COSO proposals give real-world internal control examples

News reports show the frightening weather satellite images of a hurricane that’s causing concern for leaders of an automobile manufacturing plant.

The possible effects on the supply chain as the storm approaches one of the company’s suppliers seem obvious. The problems this could cause for internal control over the company’s financial statements are less apparent.

As one of many scenarios described in new guidance proposed Tuesday by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), though, the hypothetical example brings to life a real external financial reporting risk a company might face.

COSO’s proposed guidance describes how the accounting and finance departments of the auto manufacturer could determine how possible plant shutdowns would affect the financial statements. Financial executives would be able to inform the company’s directors about potential penalties contained in sales contracts, and what insurance coverage existed to mitigate potential losses.

The purpose is to “bring forth the fact that something somewhat removed from financial reporting can have an impact on financial reporting,” COSO Chairman David Landsittel said in a telephone interview.

COSO on Tuesday released its Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples proposal for public comment. The proposed Compendium devotes 145 pages to discussion of how to apply COSO’s proposed, updated Internal Control—Integrated Framework to external financial reporting.

The guidance applies to public company financial statements; financial reports private companies prepare for banks and lenders; reports not-for-profits prepare for potential donors; and financial reporting governmental entities may provide to the public or oversight agencies.

Although COSO’s guidance is most often used in the United States, the guidance is designed to have universal appeal. Landsittel said China and Japan in particular have regulations similar to the US Sarbanes-Oxley Act of 2002 that make COSO guidance relevant.

The Compendium was one of three proposed documents released Tuesday for comment by COSO. A revised version of the updated Internal Control—Integrated Framework, and an Illustrative Tools document also were made available.

Comments can be made on COSO’s website through November 20th. COSO plans to release final versions of all three documents in late March.

Changes to framework

Significant changes were made to the Internal Control—Integrated Framework as a result of comments received from more than 200 stakeholders during an exposure period earlier this year.

The 17 principles described across five components stayed the same from the previous document. The components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities—also did not change.

Landsittel described the most important changes made in the revised version of the proposed framework:

  • COSO reorganised the material to make it clear that information in the appendices is supplemental to the framework. Commenters had said the framework wasn’t clearly separated from supplemental information in the earlier version.

  • Chapter 3 clarifies COSO’s description of what’s required to conclude on effectiveness of internal control.

  • The “attributes” that were listed for each principle in the earlier version were replaced with “points of focus.” COSO made it clear that the points of focus don’t all need to be fulfilled; they are just considerations to help users evaluate the principles.

  • Classification of deficiencies was limited to “deficiencies” and “major deficiencies.” The proposal makes it clear that a system of internal control can’t be operating effectively if a major deficiency exists.

  • An appendix was added to describe how small entities can apply the framework.

  • More information on how to deal with technology was added, although the framework doesn’t go into detail on types of technology.

The Illustrative Tools proposal, meanwhile, provides a template for users to apply the framework.

“The requirements that are in Chapter 3 that deal with effectiveness come alive, so to speak [in the Illustrative Tools],” Landsittel said, “and a template gives an organisational approach as to how someone can accumulate information in their consideration as to whether the requirements for effectiveness are addressed.”

Explicit guidance

The update came about because COSO members wanted to facilitate easier use and application while reflecting the increase in complexity in the business, operating and regulatory environments that has evolved since the original framework was published in 1992.

Members of COSO thought it was important to create the Compendium to give explicit application guidance for external financial reporting because the updated framework itself was made more robust in its discussion of its objectives for operations and compliance.

Landsittel said that although there are exceptions, in most cases all 17 principles have to be present and functioning in order for effectiveness of internal control to exist.

As for the auto manufacturer’s consideration of the hurricane, it is an example of Principle 9, which says organisations must identify and assess changes that could significantly affect the system of internal control.

“We hope the examples and approaches are real world,” Landsittel said. “…We wanted to have a clear path as to how the framework could be applied in an external financial reporting environment.”

Ken Tysiac ( is a CGMA Magazine senior editor.