Updates to the COSO Internal Control – Integrated Framework: Breakdown of What it Means for Management

By: Scott Price, Managing Partner of A-LIGN

On May 14, 2013, COSO’s board issued an updated version of its “Internal Control – Integrated Framework,” originally published in 1992. The updated Framework incorporates input from various organizations, including the American Institute of Certified Public Accountants, the Institute of Internal Auditors, public accounting firms, and regulators. The revised Framework is intended to help entities reduce risk, improve compliance, and strengthen internal control.

Some of the major changes include the following:

  •  Considerations related to changes in business, operating, and regulatory environments
  •  Expanded financial reporting objectives to include other important forms of reporting
  •  Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives
  •  The addition of 17 principles underlying the original five components of internal control

Additionally, the new Framework classifies internal control deficiencies into two tiers:

  •  Major deficiency: A deficiency, or combination of deficiencies, severe enough to adversely affect the likelihood that an entity can achieve its objectives
  •  Internal control deficiency: A shortcoming in a relevant principle or component with the potential to adversely affect the ability of the entity to achieve its objectives

How does the COSO Framework apply to SOC 1?

A SOC 1 engagement focuses on the five components of an internal control process designed to achieve certain objectives, one of which is external financial reporting. The recipients of a SOC 1 report (the user organizations) will likely be evaluating their own internal control systems against the same five COSO components. Therefore, a SOC 1 report fits directly into the user organization’s description of its internal control system.

The five COSO components under the updated Internal Control – Integrated Framework are:

  1.  Control environment
  2.  Risk assessment
  3.  Control activities
  4.  Information and communication
  5.  Monitoring activities