Audit Executive Center Hosts Roundtables on COSO Framework Exposure Draft
The Institute of Internal Auditors’ (IIA’s) Audit Executive Center recently hosted three roundtables aimed at seeking insight from chief audit executives (CAEs) on proposed updates, revisions, and enhancements to the 1992 Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control — Integrated Framework (Framework), which was released for public comment in December 2011.
The roundtables, which were held in Orlando, Fla. (Jan. 18), Chicago (Jan. 24), and New York (Jan. 25), brought together more than 30 CAEs from Fortune 250 companies and other distinguished organizations. Special guests who also participated in the multi-hour roundtables included COSO Board Chairman David Landsittel, COSO board member Sandra Richtermeyer, IIA President and CEO Richard Chambers, COSO Framework authors Stephen Soske, Chuck Harris, Miles Everson, and Frank Martens with PricewaterhouseCoopers LLP, and members of The IIA’s Professional Issues Committee task force assigned to develop The IIA’s official response.
All sessions were facilitated by Dick Anderson, clinical professor of risk management at DePaul University’s Center for Strategy, Execution, and Valuation.
The exposure draft of the COSO Framework aims primarily to update the original document to better reflect changes in the business and regulatory environments during the past 20 years, establish specific principles and related attributes that can be used to develop and assess a system of internal control, and expand upon the original financial reporting objective.
Notable additions to the Framework include 17 principles and supporting attributes divided among the five internal control components: control environment, risk assessment, control activities, information and communication, and monitoring activities (refer to “Outline of the 17 Principles” on this page for more information).
CAEs participating in the roundtables provided valuable insight on proposed COSO Framework revisions. Key themes revolved mostly around observations concerning:
The completeness and comprehensiveness of the 17 principles and the related supporting attributes.
Missing or nonfunctioning principles (e.g., if a principle is not present or functioning, does this constitute a control deficiency, although subject to management’s determination of its severity?).
The appropriateness of having separate, stand-alone principles on technology and fraud risks.
The relationship between COSO’s Enterprise Risk Management — Integrated Framework and the revised Framework, including coverage adequacy pertaining to business strategy, strategic risk, and other risk types.
The expansion of the reporting component — previously known as the financial reporting component — to include internal financial and nonfinancial reporting and external nonfinancial reporting activities and controls.
The adequacy of guidance on the compliance and operations objectives.
The differing classifications of control deficiencies across the objectives.
“Feedback from roundtable participants provided valuable first-hand information to the people directly involved with the exposure draft and primarily responsible for making revisions as a result of the exposure comment process,” says Hal Garyn, CIA, CPA, IIA vice president of North American Services, who also participated in the roundtables.
“This was a unique set of experiences that all participants found valuable and engaging. We’re proud that The IIA’s Audit Executive Center could be the catalyst to make these special, open-dialogue feedback sessions happen.”
The revised COSO Framework will remain open for public comment until March 31, 2012. After completing a brief questionnaire on the COSO website, CAEs can download the 20-page executive summary, the full text of the 168-page exposure draft, and a feedback questionnaire.
Due to the importance of the Framework and the potential impact and ramifications of the updates, many comment letters are expected. CAEs are strongly encouraged to provide comments directly to COSO individually or to help their organizations with a response.
IIA members also can provide input to The Institute’s official response to the Framework update by emailing email@example.com with the subject line “COSO Exposure Draft” on or before Feb. 15, 2012. The final Framework is scheduled for release in the fourth quarter of 2012.