Does your company have effective internal controls in place? In today’s regulatory environment, implementing and maintaining a strong system of internal controls is more important than ever. This is especially true if your company is required by federal law to file annual reports on the adequacy of its internal control systems.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a framework for ensuring adherence to a strong internal control structure.
Internal Control — Integrated Framework contains 17 principles of an effective internal control system. In addition to these broad principles, there are 77 “points of focus” to support implementation and maintenance.
The COSO framework can benefit any company, but it is particularly relevant for public companies subject to Section 404 of the Sarbanes-Oxley Act (SOX). Sec. 404 requires a public company’s management and external auditors to report annually on the adequacy of internal controls over financial reporting. (Currently, smaller public companies with a public float of less than $75 million are exempt from this requirement. The SEC has a proposed rule to expand this expected to be issued in 2020.)
Most public companies subject to Sec. 404 have used COSO’s framework to implement internal controls and evaluate their effectiveness.
COSO is an independent body jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).
The COSO framework is built around five interrelated components:
- Control environment. This is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment. This is a process for identifying and assessing risks related to achievement of a company’s objectives.
- Control activities. These are actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, business performance reviews and segregation of duties.
- Information and communication. This is the flow of information necessary to support the internal control function. It includes effective upstream and downstream communication within a company as well as communication with external parties such as customers, suppliers, regulators and shareholders.
- Monitoring. This is the ongoing evaluation of the internal control system’s performance over time.
A company’s internal control systems are considered effective only if all five of these components (along with the relevant principles) are both “present” and “functioning.” In other words, it’s not enough to design and implement a system that incorporates these components and principles. Your company also must ensure that they operate together in an integrated manner and “continue to exist in the conduct of the system of internal control to achieve specified objectives.”
The framework is designed to recognize the complex, global and technologically driven business and operating environments. Further, the principles recognize that today’s investors and other stakeholders demand greater transparency and accountability. In response, the framework includes:
- A detailed discussion of the need to consider potential fraud in assessing a company’s risks,
- Emphasis on globalization of markets and business operations,
- Guidance on the impact of information technology on business processes and reporting,
- Details on a company’s responsibilities when outsourcing service providers, and
- Expansion beyond external financial reporting to also include nonfinancial and internal reporting.
The framework is principles-based and allowing directors and management to exercise judgment in designing, implementing and ensuring adherence to internal controls that are appropriate for the company and its operating environment.
COSO provides 77 “points of focus” spread across the 17 principles to help facilitate designing, implementing, and conducting internal controls. These are specific items to consider when evaluating the presence and coverage of controls over a COSO principle. For example, for the principle: “Demonstrates commitment to integrity and ethical values,” there are four supporting points of focus:
- Sets the tone at the top;
- Establishes standards of conduct;
- Evaluates adherence to standards of conduct; and
- Addresses deviations in a timely manner.
Depending on a company’s facts and circumstances, making the transition to the framework can take time, so it’s a good idea to begin the process as soon as possible. Start by familiarizing yourself with the 17 principles and other guidelines, such as the 77 points of focus. Then, evaluate the current state of your internal control system and develop a plan for correcting any weaknesses. Weaver can assist you in implementing or adhering to the 17 principles in order to develop the strong internal control system your company needs.
If you would like more information about implementing or making the transition to the COSO framework, contact Weaver today.
Update: Final Rule Issued March 12, 2020
On March 12, 2020, the SEC adopted as final the 2019 proposed amendments designed…
A stable system of internal controls translates into more reliable financial reporting and can help companies prevent, detect and…