Does your organization have effective internal controls in place? In today’s regulatory environment, implementing and maintaining a strong system of internal controls is more important than ever. This is especially true if your company is required by federal law to file annual reports on the adequacy of its internal control systems.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a framework for ensuring adherence to a strong internal control structure.
Internal Control — Integrated Framework contains 17 principles of an effective internal control system. In addition to these broad principles, there are 77 “points of focus” to support implementation and maintenance.
The COSO framework can benefit any organization, but it is particularly relevant for public companies subject to Section 404 of the Sarbanes-Oxley Act (SOX). Sec. 404 requires a public company’s management and external auditors to report annually on the adequacy of internal controls over financial reporting. (Smaller public companies with annual revenues of less than $100 million and a public float of less than $700 million are exempt from the auditor’s opinion on internal controls.)
Most public companies subject to Sec. 404 have used COSO’s framework to implement internal controls and evaluate their effectiveness.
COSO is an independent body jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).
The COSO framework is built around five interrelated components:
- Control environment. This is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment. This is a process for identifying and assessing risks related to achievement of a company’s objectives.
- Control activities. These are actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, business performance reviews and segregation of duties.
- Information and communication. This is the flow of information necessary to support the internal control function. It includes effective upstream and downstream communication within a company as well as communication with external parties such as customers, suppliers, regulators and shareholders.
- Monitoring. This is the ongoing evaluation of the internal control system’s performance over time.
An organization’s internal control systems are considered effective only if all five of these components (along with the relevant principles) are both “present” and “functioning.” In other words, it’s not enough to design and implement a system that incorporates these components and principles. Your organization also must ensure that they operate together in an integrated manner and “continue to exist in the conduct of the system of internal control to achieve specified objectives.”
The COSO framework is designed to recognize the complex, global and technologically driven business and operating environments. Further, the principles recognize that today’s investors and other stakeholders demand greater transparency and accountability. The framework includes:
- A detailed discussion of the need to consider potential fraud in assessing a company’s risks
- Emphasis on globalization of markets and business operations
- Guidance on the impact of information technology on business processes and reporting
- Details on a company’s responsibilities when outsourcing to service providers
- Expansion beyond external financial reporting to also include nonfinancial and internal reporting
The framework is principles-based, which allows directors and management to exercise judgment in designing, implementing and ensuring adherence to internal controls that are appropriate for the organization and its operating environment.
COSO provides 77 “points of focus” spread across the 17 principles to help facilitate designing, implementing and conducting internal controls. These are specific items to consider when evaluating the presence and coverage of controls over a COSO principle. For example, for the principle “Demonstrates commitment to integrity and ethical values,” there are four supporting points of focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner
Depending on your facts and circumstances, making the transition to the framework can take time, so it’s a good idea to begin the process as soon as possible. Start by familiarizing yourself with the five components, 17 principles, and 77 points of focus. Then evaluate the current state of your internal control system and develop a plan for correcting any weaknesses.
If your organization is new to COSO, see our introduction, Implementing the COSO Integrated Framework, which includes a self-assessment that will help you understand your organization’s current internal control maturity. Weaver can assist you in implementing or adhering to the 17 principles in order to develop the strong internal control system your company needs.
If you would like more information about implementing or making the transition to the COSO framework, contact Weaver today.
Updated as of September 16, 2022.