The COSO effect: How the new control framework adds value, not just work for work’s sake

Share on facebook
Share on linkedin
Share on twitter
Share on email
Share on print

Every business, private and public, has a control structure. Internal controls — often called COSO after the Committee of Sponsoring Organizations that has set the standard for internal controls since 1992 — are the functional steps that process accounting transactions generated by a business.
Every company wants to profit by providing a product or service, and therefore, transactions must be initiated and recorded. The internal controls are the baseline framework to execute that.
“The current business environment is highly automated and global with more of a remote workforce and increased transparency. So, those kinds of activities needed to be reflected in the COSO framework,” says Alyssa G. Martin, a partner in Risk Advisory Services at Weaver. “This framework that we are all ‘supposed to follow’ was essentially stale. It wasn’t a reflection of the real business environment today.”
COSO recognized that migration by releasing an updated framework last year.
Smart Business spoke with Martin about these COSO changes and what they mean for those who run companies.
When do these changes go into effect?
The updated framework was approved in May 2013. Organizations in regulated industries, such as banking, insurance or health care, and those accountable to the U.S. Securities and Exchange Commission need to evaluate and update their control structure against the new framework by December 2014.
Others like large private organizations in unregulated industries aren’t required to use the new framework. However, these controls are best practices that are worth emulating.
How has the framework been updated?
The COSO framework still has 17 components, but those components are revised, renamed and renumbered. A couple of the biggest differences relate to data security and fraud prevention. The old framework did not explicitly recognize the reliance on technology in the ordinary course of business, as well as the need to specifically prevent and deter fraud. Further, the revised framework is more focused on overall coordinated governance, such as no longer viewing HR policies and procedures as separate from company-wide policies and procedures, and managing risk to meet business objectives.
How can an organization get started on following the new framework?
Corporate internal control structures sit along a spectrum that ranges from unintentional actions that focus on just trying to record transactions to highly intentional, effectively controlled and mature.
Every business should evaluate its structure against the new framework. As an outcome of the evaluation, if you fall toward the mature, effectively controlled end of the spectrum, the business is likely already following these changes. Ad-hoc organizations that are not strongly controlled, stale and/or highly manual are looking at more material changes.
Your chief financial officer, chief accounting officer or controller — whoever is responsible for the accurate reporting of financial transactions — needs to compare your internal controls to the new framework in a high-level gap assessment. Even if your processes aren’t well documented, this person knows best what practice is in place, and if it’s working or needs improvement.
Then, consider getting consultative help to implement the new framework. External assistance provides a competency and skillset to apply this framework efficiently. It is also a labor source to complete a project of this scale while people who work in the company are doing their normal jobs.
What’s the takeaway for business leaders?
This new framework is a good excuse to take a fresh look and determine if the way business is transacted could be more effective, efficient or automated in order to benefit the company. Every business can benefit from having internal controls that are intentional and preventative focused.
It may seem like work for work’s sake, but if you have to go through this exercise, then use this opportunity to look at efficiency and effectiveness. Are your processes scalable if the company experiences growth? Are you using automation that can be preventative and have low labor costs? Is it standardized, so it can be transferred to a new location?

The paradigm in which you approach this has a direct relation to the value and output at the end, which is why consultative assistance is so beneficial. Those experts can help you get more value versus simply going through an exercise to check the right boxes.

Insights Accounting is brought to you by Weaver