COSO Issues New Internal Control Framework

COSO Issues New Internal Control Framework

Blog Keeping Current: Disclosure and Governance Developments

Section 404 of the Sarbanes-Oxley Act and SEC regulations require public reporting companies to provide an annual management report on the effectiveness of the company’s internal control over financial reporting (ICFR). Most companies are also required to obtain annual ICFR audits by their external auditors. The evaluation, and when required, the audit, must be based on a “suitable, recognized” control framework, and management and the auditor must identify that framework in their reports. Since the ICFR assessment rules came into effect, most companies have employed the Internal Control—Integrated Framework (Framework) issued in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the basis for their ICFR assessments.

On May 14, 2012, COSO released an updated Framework following a 2 ½ year deliberative process. The new Framework represents an updating, not complete overhaul, of the original Framework. COSO’s press release explains that “the updated Framework is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control.” One of the most significant changes in the new Framework is setting forth 17 principles, each of which is specifically assigned to one of the five components of a system of internal controls that were identified in the original Framework. The original Framework did not contain such principles or a requirement that any factors beyond the five components of internal controls be considered. (COSO also issued this executive summary of the new Framework.)

COSO stated that the original framework will be available until December 15, 2014, at which time COSO will “consider it superseded” by the new Framework. This suggests that companies assessing the effectiveness of ICFR as of the end of 2014 will have to apply the new Framework. During the transition period, which would include calendar year 2013, companies should disclose whether they employed the original or updated framework.

While the COSO Framework includes control elements that affect areas other than ICFR, such as operations and compliance, audit committees should focus on the parts of the Framework affecting ICFR. Audit committees should review with management and external auditors how the new Framework will affect their companies’ ICFR, management’s assessment of the effectiveness of ICFR, and (where required) the external auditor’s audit of ICFR.

More from this series


Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.