
INSIGHT

Internal Audit's Role in Transitioning to the 2013 COSO Internal Control - Integrated Framework

MetricStream

No organization is risk free. There have been several
incidents in the past when frauds have led to the downfall
of organizations as a whole. However, the global business
landscape has changed over the years. Recognizing the significant
changes to business and operating environments that
have taken place over the past 20 years, the Committee
of Sponsoring Organizations of the Treadway Commission
(COSO) issued its updated 2013 Internal Control-Integrated
Framework on May 14, 2013. The updated standards will
supersede the previous framework on December 15, 2014.
Adoption of the new standards is a top priority for companies
as the U.S. Securities and Exchange Commission (SEC) has
made it clear that it expects compliance by the end of 2014.

The COSO, an independent private-sector initiative, is
established to provide thought leadership through the
development of comprehensive frameworks and guidance
on enterprise risk management, internal control and fraud
deterrence to improve organizational performance and
governance, and to reduce the extent of fraud in organizations.
The whole purpose of updating the existing framework was to
increase its relevance in the increasingly complex and global
business environment so that organizations globally can better
design, implement, and assess internal control.

The first edition of COSO standards, established in 1992, is
the principal standard that U.S. companies use to ensure
compliance with the Foreign Corrupt Practices Act (FCPA) and
with Section 404 of the Sarbanes-Oxley Act of 2001 (SOX).

NEW FRAMEWORK: WHAT'S RETAINED AND WHAT'S CHANGED?

The new framework retains the core definition of internal
control, the objectives, the five components of internal control
and its seventeen principles that continue to emphasize
the importance of judgment in designing, implementing and
conducting a system of internal control, and in assessing its
effectiveness. The new framework codifies principles that
support the five components of internal control, clarifies
the role of objective-setting in internal control, reflects the
increased relevance of technology, incorporates an enhanced
discussion of governance concepts, expands the reporting
category of objectives, enhances consideration of anti-fraud
expectations, and increases the focus on non-financial
reporting objectives.

THE 17 PRINCIPLES TO EVALUATE INTERNAL CONTROL OVER COMPLIANCE:

The framework is very adaptable to compliance. All 17
principles, under the five components, are presumed relevant
for all entities and need to be present and functioning to have
effective internal control.

CONTROL ENVIRONMENT
- Demonstrates commitment to integrity and ethical values
- Board of directors demonstrates independence from management and exercises oversight responsibility
- Management, with board oversight, establishes structure, authority and responsibility
- Integrate business processes with regulatory notifications or industry alerts
- The organization establishes accountability

RISK ASSESSMENT
- Specifies relevant objectives with sufficient clarity to enable identification of risks
- Identifies and assesses risk
- Considers the potential for fraud in assessing risk
- Identifies and assesses significant change that could impact system of internal control

CONTROL ACTIVITIES
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures

INFORMATION & COMMUNICATION
- Obtains or generates relevant, quality information
- Communicates internally
- Communicates externally

MONITORING
- Selects, develops and performs ongoing and separate evaluations
- Evaluates and communicates deficiencies

POINTS OF FOCUS:

The new framework has outlined certain points of focus to
enhance the rigor of understanding of each principle. They are:

- It considers all structures of the entity (operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
- It designs and evaluates the reporting lines to manage the activities of the entity.
- It delegates authority and defines, assigns and limits authorities and responsibilities.

ROLE OF INTERNAL AUDIT IN TRANSITIONING TO THE NEW FRAMEWORK:

DEFINITION:

In companies with formal internal audit functions (which
can vary from an individual assigned with internal audit
responsibilities to a formal department), the board of directors
empowers the internal audit function to carry out its purpose,
authority, and responsibilities with direct access to the audit
committee and/or the board of directors. The board or audit
committee is actively involved in reviewing the company's risk
assessment, ensuring that the internal audit plan provides
adequate assurance on the adequacy of coverage of key
risk areas, and overseeing internal audit compensation to
ensure it is structured in a manner that supports the need for
objectivity.

The responsibility of leading the transition to the New
Framework lies with the internal audit department for various
purposes including planning, conducting and reporting on
risk-based audits. The role of internal audit can be summarized in
two points:

ORGANIZE A PROJECT TEAM TO CONDUCT AN EVALUATION:

Given the integral roles management, the audit
committee, internal audit and other risk management
functions play in an effective system of internal control,
a coordinated approach to addressing the key changes
in the COSO framework is important to an effective and
efficient transition.

REVIEW/UPDATE INTERNAL AUDIT PLANS:

Review internal audit plans and how they applied the
1992 edition of the framework. Internal auditors should
also review in detail the changes made to this version
and consider possible implications of those changes
on audit plans, evaluations, and any reporting on the
entity's system of internal control.

- Revise the IA risk assessment methodology to address the 17 principles supporting the five components for achievement of the three objectives. Applying principles provides a basis for checking what's covered and what's missing across the business including dispersed and outsourced operations.
- Include reference to the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee.

CONCLUSION:

The internal audit team has to leverage the right technology
solutions and use them as enablers for greater transparency
and accountability for internal control and various internal
audit functions. The New Framework also provides a new
opportunity for internal audit committees to take a fresh
look at internal control, create value for the organization and
manage elevated expectations regarding internal control.

MetricStream
www.metricstream.com info@metricstream.com

Copyright 2015 MetricStream, Inc. All rights reserved.
