COSO was adopted in 1992 as a framework on which to base the design, and then the testing of the effectiveness, of internal controls. In 2010, it was deemed necessary to update this more than 20-year-old COSO Framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. This means that you need to understand what is required under the COSO 2013 Internal Controls Framework, and be able to show adherence to it or justify an exception, if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.
COSO has produced three volumes detailing the COSO 2013 Internal Controls Framework. The first lays out the Framework and is entitled “Internal Control – Integrated Framework”, herein “the Framework volume”. The second is an illustrative guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, herein “the Illustrative Guide”, which discusses how best to assess your internal control regime and provides forms and worksheets to use. The third volume is the “Executive Summary” of the first volume, herein “the Executive Summary”. All three works form an excellent starting point for exploring the COSO 2013 Internal Controls Framework and how you might use it for your best practices anti-corruption compliance program.
In the COSO 2013 Internal Controls Framework update, the basic framework was retained with substantial support from user companies, and three specific objectives were added: I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; II) Reporting Objectives – internal and external financial reporting; and III) Compliance Objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of these specific objectives, the COSO 2013 Internal Controls Framework now expressly includes the need for controls to address compliance with laws and regulations.
The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. From these five Objectives come 17 Principles, which we explore in more detail.
Three key takeaways:
- You must use the 2013 Internal Controls Framework or a similar source for your internal controls structure.
- The 2013 Internal Controls Framework identifies the following areas: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring.
- Your internal controls must be sustainable.