Comment Letter - COSO 2012 the Release of the New Internal Control-Integrated Framework
3 authors, including:
Remko Renes
Nyenrode Business Universiteit
All content following this page was uploaded by Remko Renes on 16 May 2018.
Dear COSO-Committee,
Since 1992 a lot of both have been adopted around the world in which the basics of
the COSO-report have been built in. Examples of this are global adoption of the
COSO framework within the International Standards on Auditing (ISA) and e.g. the
audit methodology of both internal and external auditors around the world. Revision
of the original COSO-report will have consequences for all kinds of documents all over
the world.
In general we are of the opinion that issuing a new draft COSO-report gives a good
opportunity to bring in some relevant (inter)national developments. After studying the
current new draft report we think that the final report should provide explicit
clarification at some major points.
1. Status of COSO-ERM
2. Neglecting the category of ‘safeguarding of assets’
3. The relationship with SOX and Corporate Governance requirements
4. Internal Control Assessment and Soft Controls
5. IT developments
1. Status of COSO-ERM
integral part of enterprise risk management. Where exactly the Internal Control
Framework fits into the ERM framework is not clear and also, vice versa, it is not
clear in the new draft-COSO-report how the ERM-report relates to the new draft-
report.
In Appendix D it is stated that the Appendix outlines the relationship between the
Internal Control Framework and the Enterprise Risk Management Framework. It is
said that Enterprise Risk Management is broader than internal control.
Strategic objectives are not included in the COSO Framework. We are of the opinion
that Risk Assessment also has to deal with risks as a result of the strategic choices.
It is our conclusion that ERM in fact should comprise two different parts:
1. Risks at a strategic level
2. Risks in the categories of: operations, reporting and compliance.
In our opinion the risks as mentioned under 2 are part of Risk Assessment as part of
the COSO Framework and they should be presented in that way.
Moreover we would support broadening the COSO Framework with Risk Assessment
based on the chosen strategy. A more explicit connection between the category risks
and objectives at a strategic level and the internal control objectives and risks in the
traditional three categories will provide an excellent aide for all those companies that
have implemented COSO ERM for management purposes and apply COSO 1992
for compliance purposes.
When both parts of the ERM Framework are dealt with in this way it will be possible
to make a consistent total framework.
With the current draft COSO report it is still not clear what a consistent total
framework looks like. We consider that a missed opportunity.
2. Neglecting the category of ‘safeguarding of assets’
In 1994 an Addendum was issued with regard to the part ‘Reporting to External
Parties’ and more specifically with regard to the aspect of safeguarding of assets.
This was based on suggestions made by some parties including the U.S. General
Accounting Office.
Since then, the aspect of safeguarding of assets has been brought into the law in a lot of
countries other than the US (e.g. in Government Regulation Nr. 60/2008 in
Indonesia: Art.1.1: … security of state assets..,). In those countries the aspect of
safeguarding of assets is a normal part of the definition of internal control.
The aspect of safeguarding of assets as set out in the current draft COSO
Framework (see principle 8, par. 258) neglects in this respect these international
developments.
3. The relationship with SOX and Corporate Governance requirements
Since the publication of the Cadbury Report in 1992 (The Financial Aspects of
Corporate Governance) Corporate Governance regulation both in formal law (e.g.
Sarbanes-Oxley Act) and in informal law (codes) has raised attention for internal
control and in-control statements. The COSO 1992 framework is globally perceived
as the world standard for both management and auditors involved in internal control
audit and disclosure. Internal control has become an important subject, and COSO is
on the table within boardrooms around the world.
In our opinion the COSO Internal Control Framework will benefit when the
relationship between internal control and corporate governance at large is detailed
more explicitly than in the current COSO exposure draft. This will especially be the
case when the tone at the top – emphasised in the COSO framework – is the result
of primarily those responsible for governance. It is our opinion that COSO then will
become a more valuable tool for those involved in governance at companies around
the world.
4. Internal Control Assessment and Soft Controls
We would welcome a clear message in the COSO final revised framework as to how
soft controls can be applied to contribute to an effective internal control system.
5. IT developments
The meaning and the use of IT is considered in all of the 5 components of the new
draft COSO-report. Principle 11 mentions specifically ‘general control activities over
technology’. A lot of examples are modern and practical and clearly part of the total
system of controls.
Compared to the 1992 edition this is in our opinion an important supplement and
improvement. A consequence of the choice of a ‘principle based framework’ is the
absence of a structured approach to IT controls.
In our opinion it would be desirable if the new COSO-report gave guidance
on that topic. Especially in the light of the forthcoming 5th revised edition of the
COBIT framework. It might be worthwhile to give an explicit idea of the relationship of
COSO with other frameworks like COBIT and ITIL.
Overall conclusion:
We are very positive about the idea of presenting a fully revised COSO-Internal Control
Integrated Framework report after 20 years of developments. We hope that our
suggestions lead to even more improvements of the original COSO-report than
included in the new draft report.
Kind regards,