Community Banking Advisor: Time for your Bank to Adopt the Updated COSO Framework?

May 6, 2015

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated Framework, originally published in 1992. COSO’s framework is used by most public companies — as well as many privately held financial institutions subject to internal control requirements — to assess their internal control over financial reporting.

COSO recommended that organizations transition to the new framework by Dec. 15, 2014, and now considers the old framework to be superseded. Although many banks continue to use the old framework, at some point it will no longer be considered a “suitable, recognized framework” and banks will need to implement a new one. When that will happen isn’t clear, so banks should make the transition as soon as feasible.

Certain banks must comply

A bank is required to conduct a management assessment of internal control effectiveness if it’s:

  • A publicly traded institution subject to Section 404(b) of the Sarbanes-Oxley Act of 2002 (SOX), or
  • A privately held institution with more than $500 million in assets subject to the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA).

Banks in the first category and privately held banks with more than $1 billion in assets must have their external auditors attest to and report on management’s assessment of internal control. To satisfy these requirements, covered banks must select a suitable, recognized internal control framework — usually, COSO. And that means implementing updated COSO as soon as feasible.

What about privately held banks with less than $500 million in assets? These banks aren’t subject to SOX or FDICIA, but the need for updated internal controls is likely to trickle down to community banks in the form of heightened regulatory expectations.

Changes include internal control principles

COSO’s 2013 update generally retains the original five components of internal control from the 1992 framework: control environment, risk assessment, control activities, information and communication, and monitoring. But the 2013 update supplements those components with 17 “principles of effective internal control” as well as 81 detailed “points of focus” to guide organizations in incorporating those principles.

The update reflects significant changes in the business and operating environments over the last two decades. For example, the 2013 framework explicitly discusses the need to consider potential fraud in assessing risk, places greater emphasis on globalization, provides enhanced guidance on the impact of information technology on business processes and reporting, and details an organization’s responsibilities with respect to outsourced service providers. It also extends beyond external financial reporting to include nonfinancial reporting and internal financial reporting.

What’s next?

Making the transition can take time, so the sooner you get started the better. Begin by reviewing and evaluating your current internal control policies, procedures and documentation. Map your existing controls to the 17 principles and 81 points of focus outlined in the updated COSO framework and modify your controls to close any gaps in coverage.

Banks that make the switch to COSO 2013 often find that many of these gaps are caused by missing documentation rather than missing controls.