January 16, 2014

The recently released Committee of Sponsoring Organizations of the Treadway Commission[1] (COSO) Framework encourages corporations to reassess their internal control environments as the transition period gets underway.[2] With the 1992 framework set to be replaced on December 15, 2014, public companies that file in the U.S. will be expected to follow the updated Framework, if they were previously following COSO.

COSO’s Internal Control Framework is the most widely used around the world.[3] If companies fail to evaluate their internal control based on the new Framework, they expose themselves to undue fraud risks, as well as regulatory scrutiny from the Securities and Exchange Commission (SEC) or Department of Justice (DOJ).

In addition, implementing procedures based on the new COSO standards will reinforce control and increase the chances of detecting and possibly preventing fraud and bribery.

The Framework Evolves

COSO’s original Framework, released in 1992, was accepted by the SEC as a model attesting to internal control over financial reporting as required by the Sarbanes-Oxley Act of 2002 (SOX). The five main components of this Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – remain the foundation for the updated framework. In the 20 years since its inception, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global.[4] The new Framework is intended to consider technology and globalization, which have become an increasingly important part of the current business environment.[5]

Within the five main components, the new Framework lists 17 principles. Of note is the introduction of Principle #8, Risk Assessment, which requires an organization to consider the potential for fraud in assessing risks to the achievement of objectives.[6] A business has to incorporate fraud risk assessment into its internal control, covering areas such as financial reporting, misappropriation of assets, management override and corruption. The Framework emphasizes fraud risk factors like incentive, pressure, opportunity, attitude and potential rationalization.[7]

Further, compared to the previous Framework, which is still widely followed, more detailed steps are now included on how companies can deter and detect fraud by increasing their focus on operations and compliance.[8] Consideration of these fraud issues by companies will undoubtedly strengthen and enhance an organization’s internal control.

Recent enforcement actions signal that the SEC has stringent expectations for a company’s internal control. For instance, as publicly reported in August 2012, a large technology company agreed to pay a $2 million penalty to settle books and records and internal control charges arising from a slush fund developed by its distributors in India. There were no allegations that the company itself made or had knowledge of the improper payments, only that it failed to accurately record the extra funds held by distributors and maintain an effective system of internal control that would have prevented the improper use of funds.[9]

Critically, the Framework also introduces the concept of outsourced service providers (OSPs), which are any third parties conducting business on a company’s behalf. This is especially relevant as it relates to the Foreign Corrupt Practices Act[10] (FCPA) and corruption, as intermediaries, sub-contractors, consultants, and sales agents may be extensions of the company and may interact with government officials in foreign countries. The concept of knowing your OSPs is somewhat similar to the “know your customer” principle that financial institutions are familiar with to ensure that they are not providing banking services to individuals or organizations that are involved in illegal activities. Today’s companies need to have insight into the operating environments of OSPs, and should conduct rigorous due diligence and monitoring of these third-party providers.

Failure of companies to follow the new Framework may result in violations that may require reporting to the SEC. Although the SEC (to date) has not provided guidance on when the transition to the updated Framework begins, it will be watching.[11] According to the SEC Regulations Committee Minutes, the longer issuers continue to use the 1992 framework, the more likely they will receive questions about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework.[12]

Delaying the strengthening of internal control in accordance with the Framework may also increase executives’ exposure. Management is responsible for establishing and maintaining adequate internal control over financial reporting as defined under the Securities Exchange Act of 1934. When executives sign the Management's Report on Internal Control Over Financial Reporting, they are providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. By failing to adopt the Framework, executives can expose themselves and their companies unnecessarily.

Although compliance is only required for public companies that claim to follow it, the Framework should not be ignored by private companies. By following the COSO guidelines and implementing internal control policies and procedures that are aligned with the Framework, private companies may reduce their fraud risk, and be better prepared if they plan to become a public company.

Internal Control Refresher

The FCPA has two principal parts: 1) the anti-bribery provision and 2) the accounting provision, which requires that companies maintain accurate books and records[13] and proper internal control[14].

Implementing rigorous and effective procedures based on the new COSO standards reinforces control surrounding fraud and bribery. Without such control, companies may continue to unnecessarily expose themselves to fraud risks.

As discussed, the DOJ and the SEC continue to place more emphasis on internal control and compliance programs during their investigations. In addition, both agencies have been using industry sweeps[15] as an enforcement tool to capture multiple companies in a particular industry where the government believes the corrupt conduct is pervasive. Targeted industries have included oil and gas, freight-forwarding, medical device, pharmaceutical and financial services. Enforcement activities are currently targeting the retail industry and the movie industry.[16] One of the ways for companies to minimize the consequences of any potential infraction is by maintaining an effective compliance program.

An effective compliance program begins with an evaluation of the internal control environment and should enable a company to focus its resources on areas of concern and address risks prior to a reportable violation occurring. Without strong internal control, companies will be less prepared to respond to a “Hello There”[17] letter from FCPA enforcement authorities or the SEC.

Companies should embrace the new Framework sooner, rather than later. Failing to evaluate internal control against the new Framework may expose companies to undetected fraud, increase a company’s risk of regulatory action by the DOJ or the SEC, and subject the organization and its executives to possible shareholder lawsuits.

[1] COSO is a joint initiative of 5 organizations: American Accounting Association, American Institute of CPAs, Financial Executives International, Institute of Management Accountants, Institute of Internal Auditors.

[2] The Transition Period is from May 14, 2013 to December 15, 2014.

[3] COSO PowerPoint presentation developed in conjunction with PwC.

[4] COSO Internal Control – Integrated Framework Executive Summary, May 2013, page i.

[5] Journal of Accountancy, “Newly released COSO framework a fresh look at internal control” by Ken Tysiac, May 14, 2013.

[6] COSO Internal Control – Integrated Framework Executive Summary, May 2013, page 7.

[7] These concepts overlap with Donald Cressey’s conceptual Fraud triangle; ACFE.

[8] CFO, New guidelines could help deter fraud by Kathleen Hoffelder. May 21, 2013.

[9] Press Release, SEC, SEC Charges Oracle Corporation with FCPA Violations Related to Secret Side Funds in India (Aug. 16, 2012).

[10] The Foreign Corrupt Practices Act (FCPA) was enacted by Congress in 1977. Until recently, FCPA enforcement was not a significant priority. “Over the past several years, there has been a dramatic increase in FCPA enforcement activities by both the DOJ and the SEC, and both agencies have increased resources that are focused on tackling FCPA investigations.”

[11] SEC Drops New Hint: Update to New COSO Framework; Compliance Week, Nov. 12, 2013.

[12] SEC Regulations Committee Meeting Minutes, Sept. 25, 2013.

[13] The books and records provision requires that all issuers “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” 15 U.S.C. Section 78m(b)(2)(A).

[14] The internal control provisions require issuers to “devise and maintain a system of internal accounting control.” 15 U.S.C. Section 78m(b)(2)(B).

[15] Industry sweeps are where enforcement agencies target entire industries where corruption is thought to be manifest within the industry.

[16] Preparing for an FCPA ‘Industry Sweep’ by Zach Harmon and Amelia R. Medina. Corporate Counsel, December 13, 2013.

[17] Letters of inquiry from the SEC.