The COSO framework, which stands for Committee of Sponsoring Organizations of the Treadway Commission, is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.
The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.
As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.
Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also pressing banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplements the five components held over from the 1992 framework. These components and their associated principles are:
Control environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority and responsibility
- Demonstrates commitment to competence
- Enforces accountability
Risk assessment
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
Control activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
Information and communication
- Uses relevant information
- Communicates internally
- Communicates externally
Monitoring activities
- Conducts ongoing or separate evaluations
- Evaluates and communicates deficiencies
Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.
Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each of the principles above (for example, “assesses fraud risk”) and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.
A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.
Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.
If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or an undocumented control. Many apparent gaps are often the result of missing documentation, not necessarily missing controls.
At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or whether new controls are necessary to fill the gaps left by the missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.
The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.