Section 404 of the Sarbanes-Oxley Act and SEC regulations require public reporting companies to provide an annual management report on the effectiveness of the company’s internal control over financial reporting (ICFR). Most companies are also required to obtain annual ICFR audits by their external auditors. The evaluation and, when required, the audit must be based on a “suitable, recognized” control framework, and management and the auditor must identify that framework in their reports. Since the ICFR assessment rules came into effect, most companies have employed the Internal Control—Integrated Framework (Framework) issued in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the basis for their ICFR assessments.
On May 14, 2012, COSO released an updated Framework following a 2½-year deliberative process. The new Framework is an update, not a complete overhaul, of the original Framework. COSO’s press release explains that “the updated Framework is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control.” One of the most significant changes in the new Framework is that it sets forth 17 principles, each of which is specifically assigned to one of the five components of a system of internal controls that were identified in the original Framework. The original Framework did not contain such principles or a requirement that any factors beyond the five components of internal controls be considered. (COSO also issued this executive summary of the new Framework.)
COSO stated that the original Framework will be available until December 15, 2014, at which time COSO will “consider it superseded” by the new Framework. This suggests that companies assessing the effectiveness of ICFR as of the end of 2014 will have to apply the new Framework. During the transition period, which would include calendar year 2013, companies should disclose whether they employed the original or updated Framework.
While the COSO Framework includes control elements that affect areas other than ICFR, such as operations and compliance, audit committees should focus on the parts of the Framework affecting ICFR. Audit committees should review with management and external auditors how the new Framework will affect their companies’ ICFR, management’s assessment of the effectiveness of ICFR, and (where required) the external auditor’s audit of ICFR.