Internal Audit’s Role in Transitioning to the 2013 COSO Internal Control - Integrated Framework

The COSO, an independent private-sector initiative, is established to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence to improve organizational performance and governance, and to reduce the extent of fraud in organizations. The whole purpose of updating the existing framework was to increase its relevance in the increasingly complex and global business environment so that organizations globally can better design, implement, and assess internal control.

The first edition of COSO standards, established in 1992, is the principal standard that U.S. companies use to ensure compliance to the Foreign Corrupt Practices Act (FCPA) and with Section 404 of the Sarbanes-Oxley Act of 2001 (SOX).

 

NEW FRAMEWORK: WHAT’S RETAINED AND WHAT’S CHANGED?

The new framework retains the core definition of internal control, the objectives; the five components of internal control and its seventeen principles that continues to emphasize the importance of judgment in designing, implementing and conducting a system of internal control, and in assessing its effectiveness. The new framework codifies principles that support the five components of internal control, clarifies the role of objective-setting in internal control, reflects the increased relevance of technology, incorporates an enhanced discussion of governance concepts, expands the reporting category of objectives, enhances consideration of anti-fraud expectations, and increases the focus on non-financial reporting objectives.

THE 17 PRINCIPLES TO EVALUATE INTERNAL CONTROL OVER COMPLIANCE:

The framework is very adaptable to compliance. All 17 principles, under the five components, are presumed relevant for all entities and need to be present and functioning to have effective internal control.

 

CONTROL ENVIRONMENT

• Demonstrates commitment to integrity and ethical values
• Board of directors demonstrates independence from management and exercises oversight responsibility
• Management, with board oversight, establishes structure, authority and responsibility
• Integrate business processes with regulatory notifications or industry alerts
• The organization establishes accountability

 

RISK ASSESSMENT

• Specifies relevant objectives with sufficient clarity to enable identification of risks
• Identifies and assesses risk
• Considers the potential for fraud in assessing risk
• Identifies and assesses significant change that could impact system of internal control

 

CONTROL ACTIVITIES

• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures

 

INFORMATION & COMMUNICATION

• Obtains or generates relevant, quality information
• Communicates internally
• Communicates externally

 

MONITORING

• Selects, develops and performs ongoing and separate evaluations
• Evaluates and communicates deficiencies

 

POINTS OF FOCUS:

The new framework has outlined a certain points of focus to enhance the rigor of understanding of each principle. They are:

• It considers all structures of the entity (operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
• It designs and evaluates the reporting lines to manage the activities of the entity.
• It delegates authority and defines, assigns and limits authorities and responsibilities.

 

ROLE OF INTERNAL AUDIT IN TRANSITIONING TO THE NEW FRAMEWORK:

 

DEFINITION:

“In companies with formal internal audit functions (which can vary from an individual assigned with internal audit responsibilities to a formal department), the board of directors empowers the internal audit function to carry out its purpose, authority, and responsibilities with direct access to the audit committee and/or the board of directors. The board or audit committee is actively involved in reviewing the company’s risk assessment, ensuring that the internal audit plan provides adequate assurance on the adequacy of coverage of key risk areas, and overseeing internal audit compensation to ensure it is structured in a manner that supports the need for objectivity.”

The responsibility of leading the transition to the New Framework lies with internal audit department for various purposes including planning, conducting and reporting on riskbased audits. The role of internal audit can be summarized in two points:

 

ORGANIZE A PROJECT TEAM TO CONDUCT AN EVALUATION:

• Given the integral roles management, the audit committee, internal audit and other risk management functions play in an effective system of internal control, a coordinated approach to addressing the key changes in the COSO framework is important to an effective and efficient transition.

 

REVIEW/UPDATE INTERNAL AUDIT PLANS:

• Review internal audit plans and how they applied the 1992 edition of the framework. Internal auditors should also review in detail the changes made to this version and consider possible implications of those changes on audit plans, evaluations, and any reporting on the entity’s system of internal control.
   
• Revise the IA risk assessment methodology to address the 17 principles supporting the five components for achievement of the three objectives. Applying principles provides a basis for checking what’s covered and what’s missing across the business including dispersed and outsourced operations.
   
• Include reference of the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee.

 

CONCLUSION:

The internal audit team has to leverage the right technology solutions and use them as enablers for greater transparency and accountability for internal control and various internal audit functions. The New Framework also provides a new opportunity for internal audit committees to take a fresh look at internal control, create value for the organization and manage elevated expectations regarding internal control.