COSO Committee of Sponsoring Organizations of the Treadway Commission
In the two decades since the publication of the original framework in 1992, a number of factors have pointed to the need for an update on what to consider in establishing a sound control environment. There is now greater complexity in business models, with enterprises extending to a wide network of third parties and business partners that are not only accountable for delivering results but also for adhering to expected standards that the organization seeks to uphold. The multiple structures that define organizations today, whether by product line, geography, legal entity, or some other factor, require a flexible and multidimensional approach to governance and control and the ability to report accordingly.
Today, there is an increased need for transparency of how the organization operates and governs itself; reporting now extends beyond financial performance; risk discussions are expected to be more robust and detailed; corporate social responsibility reporting matters more to stakeholders; and the pace for publishing such information has accelerated. Changes in expectations of governance as a result of regulatory developments, listing standards, and other stakeholder requirements have mandated certain structures and processes. These include independence of board members, disclosures of skill profiles, processes for board and audit committee evaluation, and alignment of incentives, pressures, and rewards to ensure the right behavior is promoted and negative behavior is corrected. All of this is designed to keep pace with the evolving risk profile of the organization.
In the updates to Chapter 5, the Control Environment, key changes include:
- Combining into five principles the discussions relating to integrity and ethical values, commitment to competence, board of directors or audit committee, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices
- Explaining linkages between the various components of internal control to demonstrate the foundational aspects of the control environment for a sound system of internal control
- Expanding the discussion of governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities
- Clarifying the expectations of integrity and ethical values to reflect lessons learned and developments in ethics and compliance (e.g., codes of conduct, the attestation process, whistle-blower processes, investigation and resolution, and training and reinforcement both internally and with third parties)
- Expanding the notion of risk oversight and strengthening the linkages between risk and performance to help allocate resources to support internal control in the achievement of the entity's objectives
- Emphasizing the need to consider internal control across the complexities in organizational structure resulting from different business models and the use of outsourced service providers, business partners, and other external partners
- Aligning roles and responsibilities discussed in organizational structure with the information presented in Appendix B, Roles and Responsibilities, so that major roles are used consistently within the Framework.
Since 1992 the attention given to risk and the risk assessment component of internal control has continued to increase, with risk and control being more closely aligned. Consequently, many organizations have shifted their thinking away from being prescriptive to taking a more risk-based approach to internal control. Some users of the original framework suggested that updates were needed to further enhance the understanding of risk and its link to the overall system of internal control. As companies embrace risk management and enterprise risk management programs, they are also seeking greater clarity of how risk assessments are considered in the context of internal control, and what aspects of risk management remain incremental to internal control.
Users also noted that almost half of the original chapter on risk assessment focused on objectives, and that this focus was not needed if objective-setting was truly a precondition to internal control. Many organizations have expanded their reporting efforts, moving to include many other types of external reporting beyond just financial reporting. Finally, often in response to events occurring within their organizations, industry, or within the general business community, and as a result of expanding legislative pressures in some jurisdictions, many organizations have also increased their anti-fraud efforts.
Therefore, Chapter 6, Risk Assessment, reflects these key changes by:
- Repositioning much of the discussion on objective-setting, which continues to be viewed as a precondition to risk assessment, to Chapter 2, Objectives, Components, and Principles, and no longer including the discussion on categories of objectives, linkage between objectives, and achievement of objectives in the Risk Assessment component
- Focusing the Risk Assessment component on articulating objectives relating to operations, reporting, and compliance with sufficient clarity so that any risks to those objectives can be identified and assessed, and considering the need to assess the suitability of objectives for use as a basis for assessing effectiveness
- Broadening the financial reporting category of objectives to include other aspects of external reporting and to include internal reporting
- Reflecting the view that non-financial reporting is conducted in relation to an external requirement or standard
- Clarifying that risk assessment includes processes for risk identification, risk analysis, and risk response
- Expanding the discussion on risk severity beyond impact and likelihood to include velocity and persistence
- Incorporating risk tolerances (set as a precondition to internal control and pertaining to the level of acceptable variation in performance and the relative importance of objectives) into the assessment of acceptable risk levels
- Expanding the discussion on management needing to understand significant changes in its internal and external factors and how those might impact the overall system of internal control
- Considering fraud risk relating to material omission or misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process
Since 1992, the evolving role of technology in business has perhaps been most evident in the implementation of control activities. While the fundamental concepts around control activities put forth in the original framework have not changed, technology has changed many of the details. Today, information technology is much more integrated into business processes throughout any entity. The variety of technologies being used at most entities has mushroomed beyond largely centralized information systems in an organization's own data center to myriad decentralized, mobile, intelligent and web-enabled technologies, which are increasingly located at third-party service organizations. Also, the recent focus on improving controls in organizations, which has been provoked by the marketplace and regulation, has led to a deeper understanding of how control activities are effectively designed and implemented.
Therefore, within Chapter 7, Control Activities, key changes include:
- Broadening the discussion to reflect the evolution in technology since 1992 (e.g., replacing data center concepts with a more general discussion on the technology infrastructure)
- Expanding the discussion of the relationship between automated control activities and general controls over technology to reinforce the linkages to business processes, with the details on automated control activities and general controls over technology separated into discrete sections to clarify the distinction between the two
- Expanding the discussion that control activities constitute a range of control techniques while providing a more detailed description of these types and techniques, and a way to categorize them; distinguishing transaction-level controls from controls at other levels of the organization; and discussing information-processing objectives in more detail
- Updating the discussion on general technology controls to focus more on the universal concepts of what needs to be controlled in this area rather than specifics applicable to 1992 technology
- Clarifying that control activities are actions established by policies and procedures rather than being the policies and procedures themselves
The source, volume, and form of information and communication have expanded dramatically since 1992. Information sources have grown more diverse and complex, spanning external parties that support all or part of an organization's business processes (e.g., outsourced service providers, joint ventures) and internal and external networks designed to create unstructured information-sharing mechanisms (social media).
The volume of information, particularly in the form of raw data, accessible to and collected by organizations, creates both opportunity and risk. The scope of regulatory regimes has created greater demand for information, greater expectations for quality and protection, and greater requirements for communication. And, as organizations and business models have become more complex in structure and geographic reach, quality information and its communication within the organization have become an imperative. Additionally, the free flow of information within the organization, which allows management and employees to understand new or changed events or circumstances, re-evaluate risks, and modify the internal control system, has become more critical as the legal, management, and functional structures of business entities have become more complex.
Within Chapter 8, Information and Communication, key changes include:
- Emphasizing the importance of the quality of information
- Expanding the discussion of the expectations for verifying information to its source and for retaining it when it is used to support reporting objectives to external parties
- Expanding the discussion on the impact of regulatory requirements on the reliability and protection of information
- Expanding the discussion on the volume and sources of information in light of the increased complexity of business processes, greater interaction with external parties, and technology advances
- Reflecting the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information
- Adding content on the information and communication needs between the entity and third parties, emphasizing the importance of considering how processes may occur outside the entity (e.g., by the use of third-party service providers that manage specific processes) and how the entity needs to obtain information from and communicate with parties that operate outside its legal and operational boundaries
In applying the original framework, users often focused monitoring efforts extensively on control activities. With the change in regulatory reporting requirements in many jurisdictions, organizations have begun to consider monitoring in its broader and intended context—assisting management in understanding how all components of internal control are being applied and whether the overall system of internal control operates effectively. To enhance internal consistency among components in the Framework and make the discussion more actionable, the title of this component has been updated to Monitoring Activities and the discussion has been enhanced.
The changes to the principles in the Framework will not substantially alter the approaches developed for COSO's Guidance on Monitoring Internal Control Systems.
Within Chapter 9, Monitoring Activities, key changes include:
- Refining the terminology, where the two main categories of monitoring activities are now referred to as "ongoing evaluations" and "separate evaluations"
- Adding the need for a baseline understanding in establishing and evaluating ongoing and separate evaluations
- Expanding the discussion of the use of technology and external service providers