Nonprofit Resources


What You Need to Know About the COSO Framework Update

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework (COSO Framework). For more than 20 years, the COSO Framework has been used to design and implement internal controls, as well as to assess their effectiveness. Since business continues to evolve — most notably in regulations and laws, reliance upon information technology, expectations for oversight, and use of service providers — in 2013 COSO began the process of updating the COSO Framework. This update, Internal Control – Integrated Framework (2013), became effective on December 15, 2014.

The COSO Framework is designed to provide a process of controls aimed at achieving the organization’s objectives. This is similar to showing your work in math class. When implemented processes are designed correctly and the controls are operating effectively, the likelihood of achieving the desired result increases greatly. The COSO Framework has identified three key objectives to internal controls:

  1. Operations objectives relate to the effectiveness and efficiency of the organization’s operations.
  2. Reporting objectives refer to the timeliness and accuracy of both internal and external financial reporting.
  3. Compliance objectives relate to the ability to operate within the laws and regulations subject to the organization.

With the revision to the COSO Framework, it is important to first understand what has not changed. The core definition of internal control has remained consistent and states:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Furthermore, the five components of internal control continue to be control environment, control activities, risk assessment, information and communication, and monitoring; therefore, the use of the COSO Framework to assess the effectiveness of internal controls has not changed. Finally, the COSO Framework continues to emphasize the need to exercise judgment. It is meant to obtain reasonable, not absolute, assurance.

The COSO Framework update resulted in five significant changes:

  1. New principles and points of focus
    The updated COSO Framework has developed 17 principles and 77 points of focus. This is not intended to provide management with a checklist, but rather to encourage stakeholders to identify the aspects of internal control that apply to their organization. It is important to note that of the 17 principles, only three relate to control activities, while the remaining 14 principles apply to the four other components of internal control. Of the three principles in control activities, one is dedicated to the internal controls over information technology.
  2. Increased importance of information technology on internal controls
    The development of the cloud (i.e. hosted systems) and the growing number of systems that are used to generate information for operations, financial reporting, and compliance have increased organizations’ reliance on information technology. The extent of the internal controls for information technology result from the complexity of that environment, and it is important to document the relationship between the use of technology and business processes and also establish security management policies.
  3. Increased emphasis on the governance and oversight functions of the organization
    Each of the five components have points of focus related to oversight responsibilities and are meant to reiterate that the role of the board is an important part of internal control.
  4. Non-financial information and internal  reporting objectives added as principles
    This is meant to move the COSO Framework beyond external financial reporting. Non-financial information is important in identifying and developing key performance indicators (KPIs) that management and the board can use to monitor the organization’s ability to meet their objectives. In addition, internal reporting should be developed to reflect the organization’s activities and need for precision. This development has expanded the COSO Framework from external reporting to four different types of reporting: external financial, external non-financial, internal financial, and internal non-financial.
  5. Increased consideration and assessment of internal controls for preventing and detecting fraud
    While the original COSO Framework included fraud prevention, the revised COSO Framework more clearly links fraud prevention with internal controls.

The objective of the COSO Framework has always been to provide organizations with the structure to achieve their goals, and the update was designed to do that more effectively in the current operational environment. The most significant revision to the Framework provides greater clarity through the development of principles and points of focus, and is intended to encourage organizations to apply consistent judgment throughout their internal controls. Most importantly, management judgment is emphasized, and not removed, in order to apply cost/benefit concepts to the COSO Framework.

If you have any questions about the update or internal controls at your organization, please contact us: [email protected].

Christopher Gordon

Christopher joined CapinCrouse in 2006 and has more than 10 years of experience providing audit and review services to various nonprofit entities, including colleges and universities, churches, foundations, international mission organizations, and relief and development organizations. He serves as a Partner and is responsible for the oversight of audit engagements and also, as appropriate, for the recommendation of internal control structures and best practices.

Leave a Comment