April 28, 2014
The Updated COSO Internal Control Framework FAQ: Table of Contents
- Who is COSO?
- How did the project to update the 1992 framework unfold?
- How is the updated framework organized?
- Why update the 1992 framework?
- What hasn’t changed?
- What has changed?
- What’s the most important change?
- How are points of focus applied?
- How are deficiencies in internal control assessed?
- Assume we previously had a clean Section 404 certification but find gaps in the process of mapping our controls documentation to the COSO principles. How will those types of deficiencies be handled? Can we now fail to comply with Sarbanes-Oxley Section 404 requirements if we are weak on specific COSO principle?
- What are the implications of a deficiency in control design or operation around entity-level type controls?
- If there are weaknesses in the Control Environment, is there any point in continuing to evaluate the other components?
- What does “present and functioning” mean?
- How does management assess whether all components “operate together”?
- Are external parties who do not process transactions part of the system of internal control?
- Are outsourced service providers part of the system of internal control?
- When are we required to apply the New Framework?
- What is the SEC’s position on transitioning to the New Framework?
- What if we continue to apply the original framework beyond COSO’s transition period?
- Must we begin applying the 2013 New Framework in the first quarter of 2014 for purposes of complying with Section 302 of Sarbanes-Oxley?
- What are the implications for Sarbanes-Oxley compliance?
- How will the concept of “major deficiencies” under the 2013 New Framework affect the way companies report internal control deficiencies under Sarbanes-Oxley?
- Does the 2013 New Framework affect the way companies evaluate their controls over technology?
- How do we disclose in our annual internal control report which framework we used during the transition period?
- What do we need to do now?
- What tasks are necessary in transitioning to the 2013 New Framework?
- What is the level of effort required to map the principles to the existing controls?
- Who should complete the mapping of controls to the 17 principles?
- What are the components of a model project plan for 2013 New Framework implementation?
- When we map our controls to the principles underlying the five components, where do entity-level controls fit in relative to process-level controls? Are the controls being mapped to the points of focus primarily entity-level controls, or are they also inclusive of process-level controls depending on the sufficiency of the entity-level controls within the organization?
- Does the 2013 New Framework alter the approach to complying with Section 404 to also consider Operations and other Compliance objectives in conjunction with our Section 404 compliance activities?
- What are the implications of the 2013 New Framework, if any, for a company’s internal audit and other risk management functions beyond compliance with Sarbanes-Oxley and other similar regulations relating to financial reporting controls?
- To whom do we communicate—and what do we tell them?
- What do we communicate to the audit committee?
- What if we adopt the 2013 New Framework this year for ICR but not for other operational, compliance and reporting areas: Can we still disclose we have adopted the New Framework in this year’s internal control report?
- Will there be a “street reaction” to companies that do not “early apply”?
- Does the New Framework comment on the limitations of internal control?
- How do we use the illustrative tools for assessing effectiveness of a system of internal control?
- Why did COSO issue the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples?
- Are we required to use COSO’s External Financial Reporting Compendium?
- How does the New Framework apply to smaller companies?
- When using the COSO framework for a nonprofit or nonpublic entity, do the 17 principles need to be present and functioning for these “smaller” nonpublic entities?
- Does the New Framework supersede COSO’s guidance on Monitoring?
- How is the 2013 New Framework, and specifically the 17 principles, applied to evaluate internal control over compliance?
- How does the New Framework relate to ERM?
- How does the new COSO framework align to COBIT 5?