
March 2012

Financial Reporting Center

White Paper: COSO 2012 – Updated, Principles-Based, and More Guidance


Abstract
The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework (COSO framework) is used by virtually all business and governmental entities in the United States and is widely used in major countries across the world. This widespread use is a testament to the quality and ease of use of the COSO framework, so why change it? The COSO framework is being changed to keep it relevant in the current and future business world, to emphasize its relevance beyond just financial reporting, and to make it easier to use. This white paper lays out the rationale for changes that are underway in the COSO framework and highlights the implications for CPAs, regardless of whether they are in public accounting or business; with large companies or small companies; or in the profit or not-for-profit sector. The COSO framework was developed to be timeless, and it has shown itself to be conceptually sound and capable of evolution. The updated guidance is intended to further clarify aspects of the COSO framework and to provide guidance that will facilitate both its implementation and the evaluation of internal control. CPAs are encouraged to read the COSO exposure draft and comment on the changes in the COSO framework.

Prepared by
Larry Rittenberg, PhD, CPA, CIA, Professor Emeritus, University of Wisconsin–Madison, Former Chair of COSO
Charles E. Landes, CPA, AICPA Vice-President, Professional Standards Group, COSO Board Member

Introduction
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the first comprehensive framework for internal control following a recommendation of the Report of the National Commission on Fraudulent Financial Reporting in 1987 (better known as the Treadway Commission). In making the recommendation, the Treadway Commission recognized that internal control is a complex, dynamic, and evolving concept and that research up to that point resulted in various interpretations and philosophies related to internal control. COSO's Internal Control–Integrated Framework (hereinafter referred to as the COSO framework) was published in 1992 and constituted a unique framework through its recognition that

• five components of internal control are necessary for effective internal control;
• internal control is designed to assist the organization in achieving its objectives across operations, financial reporting, and compliance;
• the fundamental concepts of internal control apply to all organizations: large or small, for profit and not for profit, and governmental entities;
• management is responsible for effective internal control, with active oversight by boards and those in governance positions; and
• the framework must be fundamentally sound to allow specific internal control processes to evolve with changes in business, technology, and risk.

In December 2011, COSO released for public comment an updated Internal Control–Integrated Framework (Framework) that is intended to help organizations improve performance with greater agility, confidence, and clarity. This paper explains the proposed changes and their impact on CPAs and addresses the question of why change now.

aicpa.org/FRC

Why COSO Is Changing the COSO Framework


Change is part of modern life. As an example, going back 20 years, who would have thought the United States would be moving to financial reporting standards based on a converged Financial Accounting Standards Board and International Financial Reporting Standards framework? Consider technology changes over those same 20 years. Twenty years ago, electronic business was just beginning, cyberattacks were something written about in fictional mystery books, and social media was a term not yet invented. Yet, today, virtually all processing is based on the soundness of IT that has to interact across organizations and, in many cases, across countries. But there is more. Organizations must do a better job of monitoring their supply chain; there are more joint ventures and outsourcing arrangements than could ever be conceived of earlier; cross-border compliance issues are more important; operations and accounting are ever more closely integrated; organizations are ever more regulated; CPAs are increasingly asked to ensure that there are proper controls associated with federal assistance (bailouts or other support); and there are calls everywhere for better monitoring of internal control. Does all this change mean that the COSO framework is obsolete? Quite the contrary! As the COSO board gathered information regarding potential changes to the COSO framework, the universal answer was that the COSO framework remained solid, but there was a need for more guidance in applying the COSO framework in ever-changing conditions. In fact, the Treadway Commission, as previously noted, started with the proposition that internal control is complex, dynamic, and ever evolving to respond to new organizational structures, as well as changes in technology, organizational forms, and governance processes.
With this data in hand, the COSO board established a large cross-sectional advisory team to advise them and engaged PricewaterhouseCoopers to lead the evolution, or refreshing, of the COSO framework.

What Is Not Changing


The basic structure of internal control, the components of good internal control, and the definition of internal control remain the same. The COSO cube (introduced in 1992) shown in figure 1 remains a strong descriptor of internal control, with the one major change that "financial reporting" has been changed to "reporting" to reflect the evolving nature of business reporting:

Figure 1: COSO Cube

Copyright 1992–2012. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

The strength of the COSO cube is that it clearly depicts the objectives across the top and the components of internal control across the front (including the need to build internal control off a strong control environment). Perhaps most importantly, the control framework is intended to permeate all of the organization, whether structured by subsidiary, divisions, operating units, or departments: Everything begins with the setting of objectives. Internal control relates to the achievement of those objectives.


The components of internal control are interactive with the setting of objectives and with each other (for example, the control environment influences the setting of objectives). Moreover, there is a logical flow in the sense that risks are associated with objectives; those risks are managed or mitigated through the control environment and control procedures. Effective communication facilitates the control processes, and all the processes require effective monitoring.

The updated COSO framework retains the cube as a model because of its strength in portraying the integration of internal control across objectives and throughout the organization. The major change to the COSO cube is that the broader term "reporting" replaces the term "financial reporting" as an objective.

Changes to COSO in 2012


The major objectives of the 2012 refreshing of the COSO framework are to update it (a) for changes in the nature of organizations, IT, and the impact of new global structures and (b) to make it easier to use. The most significant changes are

• the adoption of a principles and attributes approach in the framework, which was first introduced in the 2006 COSO Internal Control over Financial Reporting–Guidance for Smaller Public Companies and provides more detailed guidance for designing and assessing the effectiveness of internal control;
• recognizing that reporting takes place in many different forms and at times other than through just the annual financial statements;
• reinforcing the importance of compliance and operations objectives;
• reinforcing the importance and pervasiveness of IT by developing a specific principle related to IT control;
• requiring a specific risk assessment principle related to fraud risk;
• more recognition that operations, compliance, reporting, and the need for internal control often cross boundaries of organizations and countries, whether it be sourcing product, outsourcing of functions, or various types of joint ventures; and
• more detailed guidance on alternative ways in which an organization might implement a component of internal control and thus accomplish effective internal control.

Principles and Attributes. Seventeen principles are systematically derived from the 5 components of internal control to help users understand the fundamental concepts associated with each component. Supporting the 17 principles are 81 attributes, representing characteristics associated with the principles. Although the framework would expect each of the 5 components and 17 principles to be present and functioning, it would not require that all attributes be present. This is because it may be possible that certain attributes of a principle could come together in various ways to achieve the effective attainment of the underlying principle. A summary of the 17 principles is presented as an appendix, and examples of attributes are presented in selected examples that follow.

Reporting. We have clearly moved into an era of instant information. The reporting objective recognizes that investors, owners, regulators, and other users demand more information from an organization and that organizations need effective internal control to ensure that the information is both timely and reliable, regardless of whether the information is operational, financial, graphical versus hard numbers, or prospective. The reporting objective reflects that increase in reporting opportunities and demands.


Operations and compliance objectives. With increasing regulations designed to protect investors, it is not surprising that compliance objectives have taken on greater importance. At the same time, operations and performance data (part of reporting) have become more integrated. All organizations are under pressure to perform more effectively and efficiently. Organizations that do not have strong internal control in these areas will find it difficult to survive.
Compliance: Federal Regulations

We are seeing more and more demand in the United States relative to reporting on internal control over compliance. There has been, over the last several years, a real increase in the amount of federal funds that are being disbursed into our economy, and with that comes reporting requirements by entities. Folks who receive certain levels of federal funds must go through an audit of compliance, which also includes reporting on internal control over compliance. Therefore, there are many auditees, from very small nonprofit organizations to major national organizations, who are required to maintain pretty strict internal control over compliance as a result of receiving federal funds. Therefore, those organizations are going to be impacted by this as well.

Comment by Charles Landes, February 2012 round table on COSO update.

Information Technology. IT has become ubiquitous across organizations and countries. We are interconnected no matter where we are at any moment. Applications are now developed for phones that will take sales orders, data and applications may reside in something now referred to as "a cloud," and there is increased demand for instant and reliable information. The impact of IT is pervasive not only across our personal lives but across all organizations, and the need to properly control IT has never been more important. The updated guidance explicitly recognizes the fundamental role that IT plays in every organization, and IT control is recognized as a specific control principle.

Evolving Nature of Controls

The movement to a constantly connected workforce implementing decisions in an instant has changed the balance between preventive and detective controls. Although both still have their place in an internal control structure, the importance and value of preventive controls has grown significantly. It's useful to know that someone just stole $1 million by processing fake invoices through your accounts payable system, but it's better to stop it from happening in the first place.

Fraud risk assessment. Investors and other stakeholders expect organizations to protect from fraud the resources that have been entrusted to them. In 2006, a principle on fraud risk assessment was introduced in COSO's guidance for internal control over small businesses and is retained here. Although some will, at first glance, look at this as an additional requirement in the COSO framework, it by no means represents such a requirement. Fraud is a significant risk that needs to be addressed in order to achieve the organization's operations, reporting, and compliance objectives. Moreover, when combined with the specific attributes, the COSO framework provides a systematic process in which to assess, mitigate, and control the risk of fraud. See figure 2 for the principle and attributes related to fraud risk assessment as covered in the exposure draft:


Figure 2: Fraud Risk Assessment – Principle and Attributes [1]

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

• Considers Various Ways That Fraud Can Occur: The assessment of fraud considers possible loss of assets, fraudulent reporting, and corruption resulting from the various ways that fraud and misconduct can occur.
• Considers Risk Factors: An entity's assessment considers factors that influence the significance of the loss of assets and the related impact on operations, reporting, and compliance activities.
• Assesses Incentives and Pressures: The assessment of fraud risk considers incentives and pressures.
• Assesses Opportunities: The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations: The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.

[1] All of the principles and attributes are taken from the exposure draft. See www.coso.org to download a copy of the exposure draft.

In essence, we believe that most CPAs will look at the fraud principles and related attributes and understand the consistency of the COSO guidance with Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (AICPA, Professional Standards).

Evolving nature of organizational relationships. Organizations are becoming increasingly boundaryless. Companies have integrated operations across the world; many organizations have increasingly strong supply-chain relationships that require constant communication and coordination; joint ventures are ever more common; and outsourcing takes place in production, customer support, and data processing. The COSO guidance has been significantly updated to address internal control issues across the evolving nature of organizational relationships.

More detailed guidance. The nature of a framework is such that the framework is a conceptual design that is intended to stand the test of time. The COSO framework is such a framework. The components of internal control have remained and have proven to be sufficient as organizations, technology, and societal expectations have changed. However, COSO recognizes that there are significant changes in how companies are governed, how IT has changed the nature of control procedures, and how controls are monitored. COSO has incorporated four significant structural elements into the COSO framework that should ensure its relevance for coming decades:

1. The COSO framework recognizes changes in the nature of reporting.
2. The principles are designed to be timeless and to provide more detailed guidance in implementing each of the components of the COSO framework.
3. The attributes associated with each principle provide additional structure to implementing the principles but are designed to evolve over time and recognize that there are many options in implementing the attributes to achieve the objective underlying the principle.
4. The detailed guidance is thoroughly updated to include current examples of internal control related to all three objectives.


As an example of how these elements come together, we examine the guidance related to the control environment with a specific principle that states the following:

Principle 5. The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.

The guidance identifies five separate attributes of a systematic process to accomplish the principle and, in each case, recognizes that organizations may take different approaches as long as the attribute is present. One of the attributes requires the organization to establish performance measures, incentives, and rewards. This attribute was added to address the potential dysfunctional aspects of compensation programs on controls and the potential override of controls. Detailed guidance is given in the following description of considerations to be addressed in implementing this attribute:

Success Measures and Considerations

Clear Objectives
• Consider all levels of personnel to support the achievement of the entity's objectives.
• Consider the multiple dimensions of expected conduct and performance of the organization, outsourced service providers, and business partners (e.g., per service-level agreements); define objectives and related incentives and pressures.
• Define metrics to transform disparate data into meaningful information on performance.
• Communicate/reinforce the entity's objectives and how each area and level of the organization is expected to support the achievement of objectives.

Defined Implications
• Identify and discuss events that the market has rewarded in the past and those that the market has punished.
• Communicate consequences (positive and negative) of not achieving or fully/partially achieving specific entity objectives.

Meaningful Metrics
• Identify and align performance measures with the significant sources of value creation, and destruction, for the entity.
• Measure expected versus actual conduct and the impact of the deviations, both positive and otherwise.
• Assess the expected impact of performance on risk, operational improvement, and business performance.

Adjustment to Changes
• Adjust performance measures regularly based on a systematic and continuous evaluation of the potential impacts of risks as these evolve over time, as well as the quantification of the associated rewards.

More Principles, More Guidance: The Path Forward


Although the principles and attributes are not intended to serve as a checklist, COSO believes that having these 17 principles and related attributes explicitly laid out in the COSO framework will help preparers and auditors better understand what controls are necessary to achieve an effective system of internal control. One way of using the principles is to view them as being similar to important control objectives. For example, CPAs in business, industry, or government who have responsibility for internal control over financial reporting will want to consider whether their system has controls that are designed and operating to achieve each of the 17 principles. If any of the principles are not present and functioning, the exposure draft states that an internal control deficiency exists. Although the exposure draft is silent on whether the severity of the deficiency represents a material weakness or significant deficiency (because that determination is a matter of professional judgment), any CPA involved with the design or operation of a system of internal control will want to understand each of the principles and whether they are present and functioning within that system of internal control. Similarly, auditors can also use the principles and attributes to help them better understand and assess their client's system of internal control over financial reporting. As part of their risk assessment procedures, if the auditor believes that an applicable principle is missing, or controls are not operating effectively to achieve any of the principles, the auditor needs to evaluate the control deficiency and will also need to understand how that weakness in the system of internal control impacts the risks of material misstatements (whether due to error or fraud) in the financial statements. Additionally, because compliance audits usually require the auditor to test the design and operating effectiveness of internal control over compliance, these principles will also be very helpful in tailoring the auditor's work program in order to understand, test, document, and report internal control deficiencies.

*****

Few things are constant for 20 years. The COSO framework has absolutely stood the test of time, and, correctly so, the COSO board has chosen the twentieth anniversary of the original framework to update its guidance. Although it is difficult to embrace change, we always note that most change is retrospectively viewed as better. Yes, revising the COSO framework is one more change in an almost overwhelming sea of change these days. We are confident that you will find the new document not only easier to use but one that stands ready to continue to evolve with changes in the environment. We urge all readers to let COSO know your thoughts on the proposed COSO framework. Once COSO issues a final document, the AICPA will be developing guidance to assist all CPAs in applying the updated COSO framework.


Appendix: The 17 Principles


Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of the other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Copyright 2012 by American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.
