Comment Letter - COSO 2012: The Release of the New Internal Control-Integrated Framework

Article in SSRN Electronic Journal, March 2012
DOI: 10.2139/ssrn.2033215

Authors: Henk den Boer, Remko Renes (Nyenrode Business Universiteit), Luc. C. van Zutphen

Henk den Boer, henkdenboer@fermera.nl
Remko Renes, remko@regera.nl
Luc. C. van Zutphen, elvanzet@kpnplanet.nl

As per address: Brederolaan 54
2692 DA 's-Gravenzande
The Netherlands

's-Gravenzande, March 27, 2012

Re: The release of the new Internal Control- Integrated Framework

Dear COSO-Committee,

We received the new (draft) report on Internal Control-Integrated Framework with
great enthusiasm. It is an excellent moment to update the former COSO report with
the developments that have taken place since the original report was issued.

As you describe in the accompanying letter, one of the most significant
enhancements is the codification of internal control concepts into 17 principles and
supporting attributes. It will certainly support organizations as they apply judgment in
managing risk and improving performance in an increasingly complex and rapidly
changing environment.

Since 1992, many standards and methodologies have been adopted around the world in which the basics of
the COSO report have been built in. Examples of this are the global adoption of the
COSO framework within the International Standards on Auditing (ISA) and, e.g., the
audit methodology of both internal and external auditors around the world. Revision
of the original COSO report will therefore have consequences for all kinds of documents all over
the world.

In general, we are of the opinion that issuing a new draft COSO report gives a good
opportunity to bring in some relevant (inter)national developments. After studying the
current new draft report, we think that the final report should provide explicit
clarification on some major points.

Therefore we have the following comments:

1. Status of COSO-ERM
2. Neglecting the category of ‘safeguarding of assets’
3. The relationship with SOX and Corporate Governance requirements
4. Internal Control Assessment and Soft Controls
5. IT developments

1. Status of COSO-ERM

In 2004 COSO issued the report Enterprise Risk Management-Integrated Framework
(ERM report).
Risk Assessment is a part of the total framework as set out in the original COSO
report from 1992. The ERM report states (page 8) that Internal Control is an
integral part of enterprise risk management. Where exactly the Internal Control
Framework fits into the ERM framework is not clear and also, vice versa, it is not
clear in the new draft COSO report how the ERM report relates to the new draft
report.

Appendix D states that it outlines the relationship between the
Internal Control Framework and the Enterprise Risk Management Framework. It is
said that Enterprise Risk Management is broader than internal control.
Strategic objectives are not included in the COSO Framework. We are of the opinion
that Risk Assessment also has to deal with risks resulting from strategic choices.
It is our conclusion that ERM in fact should comprise two different parts:
1. Risks at a strategic level
2. Risks in the categories of: operations, reporting and compliance.
In our opinion the risks mentioned under 2 are part of Risk Assessment as part of
the COSO Framework and they should be presented in that way.
Moreover, we would support broadening the COSO Framework with Risk Assessment
based on the chosen strategy. A more explicit connection between the category of risks
and objectives at a strategic level and the internal control objectives and risks in the
traditional three categories will provide an excellent aid for all those companies that
have implemented COSO ERM for management purposes and apply COSO 1992
for compliance purposes.
When both parts of the ERM Framework are dealt with in this way, it will be possible
to make a consistent total framework.

With the current draft COSO report it is still not clear what a consistent total
framework looks like. We consider that a missed opportunity.

2. Neglecting the category of ‘safeguarding of assets’

In 1994 an Addendum was issued with regard to the part 'Reporting to External
Parties' and more specifically with regard to the aspect of safeguarding of assets.
This was based on suggestions made by some parties, including the U.S. General
Accounting Office.

Since then, the aspect of safeguarding of assets has been brought into the law in a lot of
countries other than the US (e.g. in Government Regulation Nr. 60/2008 in
Indonesia, Art. 1.1: "... security of state assets ..."). In those countries the aspect of
safeguarding of assets is a normal part of the definition of internal control.

The aspect of safeguarding of assets as set out in the current draft COSO
Framework (see principle 8, par. 258) neglects these international
developments in this respect.

We would strongly recommend taking the international developments into account,
especially with regard to the definition of Internal Control, in order to get broad
acceptance around the world by as many organisations as possible. We would
support a more explicit clarification of the status of the 1994 Addendum in
relationship to the current COSO Internal Control Framework Exposure Draft.

3. The relationship with SOX and Corporate Governance requirements

Since the publication of the Cadbury Report in 1992 (The Financial Aspects of
Corporate Governance), Corporate Governance regulation both in formal law (e.g. the
Sarbanes-Oxley Act) and in informal law (codes) has raised attention to internal
control and in-control statements. The COSO 1992 framework is globally perceived
as the world standard for both management and auditors involved in internal control
audit and disclosure. Internal control has become an important subject, and COSO is
on the table within boardrooms around the world.

While COSO originated from anti-fraud developments in the US, Corporate
Governance regulation raises other issues, broader than the prevention of fraud and
fraudulent financial reporting only. Corporate governance deals with the roles and
responsibilities and the division of power at the top of companies between executive
and non-executive board members, auditors, audit committees, internal oversight
bodies, and the relationship with oversight authorities, shareholders and other
stakeholders.

In our opinion the COSO Internal Control Framework will benefit when the
relationship between internal control and corporate governance at large is detailed
more explicitly than in the current COSO exposure draft. This will especially be the
case when the tone at the top, emphasised in the COSO framework, is primarily the result
of those responsible for governance. It is our opinion that COSO will then
become a more valuable tool for those involved in governance at companies around
the world.

4. Internal Control Assessment and Soft Controls

A COSO-based assessment emphasises formal controls and under-emphasises
informal controls, although COSO itself considers informal controls to be a possible
replacement when there is a lack of formal controls (mitigating controls). The
evidence-gathering process required for both the management assertion and the
external auditors' opinion on internal control requires evidence, and evidence is
perceived as evidence when it proves the execution of control activities. Formal
controls can be proven more easily than the design and operating effectiveness of
informal controls. The emphasis on formal controls raises the question as to what
extent informal management controls (soft controls), effectively implemented in
organisations, will be rewarded positively in a management control assessment
following the COSO framework and evaluation tools.

We would welcome a clear message in the COSO final revised framework as to how
soft controls can be applied to contribute to an effective internal control system.

5. IT developments

The meaning and the use of IT are considered in all of the 5 components of the new
draft COSO report. Principle 11 mentions specifically 'general control activities over
technology'. A lot of the examples are modern and practical and clearly part of the total
system of controls.

Compared to the 1992 edition this is, in our opinion, an important supplement and
improvement. A consequence of the choice of a 'principle-based framework' is the
absence of a structured approach to IT controls.
In our opinion it would be desirable for the new COSO report to give guidance
on that topic, especially in the light of the forthcoming 5th revised edition of the
COBIT framework. It might be worthwhile to give an explicit idea of the relationship of
COSO with other frameworks like COBIT and ITIL.

Overall conclusion:

We are very positive about the idea of presenting a fully revised COSO Internal Control-
Integrated Framework report after 20 years of developments. We hope that our
suggestions lead to even more improvements of the original COSO report than
those included in the new draft report.

Kind regards,

Drs. Henk den Boer RA

Also on behalf of
Drs. Remko Renes RA and
Prof. Luc. C. van Zutphen RA
