As entities of all sizes and types prepare for and face increasing challenges in today’s business environment, frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) continue to offer foundations that position and support organizations for successful futures. COSO, whose sponsors include the AICPA, is a voluntary private-sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence.
The updated COSO 2013 Integrated Control Framework
An important development in the internal control landscape launched in 2013 with COSO’s release of an update to its integrated framework. COSO’s popular original internal control framework, released in 1992, was accepted by the SEC as a framework for attesting to internal control over financial reporting as required by the Sarbanes-Oxley Act of 2002 (SOX). The five main components of the original framework remain the foundation for the updated framework:
information and communication
Taking an integrated approach to its original internal control framework, COSO sought to increase the framework’s relevance in the increasingly complex and global business environment and to help organizations worldwide better design, implement and assess internal control.
The articulation of 17 specific principles spread across the five main components of internal control is the most significant new development in COSO’s new framework. As in the past, the five components need to be functioning—and functioning together—for internal control to be present.
Each principle is accompanied by explicit points of focus designed to help users evaluate whether the principle is present and functioning. Although some points of focus don’t apply to all users and all situations, they will help organizations understand with greater specificity the way the more general principles are supposed to be evaluated.
With the 2013 update, COSO sought to provide organizations significant benefits; for example, increased confidence that controls mitigate risks to acceptable levels and reliable information supporting sound decision making. To that end, COSO also offered a new definition of enterprise risk management (ERM),emphasizing the relationship between risk and value and focusing on the integration of ERM throughout management, linking it to decision-making.
The COSO 2017 Enterprise Risk Management – Integrated Framework
The 2017 update to the Enterprise Risk Management - Integrated Framework addressed the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The update highlights the importance of considering risk in both the strategy-setting process and in driving performance.
Later, COSO evolved its guidance for organizations confronting environmental, social, and governance (ESG)-related risks. Guidance for Applying Enterprise Risk Management (ERM) to Environmental, Social and Governance (ESG)-related Risks was issued in partnership with the World Business Council for Sustainable Development and sought to help organizations strengthen their resilience as they are faced with frequent and severe ESG-related risks ranging from extreme weather to product safety recalls. The text aligns with COSO’s “Enterprise Risk Management—Integrating with Strategy and Performance” document, which organizations use to improve their risk management approaches.
To support organizations in their efforts to implement the framework, the AICPA and COSO released the Internal Control - Integrated Framework and Compendium Bundle (2013). This four-volume bundle contains COSO's new Internal Control - Integrated Framework, its executive summary, and appendices. In addition, the bundle contains Illustrative Tools for Assessing a System of Internal Control and Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples. The bundle also includes a link to an Excel file containing four different, customizable templates from the illustrative tools, including overall assessment, components, principles, and deficiencies.