
Prepare for the 2013 COSO Internal Control Framework—Start Now


DESCRIPTION

For the first time in almost 12 years, companies that comply with COSO will need to update their internal control frameworks. A revised structure and plan ideally should be in place by summer of 2014 in order to seamlessly transition ahead of the December 15, 2014, deadline. Is your company prepared to handle the transition from COSO92 to COSO2013 by the December 2014 deadline? In a recent article featured in AFP Exchange magazine, Amy Ribick, manager, risk advisory services at Brown Smith Wallace, explains the significant changes in the COSO update and a three-phased approach to implementation.


AFP Exchange, November 2013

For the first time in nearly 12 years, companies that comply with COSO will need to update their internal control frameworks. Developed by the Committee of Sponsoring Organizations of the Treadway Commission, COSO will change to a new framework in December 2014—and it’s expected that preparing will take between three and nine months.

While publicly traded companies typically use COSO to assist in the evaluation of internal controls over financial reporting, all companies may leverage COSO for their overall internal control framework. COSO provides an approach to designing, implementing and evaluating effective internal controls to help ensure the achievement of a company’s strategic, financial, operational and compliance objectives.

Though the essence of the framework has remained the same, the mind-set has changed, and companies need to be aware of the timeframe to comply.

Understanding how much time it will take your company to implement the revised framework is key—not only for those directly involved but for top management and other employees as well, as this will impact a variety of areas within a company.

Risk Column

Start Now: Preparing for the new COSO internal control framework

Amy Ribick


The new COSO

The goal of the updated internal control integrated framework is to provide greater clarity and guidance related to the design and implementation of an effective internal control system. While the essence of the COSO has not changed, the original framework has been streamlined and underlying principles have been added, which contain specific areas of focus.

The most significant changes in the update are the 17 principles that have been articulated to help assess the internal control environment. Within the principles lie 79 points of focus to provide further guidance on what organizations should consider when evaluating their environment. The new framework also better reflects the technology and globalization we have seen in the past few decades that have become an important part of the business environment, as well as the complexities in laws, regulations and standards that continue to increase.

Another key part of the new framework is the focus on corporate governance, technology and fraud awareness. For several years the focus has been on financial reporting controls, but internal controls are broader and intended to address other important business objectives, such as fraud or internal reporting, used by management to make key decisions.

5 Steps to COSO Transition Success

Transition timeline: Prepare a project plan and timeline for transitioning to the new COSO framework. Businesses should estimate at least three to nine months to properly plan and implement the transition.

Stakeholders: Identify the stakeholders in your organization that should be aware of the COSO framework updates. The board of directors, top management, personnel, and internal and external auditors are stakeholders that could be impacted by internal control changes.

Current framework: Evaluate whether the current framework is applied effectively throughout the organization today. The way businesses operate today has drastically changed since the original COSO framework was published in 1992. New business models, evolving technology, changing regulatory requirements and other challenges require a system of internal control that can quickly adapt to changes in business, operating and regulatory environments. How your business has changed and the implications of that on your internal control system are important discussions to be had.

Internal control education: Educate the various departments and key stakeholders on their ownership and responsibilities and the importance and relevance of internal controls. Internal controls are important to all areas of your business. As an example, fraud risks exist in all areas of an organization, not just in financial reporting. So it’s important that each department understands the five integrated components that make up internal control—control environment, risk assessment, control activities, information and communication and monitoring activities—and how these address objectives within their specific area of responsibility.

Well-planned transition: Determine the internal budget and expertise needed and available to support the transition. Keep in mind that external assistance is available and can be helpful to assist with meeting the deadline.

Since there has been so much focus in recent years on internal control over financial reporting, many people assume that that is where controls are needed. Of course, numbers reported erroneously or fraudulently will have an impact on the business. But the COSO framework points out that bad business decisions and fraudulent activity can occur in any aspect of the organization, not just those related to financial reporting. It will be vital to educate employees throughout the organization on the importance of sound internal controls so that everyone is on the same page and working toward the same goals.

In addition, companies will need to provide evidence, documentation and support of their internal control methodology and risk assessment processes, and demonstrate how these principles have been addressed within the organization. Ideally, companies can take this exercise as an opportunity to identify additional efficiencies and improve existing systems and processes.

This is a big undertaking that companies ideally need to start addressing now in order to ensure compliance and take advantage of the opportunity to improve the efficiency and effectiveness of their internal control environment. During the transition period, organizations will have to state whether they are using the 1992 framework or the updated version.

Preliminary deadline needed

A revised structure and plan ideally should be in place by summer of 2014 in order to seamlessly transition ahead of the December 15, 2014, deadline—after which time COSO will consider the old framework expired.

Companies need to address whether they can make this transition alone. Many have the necessary skills to handle the transition internally. However, others may struggle with finding the resources and the time to devote to this transition.

There can be several advantages to utilizing external resources such as helping facilitate the transition process, allowing management and key members of the team to focus on their day-to-day responsibilities. It also provides companies with an independent, third-party perspective that may allow for the identification of opportunities to improve existing practices.

When assembling a team, it is important to include people from all areas of the organization to ensure the transition is viewed from a variety of angles. Particular attention needs to be directed to the principles and points of focus attached to each portion of COSO.

Phase 1 - Education and Identification

  • Educate leadership and your organization about the importance of the COSO transition
  • Identify key stakeholders to assist with the COSO transition

Phase 2 - Assessment

  • Perform an in-depth gap assessment of COSO 92 to COSO 2013
  • Evaluate additional internal control opportunities

Phase 3 - Implementation

  • Develop a project plan to address gaps and opportunities identified
  • Monitor project plan accordingly
  • Continual education of internal controls and COSO 2013 requirements

To prepare for the transition, financial management and internal auditors need to begin assessing the 17 principles as soon as possible, coordinate with external auditors, develop a transition plan and communicate the plan with senior management and board members (see illustration above).

Amy Ribick, CFE, CRMA, is a manager in Brown Smith Wallace’s risk services practice, where she provides internal audit services, including Sarbanes-Oxley documentation and testing, for clients. Visit Brown Smith Wallace at www.bswllc.com