Internal controls: that was then, this is now: COSO updates its 1992 classic internal control-integrated framework.

• Author: Scott, Robert B. 'Bob'
• Position: Committee of Sponsoring Organizations of the Treadway Commission - Cover story

[ILLUSTRATION OMITTED]

Originally issued in 1992, the COSO Internal Control-Integrated Framework has been internationally recognized as the conceptual anchor any organization needs to develop a strong system of internal control. A proposed update, which should be finalized in early 2013, is expected to leave many of the framework's timeless concepts untouched but add detail to address the changing environment. In applying this new framework, state and local governments should keep in mind the unique aspects of their operating environments, including political, legal and operational.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1) issued the original framework to provide guidance and thought leadership about what constituted good internal control within an organization. It has become a global resource, translated into seven languages. But no document can remain relevant without addressing the rapid changes occurring in organizations, including:

* Increasing expectations of strong governance and oversight.

* Globalization of markets and operations.

* Reliance on rapidly changing technology.

* Increasing complexity of rules, regulations, and standards.

* Increasing expectations for preventing and detecting fraud.

An effort began in 2011 to update the integrated framework, beginning with a survey of stakeholders, continuing with an exposure draft of proposed changes, and ultimately culminating in the proposed update, to be issued in early 2013. This article will discuss the original framework, the proposed changes, and areas state and local government should consider when applying the framework.

NOT JUST A FINANCE THING

The beauty of COSO's integrated framework is its simplicity and how broadly it can be applied across organizations. Based on the belief that good internal controls are necessary for the long-term success of all organizations, COSO takes internal controls beyond the finance department and sets them squarely on the shoulders of every employee from the governing board down. If asked to name an internal control, most of us would probably say "segregation of duties." Few, if any, would go with "long-term strategic plan." However, given COSO's emphasis on organizational success and the tone at the top, one could argue that detailed controls within individual areas start with strategic goals from the governing board that define what success means for the organization. In other words, it's easy to develop controls to mitigate poor segregation of duties, but an organization that doesn't have a direction is a much harder problem to solve.

The original 1992 framework is best...