COSO Internal Control Integrated Framework - 17 Principles

In the last issue of the Briefing, I discussed the changes in the COSO framework.  The updated framework provides attributes, explanations, and examples of how the 17 principles fit into the control component.  In this article I will define and describe the 17 principles and how they work in consonance to effect change.

The COSO cube has long been used as an illustration tool for demonstrating the relationship between the control components (listed on the front of the cube), the organizational objectives (listed on the top of the cube), and the organizational units (listed on the side of the cube).  An examination of the updated cube versus the original cube reveals that the primary change is reflected in the organizational objectives. 

“Financial Reporting” has now become simply “Reporting.”  This change in illustration is meant to reflect the broadening of the reporting category to include nonfinancial reporting, both internal and external.  This change should make the framework more flexible and useful to users.

Value proposition COSO asserts the following value proposition. “The changes will enhance performance with greater agility, confidence and clarity.  The updated Internal Control Integrated Framework (ICIF) better supports efforts to design and adapt systems of internal control.”

One might easily see how the broadening of the reporting category would lead to greater agility and the codification of the seventeen principles would offer greater confidence and clarity.

Benefits In addition, COSO claims the following benefits will accrue to users of the updated framework. • Improvement of governance • Expansion of the use beyond financial reporting • Improvement in the quality of risk assessment • Strengthening of anti-fraud efforts • Adaption of controls to changing business needs • Greater applicability for various business models

Like the value assertion it is easy to believe that the updated framework will produce the benefits COSO claims that it will.  Expansion of the reporting aspect of the framework is an obvious benefit since the updated framework explicitly states that will occur.  Other benefits such as “Improvement of governance” and “Improvement in the quality of risk assessment” can be inferred from the codification of the principles.  The true test of benefits will be in the actual use of the updated framework.  The skill and commitment of the users will no doubt play a role in the number and type of benefits manifested from the updated framework.

Expected Finalization COSO expects to complete the final version of the updated framework sometime in the first quarter of calendar year 2013.  A press release posted on the COSO web site stated that the original final release date was expected to occur in the fall of 2012.  The reason for the push-back in release time was unclear and it is by no means certain that another delay will not occur.  University System of Georgia colleges and universities operate on a fiscal year that runs from July through June. 

If the final release occurs in early January, the fiscal year will be half over.  If the release occurs in late March, the fiscal year will be three quarters complete.  At that juncture, it will likely be impractical for USG schools to take any significant action on the updated ICIF.  It might be more appropriate for USG audit shops to initiate conversations regarding the updated ICIF.  These conversations could begin among the audit group itself and naturally expand to interested members of the campus community.  These members might include the executive staff (President, Vice President, Provost, etc.), any risk management group on campus, any legal officers on campus, and any other persons or offices that might be involved in control establishment or risk mitigation.  Any action these groups deem appropriate would most likely begin no earlier than fiscal 2014.

Further information Don’t take this brief article as the final word on this matter.  Arm yourself with information and knowledge.  To get this information go to www.coso.org.  There you will find the draft version of the new framework.  Be forewarned, the document is over 150 pages in length.  You will also find: comment letters from interested parties, an FAQ section, PowerPoint presentations offering explanations of the process, and press releases.  This documentation should allow you to make an informed decision about how the updated framework may affect your institution.  You will then be able to decide what action, if any, your campus needs to pursue. 

David Randy Pearman Georgia

Institute of Technology

Associate Director of Internal Auditing

Randy.pearman@business.gatech.edu     ​