Internal Controls – Getting Current with the COSO 2013 Framework


By Clair A. Rood, Jr., Senior Managing Director | CBIZ MHM, LLC Salt Lake City and Brian Antonius, Senior Manager - Risk & Advisory Services | CBIZ

December 2, 2014

A lot has changed in the business world over the past 20 years: technology, globalization of business, and organizational relationships such as outsourcing and joint ventures, to name a few. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recognized these vast changes to the business environment and issued the COSO 2013 Internal Controls Framework, an updated version of the 1992 model.

Why is this important?

COSO is a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control. The COSO Internal Control framework is also the only framework that meets the criteria for the SEC’s acceptable framework for Sarbanes-Oxley. When COSO released the 2013 framework, it also considered the original framework superseded as of December 15, 2014. Thus, public companies that have internal control assessment responsibilities pursuant to Section 404 of SOX will need to be in compliance with the guidance and requirements of the COSO 2013 framework.

Back to the Basics

To understand what companies need to do to be in compliance with the new framework, we need to revisit the original framework. The core, or in this case the COSO cube, remains intact. The Framework Objectives (Operations, Reporting, & Compliance), the Framework Components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities) and the different levels of the organization (Entity Level, Division, Operating Unit, Function) all still exist, and the criteria used to assess the effectiveness of an internal control system are quite similar. Bottom line: All five components must be present and functioning and operating together when concluding that internal control over a particular objective is effective.

Key Changes to the New Framework

While the end goal remains the same, the 2013 framework added several enhancements designed to help companies address the evolution of the business environment along with their associated risks and to expand internal controls beyond just financial controls.

  • 17 Principles are now explicitly noted in the new framework. All 17 principles have to be present and functioning, and the five components must operate together in an integrated manner, for an effective system of internal control.

    Note: “Points of Focus” become important considerations when assessing the presence and functioning of a principle.
  • The reporting category of objectives has been expanded to include additional types of reporting such as external non-financial reporting, internal financial reporting, and internal non-financial reporting.
  • A separate principle has been established to consider risks related to fraud.
  • A separate principle has also been established to consider risk specifically related to technology as part of an organization’s control activities.
  • Management is responsible for controls over outsourced, third-party activities.
  • There is an increased emphasis on individual competence and accountability from the Board of Directors through Senior Management.

Transitioning to the New Framework

At CBIZ MHM, we believe there is not a one-size-fits-all approach to adapting and transitioning into the new framework. Many factors come into play, such as the size and complexity of the business and how well the company has kept its controls documentation up to date. To that end, we recommend the following transition to the new framework:

1. Gain Alignment, Develop Awareness & Expertise

This process doesn’t happen in a tunnel. It’s important to have subject matter experts in the company who understand the new framework and how it relates to your business. The team must understand the concept of internal control, the requirements of effective internal control and what would constitute a deficiency versus a major deficiency when evaluating the system.

2. Conduct an Impact Assessment

This is where the rubber meets the road. The principles should be mapped to the organization’s existing controls documentation, not directly to the five components. Next, the team must evaluate whether there are any gaps or deficiencies in the controls or documentation by determining if all of the elements of the 17 principles were addressed. Remember, for management to conclude that its system of internal control is effective, all relevant principles must be present and functioning and all five components must operate together in an integrated manner.

3. Define Gaps and Remediate

As gaps are identified, the team must address them by identifying additional controls or enhancements to existing controls. All internal control documentation should be updated throughout this process.
