In 1992, the Committee of Sponsoring Organisations of the Treadway Commission, COSO, introduced its Internal Control – Integrated Framework with the aim of helping organisations achieve operational objectives, better reporting and compliance. Most companies then did not have the sophisticated internal controls that are widely applied today. What was generally used was a list of controls for auditors to check against. Electronic data exchange was only just beginning to gain traction, and many financial reporting regulations were yet to be written. While it was a good start to addressing a complicated matter, the COSO framework had limitations.
It was broad-based for easier application across a wide range of industries and processes but with time, technological advances and the dynamics of the business environment, it became less effective. Also, many users found that the framework could only work properly if a strong, formal control environment could be established; this was not always possible, particularly where the organisation had complex operations or was present in multiple jurisdictions which all had their respective regulatory environments. Small businesses, especially, felt overwhelmed by the scope of the framework, and abandoned it for systems that were easier to follow.
More than 25 years after the debut of this first framework for internal audit improvement, the COSO board saw the necessity for updates to make it more relevant and user-friendly amid the business environment of the 21st century. A two-year revision process thus resulted in COSO’s 2013 Internal Control – Integrated Framework, intended to provide more guidance for implementation and help to organisations. The update was necessary because of the radically changed business landscape. In the two decades since the Framework’s introduction, big businesses had failed because of ineffective risk management and ineffective internal controls.
These economic and financial debacles spurred the move for better internal control over financial reporting, better corporate governance, better compliance and increased transparency of company workings. The 2013 Framework focuses on the role of the Board, and that of the audit committee, in overseeing internal control. With COSO 2013, internal audit is key to making things work. As the organisation’s control experts, auditors may well find themselves at the forefront of the upgraded Framework, as internal audit extends further over compliance and operations. This will require auditors to develop a comprehensive understanding of the Framework’s key features and principles, and communicating them to management, the board audit committee and board of directors.
The revised framework comes at a time of heightened scrutiny from regulators and other stakeholders, who want to see better oversight and review of governance procedures from the Board and management. This is linked to greater overall accountability, particularly over the performance of senior management such as the CEO and CFO, who are held to account by the Board. The updated COSO framework provides focus on operations, compliance and non-financial reporting objectives. Audit committees will be spending more time with the CFO, the accounting department, internal and external audit to strengthen fraud measures, and overcoming reporting shortfalls and errors.
How should the audit committee go about this? They should first consider the five embedded principles which are applicable to the control environment, according to COSO, i.e.: demonstrate commitment to integrity and ethical values; exercise oversight responsibility; establish structure, authority and responsibility; demonstrate commitment to competence; and establish accountability. To be able to do all this, the audit committee should develop a good working relationship with the CFO, and be proactive about discussing issues and challenges. Ideally, the Board member chairing the audit committee should review materials and set the agenda for its meetings.
The focus here should be on the results of due diligence or matters arising from reports on issues pertaining to the internal control environment, integration timelines for systems, and the risk management process. Significant issues and transactions should be discussed, as well as related disclosures; committee members should express their observations and concerns. Audit committees should look out for indications where internal controls may not be present or are not functioning optimally, and determine the improvements needed, to meet the objectives of the principles. Documentation should be detailed; any reports for release should first be reviewed by the audit committee for consistency.
The Framework also addresses fraud more comprehensively, assessing it as part of internal control and including it in compliance and operations risk assessments. With the focus on fraud, whistleblowing programmes may also come under the purview of the audit committee. There is also increased emphasis on professional judgement, particularly when evaluating whether or not effective internal control has been achieved. Applying the 2013 COSO Framework may be helpful in addressing the numerous risks that Boards and audit committees oversee but it still has limitations. For example, human error and bad judgement will still cause failure in internal controls.
The Framework may be applied in different areas, including in managing risks related to environmental, social and governance (ESG) issues. It allows management to consistently define, implement and monitor control structures and improve the risk management process. Correctly applied, it can help audit committees develop effective organisational oversight programmes that will improve the effectiveness of internal control, and lead to more efficient operations, better compliance, and more robust internal and external reporting.