June 2013

Internal Control – Integrated Framework, is a new framework for fraud deterrence that was recently released by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”).  It provides expanded practical advice regarding effective implementation of internal controls.  COSO is a joint initiative of five private sector organizations with a shared interest in enterprise risk management, internal control and fraud deterrence.  The sponsoring entities are the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Association of Accountants and Financial Professionals in Business, and the Institute of Internal Auditors.  In addition to the weight provided by the influence of the sponsoring entities, the framework has also been influenced by participation from regulators such as the Federal Deposit Insurance Corporation (“FDIC”), Government Accountability Office (“GAO”), International Federation of Accountants (“IFAC”), Public Accounting Oversight Board (“PCAOB”), and Securities Exchange Commission (“SEC”).

The new framework was honed over 2 ½ years and expands on an original framework released in 1992. While the core components remain intact, it provides additional explanations as well as expanded guidance to account for advances and changes in the business environment.  The continued goal is to enable organizations to “effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.”

As defined in the framework, Internal Control consists of five integrated components and 17 principals, summarized in part below:

1. The Control Environment

a. “The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top….The control environment comprises the integrity and ethical values of the organization…”.

b. Related principals are:

i. “The organization demonstrates a commitment to integrity and ethical values.

ii. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

iii. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

iv. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

v. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”

 2. Risk Assessment

a. “Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing

[external and internal] risks to the achievement of objectives [and are] considered relative to established risk tolerances.”

 b. Related principals are:

i. “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

ii. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

iii. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

iv. The organization identifies and assesses changes that could significantly impact the system of internal control.”

 3. Control Activities

a. “Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be pre