementing and evaluating effective internal controls to help ensure the achievement of a company’s strategic, financial, operational and compliance objectives.
What are the significant changes?
The essences of the COSO cube, as it’s referred to, have not changed. The original Framework has been streamlined and underlying principles have been added, which contain specific areas of focus. These changes provide greater guidance and an opportunity to enhance internal control by bringing focus to the specific principles.
The most significant changes in the update are the 17 principles that have been articulated to help in assessing the internal control environment. Within the principles, there are 79 points of focus to provide further guidance on what organizations should consider when evaluating the environment. Another key part of the new COSO Framework is the focus on corporate governance, technology and fraud awareness. The focus for several years has been on financial reporting controls, but internal controls are broader and intended to address other important business objectives such as fraud or internal reporting used by management to make key decisions.
Can companies handle the transition alone?
Many companies have the necessary skills to handle the transition internally. However, others will struggle with finding the resources and time to be able to focus on the transition. There can be advantages to utilizing an external resource — for example, it helps facilitate the transition process so that management and key members of the team can focus on their day-to-day responsibilities. It also provides companies with an independent, outsider’s perspective that may allow for the identification of opportunities to improve existing practices. When assembling a team, it’s important to include people from all areas of the organization so that all aspects are considered. Particular attention needs to be directed to the principles and points of focus attached to each portion of the COSO cube.
What might be most difficult to implement?
Because there has been so much focus in recent years on internal control over financial reporting, many people assume that’s where controls are needed. Of course, if numbers are reported erroneously or fraudulently, that affects the business. But the COSO Framework points out that bad business decisions and fraudulent activity can occur in any aspect of an organization, not just those related to financial reporting. Education on the importance of sound internal controls throughout an organization will be very important.
Companies also will need to provide evidence, documentation and support of their internal control methodology, risk assessment processes, etc., and show how these principles have been addressed.
This is a big undertaking and companies that start earlier will be able to take advantage of the opportunity to improve the efficiency and effectiveness of their internal control environment.