Technology guidance abundant in COSO internal control proposal

While scanning the US Committee of Sponsoring Organizations of the Treadway Commission’s proposed internal control framework, Kenneth Vander Wal counted more than 200 mentions of technology.

“That’s probably about 199 more times than the ’92 framework,” said Vander Wal, a member of COSO’s Advisory Council and past president of the Information Systems Audit and Control Association (ISACA). The increased prominence of technology was one of the reasons COSO decided to update its Internal Control—Integrated Framework and issue accompanying documents on internal control over financial reporting and illustrative tools for implementation.

The exposure period for all three proposed documents recently ended. They are expected to be released in final form in the first quarter of 2013. COSO’s framework also is used to guide internal control processes by some companies outside the United States. COSO Chairman Dave Landsittel said local professionals are familiar with COSO’s internal control guidance in Japan and China, where there are regulations comparable to the US Sarbanes-Oxley Act, as well as in South America, Spain, and France.

Although COSO officials say the guidance in the original, 20-year-old framework remains solid, they said an update was needed to reflect the current business environment. Technology plays a big part in that.

In the original framework, technology considerations were prominent in just two of the five components of internal control—control activities and information systems. The updated framework proposal considers technology in all five components.

“Technology is now embedded in virtually every enterprise,” Vander Wal, who is also a member of COSO’s Advisory Council, said in early December during a presentation by COSO officials at the AICPA Conference on Current SEC and PCAOB Developments in Washington.

Vander Wal explained the updated consideration of technology across COSO’s five components as follows:

Control environment. There is a need for technology competence on the board of directors and in senior management. “That’s now a requirement in many instances, depending on the nature of the organisation,” Vander Wal said. In addition, there are more regulatory requirements to consider based on the use of technology.

Risk assessment. The availability of more data as a result of technology allows for more risk assessment analytics, but also creates new risks. And technology is identified as an entity-level risk in the proposed framework. “Think about the risk associated with implementing cloud computing in your organisation, or the impact of technology failure, which is much more significant now than it would have been in 1992,” Vander Wal said. “How long could you operate successfully if your technology failed, and what are the provisions for addressing that risk? In other words, what is the business continuity planning?”

Control activities. Technology provides new responses to risks, as well as increased efficiency of risk responses.

Information and communication. As a result of technology, more internal and external information is available over more channels. “So what are the controls over access to that?” Vander Wal said. “How do I analyse it? How do I use it? All of those things are considered when you look at that section and the technology in that particular component.”

Monitoring activities. The guidance focuses on new methods for monitoring technology, and new ways to use technology for monitoring. “We’re using dashboards now, for example,” Vander Wal said. “We’re using technology to monitor controls. We’re using technology to report key performance indicators.”

COSO’s proposed framework spells out a total of 17 specific principles to consider across the five components. Principle 11, which is under the “control activities” component, deals primarily with technology. It states that an organisation should select and develop general control activities over technology to support the achievement of objectives. The points of focus for organisations to consider in that principle include:

  • Determining the dependency between the use of technology in business processes and technology general controls.

  • Establishing relevant control activities for technology infrastructure, security management processes, and technology acquisition, development and maintenance.

“How do we maintain systems?” Vander Wal asked. “And how do we secure systems? What are the processes that we have in place over that? That’s really the focus we see in that Principle 11.”

The proposal also addresses the impact of technology on the volume and complexity of data and information, and how that affects organisations. It says:

  • Systems need to be increasingly complex to process and maintain control over the high volume of data available through electronic means.

  • Operational or compliance risks may offset the benefits of increased information.

  • Security, protection and retention of data are increasingly important.

The proposed framework limits mention of specific technology for fear of becoming dated. The acceleration of technological breakthroughs means this update to the framework might not last another 20 years if its guidance were limited to discussions of today’s gadgets.

“I am comfortable with the balance that has been achieved,” Vander Wal said. “I think the main challenge that we have is going back to the competency of understanding the risk associated with technology, and do we really understand how that impacts the entity?”

Ken Tysiac ( is a CGMA Magazine senior editor.