The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released for comment a draft 2012 Internal Control—Integrated Framework. The 2012 framework, expected to be released later this year, addresses changes in the globalization of markets, operations, and business models; rapidly changing technology; increasingly complex regulatory requirements; and growing expectations for governance oversight that have evolved since the original was implemented in 1992.
The revised framework retains the original five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) but incorporates additional principles and attributes that are intended to provide clarity in the design and development of internal controls and that can support the assessment of their effectiveness.
The new draft provides what I believe is improved guidance and clarity for completing a comprehensive risk assessment in a number of areas:
- Most significant is the clarification that the risk assessment process includes risk identification, risk analysis (for example, the probability of occurrence and potential impact), and risk response (such as how the risk should be managed, with acceptance, avoidance, reduction and sharing).
- Identifying risks is clearly linked to the achievement of an entity’s objectives.
- Risk is considered within the overall entity and within its subunits (HR, legal, purchasing, etc.).
- Risk tolerances are incorporated into the assessment of acceptable risk levels.
- The new framework emphasizes the need for management to understand significant changes in internal and external factors that may impact the overall system of internal controls (external factors may include economic changes that impact financing or availability of capital; internal factors may include significant changes in management responsibilities or disruptions in information systems processing that can adversely impact operations).
- The new framework considers not only fraud risks related to financial reporting or safeguarding of assets, but also risks related to corruption, along with specific attributes for identifying and evaluating such risks.
Don’t wait—update now
Even though the 2012 Internal Control—Integrated Framework is still in draft form, I believe there is much that management can leverage in updating their risk assessment processes in the new year. The new framework provides a much more robust process that covers risk assessment against stated business objectives; risks associated with fraud and corruption and safeguarding assets; and risk appetite as an integral part of control activities. It adds value by ensuring that you’re focusing on the right internal controls so your company meets objectives and sustains and improves performance.
This means now is the time to take a fresh perspective and evaluate current processes, rather than waiting until the new framework is released. Making sure your activities are in alignment with the new framework now will put you ahead of the game.
To read the draft 2012 Framework and provide comments, go to the COSO website.