By: Scott Price, Managing Partner of A-LIGN
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its “Internal Control – Integrated Framework” in May, 2013. The changes are a progressive move to align its framework with today’s business operating environment, much like the change from SAS 70 to SOC 1/SSAE 16. As technology and business practices evolve, organizations need updated guidance on how and what to address in their internal controls.
As a SSAE 16 report is focused on the five components of an internal control process (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring), organizations receiving a SSAE 16 report will need to consider updating their internal controls to reflect the revised COSO framework. Organizations should review the updated seventeen principles outlined in the framework, as they are now considered suitable for all organizations. Management does have the ability to review those principles and determine if one is not relevant to their business environment; however this should be rare in practice.
To provide an overview of the updates, we’ve outlined the seven key changes and some transition thoughts to assist your organization in planning and moving to the updated COSO framework.
Key Changes that Impact Your SSAE 16 Report
Technology: The hardware and software that was relevant in 1992, is now considerably out of date in the 21st century. Since technology evolves and changes rapidly, the framework now includes more focus on technology in each component and principle. There is also a broader focus on the impacts of technology on the five components of an internal control process and not the specific type of technology itself.
Governance: The roles of the Board of Directors, Audit Committees, or those that are charged with the governance of their organization have been clarified in the updated framework.
Outsourcing: As more and more companies are outsourcing parts of their business (i.e. IT management, cloud computing data centers, or other third party processes) the framework has been updated to expand guidance related to the use of outside vendors.
Reporting: The financial reporting objective was clarified when internal control supports other forms of reporting for stakeholders. The rising demand for relevant information and quality reporting drove the need to update this area.
Globalization: In today’s business environment, global market reach is commonplace rather than limited to the fortunate few. Thus, the framework now includes guidance for businesses operating in the global arena (e.g. principles relating to structures, reporting lines, authorities, and the identification and assessment of risk).
Business Changes: The framework was updated to address organizations’ constant need to adapt to change internally and externally. Internal changes such as leadership change, business models, and new products or services can impact an organization’s internal control.
Fraud: Each organization must now assess fraud as part of their internal controls framework in Risk Assessment. Fraud risk could be fraudulent reporting, potential loss of assets, or corruption.
How the COSO update impacts your organization
As organizations read through COSO’s Internal Control – Integrated Framework, management needs to be educated on those changes. There are no specific controls identified for each of the seventeen requisite principles. However, management should map out their current controls to those principles to pinpoint any gaps from their current framework to the new framework. The controls identified can be used for your SSAE 16 report. A-LIGN can assist organizations in identifying areas that have weak internal controls. The overall goal of updating your organization’s framework for internal controls is to reduce risk.
If you have questions about how A-LIGN can provide a gap analysis and recommendations for your organization, please call: 888-702-5446 or email us at [email protected].