Wednesday, 28 May 2014

The importance of COSO and COBIT and some thoughts on implementation

The US Securities and Exchange Commission in its final rule relating to "Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports" available at: states:

"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."

In May 2013 COSO updated the COSO Framework. The SEC recognised this and subsequently advised at

"The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognised framework"

This guidance essentially states that users of the 1992 version of the framework will have to justify why they are using it instead of the 2013 Framework. It also establishes COSO as the most recognised framework for internal control, which is why this framework has been adopted by most SEC filers.

The 2013 COSO Framework was developed in combination with ISACA as a member of the COSO Advisory Council. ISACA maintain and publish the COBIT Framework (Control Objectives for IT) and have also published guidance that links the new May 2013 COSO Framework covering enterprise control to the new COBIT5 Framework covering IT control.

So what does this mean? It means that, for SEC filers, internal and external auditors will likely use COSO and COBIT guidance to assess the adequacy of the filer's control environment and the effectiveness of its controls. In my experience, and in the experience of a number of audit, risk and regulatory compliance professionals, this is the case in practice.

In practice I have not seen an organisation try to adopt the whole COSO or COBIT framework as it is. Rather, organisations have used these frameworks to undertake gap analyses of their current control environments and have looked to COSO and COBIT for guidance on how to fill those gaps.

I have seen internal and external assurance professionals use COSO and COBIT as the basis for their assessments of the adequacy and effectiveness of organisations' internal controls.

Any control implementation or assurance activity based on these frameworks needs to be mindful that they are guidance and are purposely built to be generic. The key is understanding your organisation's value chain to its customers and its regulatory environment, together with the risks of failing to deliver that value or of not complying with regulations and cultural norms and mores, and then implementing a control framework that responds to those risks.