ISACA Journal
Volume 2, 2014

Features 

The Effect of the COSO 2013 Update on IS Professionals 

John H. White, Ph.D., CISA, CPA 

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control—Integrated Framework in 1992.[1] In the more than 20 years since, the framework has become the accepted general internal control framework of the US Securities and Exchange Commission (SEC), American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), and many other professional organizations and standard setters. Because of intervening changes in business models and best practices since 1992, such as economic globalization, electronic commerce, outsourcing and the pervasive use of IT, COSO initiated a project in 2010 to update the 1992 framework. After appropriate due process, including review and input from the internal control (IC) community, this project culminated in May 2013 with the publication of the revised framework.[2]

IT professionals must be aware of the recent, important changes in the COSO framework and especially how/why these changes are pertinent when using ISACA standards and framework documents such as the ISACA Code of Professional Ethics,[3] IT Assurance Framework (ITAF),[4] and COBIT 5.[5]

Both the 1992 and 2013 frameworks are structured around three categories of enterprise objectives and five components of an IC system to mitigate the risk to achieving those objectives. This objectives/components framework can be applied at any/all levels of the enterprise structure—all the way from the entity (highest) level down through the cascading levels of division, operating unit and, finally, the individual process (lowest) level.

The 1992 Framework

COSO depicts the 1992 framework as a three-dimensional cube with the three axes representing enterprise objectives, IC components and enterprise levels (figure 1). The slices on each axis of the cube intersect each of the slices on the other axes and, thus, the framework components apply to each enterprise objective and level. The five components of the IC framework do not represent a list of the actual controls as many users interpret. Individual controls are not specified by COSO (although individual controls are mentioned in the many examples contained in the document), and, in practice, a single individual control usually supports multiple components.

Figure 1
Figure 2

Since the 1992 and 2013 frameworks incorporate the same fundamental model of three objectives and five components, it is important to completely comprehend this structure so one can apply it in practice.

Figure 2 offers a Unified Modeling Language (UML)-structured classifier diagram and is presented here as an alternate model of an organization and its IC system. It presents another view that shows the presence of risk and elides the various levels of the organization. A UML-structured class diagram (also known as a UML composite structure diagram) depicts the structure of a class[6] as consisting of (i.e., encapsulating) internal parts that may be connected via relationships (the lines in figure 2) to each other and/or to the outside environment. The parts internal to the main class rectangle may also be modeled as a subordinate class rectangle with its own internal part structure, so the diagram can show the structure of the whole system as multiple levels of internal parts for a view of increasing amounts of structural detail. The number of levels of detailed parts to show in a structured class diagram is chosen by the presenter as a trade-off between detail and complexity.

In figure 2, the organization (a class depicted by the large outside rectangle) is shown as composed of three internal parts: objectives, risk to achieving those objectives and an IC system connected to the risk through some type of interface (represented by the lollipop and socket). The objectives part has its own internal parts consisting of three COSO-defined enterprise objective types involving operations, reporting and compliance. The IC system part also has its own internal parts, consisting of five COSO-defined components. Figure 2’s risk part does not show any lower-level internal parts, even though they exist, because additional detail about risk is not the primary topic here.

Comparing figures 1 and 2, one can see that figure 1 does not show risk in its structure. Figure 2 does show risk, but does not depict enterprise levels in its structure. Even though figures 1 and 2 depict different views of an organization and its IC system and have some differences in structure, an analysis and comparison of the two figures shows that their different structures can be reconciled and that they show alternative views of the same thing: an organization and its system of IC. UML-structured classifiers are used here to model various objects and concepts in the revised 2013 COSO framework.

Many practitioners find the 1992 framework difficult to apply in practice due to:

  • The complex interaction and relationships among objectives, risk, components and levels, as shown in figures 1 and 2
  • The generic, conceptual (as opposed to precise) definitions/descriptions of the five components and how they relate to actual, individual internal controls in practice
  • The absence of a list of specific controls to use in typical practice situations
  • The limited and dated discussion of IS/IT risk and controls

Many IC framework users look for a simple checklist of standard, recommended controls, and instead, the 1992 framework presents an abstract and conceptual discussion.

The 2013 Framework

The 2013 framework keeps the same three-objective and five-component structure as 1992, but adds depth (more detailed structure) and clarity (easier to use in practice). The 2013 framework differs from 1992 at the more detailed lower levels of structure for the reporting objective and for each of the five components. The 2013 framework also clarifies the definition of control deficiencies and of an effective (vs. ineffective) system of IC. IT and its effect on risk and control are discussed frequently and in depth throughout the 2013 framework.

Figure 3

The three enterprise objectives from 1992 have been preserved, but the reporting objective definition and discussion is expanded in significant ways in the 2013 update. The framework now includes internal reporting (in addition to external) and nonfinancial reporting (in addition to financial). These expansions greatly increase the scope of the framework guidance. Figure 3 presents a UML-structured class diagram of the 2013 reporting objective with four internal parts made from combinations of internal/external and financial/nonfinancial reporting.

This addition to the reporting objective is a major revision and clarification of the 1992 framework and is very important to IS/IT professionals. The 1992 reporting objective was generally interpreted as covering only external financial reporting, which is only one of the four subobjectives (parts) in the 2013 framework, as shown in figure 3.

2013 Principles and Points of Focus

Perhaps the major enhancement and clarifying change in 2013 is the introduction and integration of control principles and related points of focus into the five components. In the discussion of the five components in the 1992 framework, many fundamental concepts of IC were covered in a somewhat difficult-to-summarize discussion. In the 2013 framework, these concepts have been formalized and enumerated into 17 principles that are associated with (listed under) the five components. The following is a list of the five components and abbreviated descriptions of the associated 17 principles:

  • Control environment component:
    1. The organization demonstrates a commitment to integrity and ethical values.
    2. The governing body (board of directors [BoD]) demonstrates independence from management and exercises oversight of IC.
    3. Management establishes, with BoD oversight, the organizational structure and assigns authority and responsibility for IC.
    4. The organization demonstrates a commitment to attract, develop and retain competent employees.
    5. The organization holds employees accountable for IC responsibilities.
  • Risk assessment component:
    1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk to those objectives.
    2. The organization identifies risk to the achievement of its objectives and analyzes risk to determine the risk response.
    3. The organization considers the potential for fraud when assessing risk.
    4. The organization considers the impact of changes in the external environment and within its own business model that could impact the system of IC.
  • Control activities component:
    1. The organization selects and develops control activities to mitigate risk to achieving objectives.
    2. The organization selects and develops IT general control (ITGC) activities.
    3. The organization deploys control activities utilizing policies and procedures.
  • Information and communication component:
    1. The organization obtains or generates and uses relevant and quality information to support the functioning of IC.
    2. The organization internally communicates the information, including objectives and responsibilities concerning IC.
    3. The organization externally communicates regarding matters affecting the functioning of IC.
  • Monitoring activities component:
    1. The organization selects, develops and performs ongoing and/or separate evaluations (i.e., audits, assessments, assurances) to ascertain whether components of IC, including the principles embedded in the components, are present and functioning.
    2. The organization evaluates and communicates IC deficiencies in a timely manner to responsible parties, including management and the BoD.

Figure 4

Each of the 17 principles has multiple points of focus defined and associated with it. There are a total of 87 focus points in the 2013 framework. The focus points are important and very useful in analyzing the 17 principles (as an example, see figure 4).

Each of the three second-level internal parts (representing 2013 principles 10, 11 and 12) in figure 4 has internal third-level parts of its own, which are the focus points defined for principles 10, 11 and 12. These focus points are shown inside each principle part, as a bullet. Figure 4 does not list all of the focus points for principles 10, 11 and 12. The last three focus points in principle 11 identify the three categories of ITGCs defined by the 2013 framework.

These principles and focus points make management’s and/or the auditor’s assessment of IC, when utilizing the 2013 framework, a more logical, inductive-based analysis.

2013 Framework IC Deficiencies and Effectiveness

The important topics of control deficiencies and the judged effectiveness (or not) of internal control are discussed with new definitions and criteria. The clarification of IC components provided by the newly defined 17 principles and 87 focus points in the 2013 framework is useful in practice for assessing and opining on the effectiveness of IC in any situation (e.g., either the overall IC system or IC over a single process).

The 2013 framework defines an IC deficiency as a shortcoming in a component or embedded principle that reduces the likelihood of an organization achieving its objectives. A deficiency or combination of deficiencies that severely reduces the likelihood is referred to as a major deficiency. If a major deficiency exists, an organization cannot conclude that the system of IC is effective.

A major deficiency exists when management (or an auditor) determines that a component is not present or functioning or that the five components are not operating together. One must conclude that a component is deficient if any of its principles are deficient. Thus, all 17 principles must be individually present and functioning and all must be working together; if not, the IC is ineffective.

Importance of the 2013 Framework to IS Professionals

Every organization and its subunits have business objectives and risk affecting the achievement of those objectives and, for good governance purposes, must align IS/IT objectives with its business objectives. The management of an organization must, therefore, design, implement and operate an IS/IT control system to mitigate the risk to achieving objectives, and IS auditors are then asked to assess the effectiveness of the IC system. Thus, ISACA members and certification holders who design, implement, operate and audit the IS IC systems must be familiar and proficient with the COSO 2013 framework because of its status as the most widely accepted IC framework.

The following are just a few examples of where and why an IS professional/ISACA member would need to apply knowledge of the 2013 framework; it is not meant to be a complete mapping of the 2013 framework to ISACA documents.

ISACA’s Code of Professional Ethics and the 2013 Framework
Item 1 of ISACA’s Code of Professional Ethics states that ISACA members and certification holders must “support the implementation of and compliance with appropriate standards of…control and risk management.” Item 5 states that they must “maintain competency in their respective fields…and only perform assignments where…they have the necessary skills, knowledge and competence.” Thus, COSO, because of its status as the most widely accepted IC framework and because its recent revisions make it more applicable to IS/IT, becomes required reading and comprehension for many ISACA members and certification holders.

ITAF and the 2013 Framework
ITAF is a comprehensive and good-practice-setting reference model that establishes standards and guidelines to address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements. ITAF, 2nd Edition was released in July 2013 with new IS audit standards[7] and guidelines that reference internal controls in multiple places. Here are just two examples.

  • IS Audit Standard 1008, Criteria, discusses criteria against which the IS auditor should assess the subject matter. It states that the criteria should be widely accepted and that it is preferable to use criteria published by relevant authoritative bodies.
  • IS Audit Standard 1205, Materiality, discusses audit risk and assessment of internal controls and their importance in an IS assurance engagement.

The 2013 COSO framework, with its conceptual discussions of risk, control activities, monitoring activities and 17 principles of internal control, should be used as the overall IC framework from which to plan, monitor and assess IC when applying the assurance standards and guidelines found in ITAF.

COBIT and the 2013 Framework
COBIT 5 is a business framework for the governance and management of enterprise IT (GEIT). It aligns with other standards and frameworks (such as COSO) so that it can serve as an overall and complete integrator for enterprise IT, using its goals cascade and interconnected enablers models.

COBIT 5 defines an enabler as a factor that determines whether management of enterprise IT will achieve its objectives. The 2013 COSO framework also defines enterprise objectives and describes an IC system structured with components, principles and focus points that together can assure the achievement of objectives. These components, principles and focus points of the 2013 COSO framework can also be considered enablers of IC. Thus, COBIT 5 and COSO 2013 are conceptually similar, presenting different, but compatible views of IC, and can be used in combination to ensure the accomplishment of enterprise objectives through IT. The 2013 COSO framework is a more general/generic view of overall IC, while COBIT is a more detailed view of GEIT and includes IC arrangements. When used together, COBIT and the COSO framework form a superior tool, as compared to using either one independently.

IC arrangements in COBIT 5 are too numerous to mention here, since it is a comprehensive GEIT framework. Two important IC examples from the COBIT 5 process enabler model are as follows:

  • Process practice DSS06.02, Operate business process activities and related controls to ensure that information processing is valid, complete, accurate, timely and secure.
  • Process practice MEA02.01, Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.

Conclusions

The COSO Internal Control—Integrated Framework now includes internal and nonfinancial reporting in the reporting objectives covered by IC, and also includes IT general controls as a primary consideration (principle 11) of all IC systems. Thus, it is more applicable and useful to IT professionals than the 1992 version. IS/IT professionals should seek competence in understanding and applying the 2013 content to the governance, management and assurance of enterprise IT, and should, therefore, include the COSO 2013 framework in their schedule of future continuing education.

Endnotes

[1] COSO, Internal Control—Integrated Framework, 1992
[2] COSO, Internal Control—Integrated Framework, 2013
[3] ISACA, Code of Professional Ethics, www.isaca.org/ethics
[4] ISACA, IT Assurance Framework (ITAF), www.isaca.org/itaf
[5] ISACA, COBIT 5, 2012, www.isaca.org/cobit
[6] UML defines a class as a thing of importance in a system. A class has structure and behavior, and an IC system is a class composed of many internal parts that are classes themselves.
[7] The IS audit standards in ITAF, 2nd Edition became effective on 1 November 2013.

John H. White, Ph.D., CISA, CPA, is a clinical professor in the School of Accountancy, Daniels College of Business at the University of Denver (Colorado, USA), where he teaches financial accounting, database technology and IS auditing. Previously, he was a partner in a public accounting firm, specializing in systems design and auditing, and held chief financial officer (CFO) positions in the construction industry and higher education. In addition to teaching, he actively consults in the areas of design, control and auditing of database systems and accounting internal control design and analysis. He is a member of the audit committee of multiple nonprofit organizations and is a member and former officer of the ISACA Denver Chapter.
