Transitioning to the 2013 COSO Framework
June 24, 2015
Since the Committee of Sponsoring Organizations (COSO) issued its Internal Control — Integrated Framework (2013 Framework) in May 2013, many organizations have implemented the new framework to comply with the initial December 15, 2014 transition deadline. The 2013 Framework’s internal control components (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities) have not changed since the 1992 Framework was published. However, the 2013 Framework requires management to assess whether 17 principles are present and functioning, which is a change from the previous framework. Further, the 2013 Framework includes points of focus, which are important characteristics of the 17 principles and assist management with determining whether controls are properly present and functioning.
The COSO internal control framework is used widely by many public and private organizations. For public companies, the transition to the new 2013 Framework has impacted their compliance with the Sarbanes-Oxley Act (SOX). Public organizations are required to disclose which framework they are adhering to (whether 1992 or 2013), as some public organizations delayed implementing the new 2013 Framework. For other organizations, the transition to the 2013 Framework is recommended as the 1992 Framework is superseded.
The new 2013 Framework has given both public and private organizations an opportunity to re-evaluate their controls. Implementing the 2013 Framework requires stakeholders to evaluate the new framework and determine whether any gaps exist.
Mapping to the 2013 Framework
Public or private organizations that have not made the transition to the 2013 Framework should familiarize themselves with the changes it introduces. Although not required, it is recommended that organizations formally map their existing controls to the 17 principles and the applicable points of focus. The mapping should help evaluate the impact of implementing the 2013 Framework and identify any resulting control changes that would be necessary in their existing control environment. Completing the mapping process early in the internal control risk assessment process is critical: it should lead to timely identification of gaps and allow sufficient time for remediation. Key internal audit stakeholders and control owners should be involved in the mapping exercise to ensure that all relevant controls are captured and that the mapping is complete and accurate.
The most direct way to determine control gaps is by utilizing a robust mapping tool. A good mapping tool will include the points of focus and control examples from the COSO Compendium of Examples. The tool should also account for the fact that some controls can cover multiple principles and points of focus, but attention should be given to documenting how the control activity addresses the points of focus and related principles. Once all of the relevant points of focus are addressed by a control activity, organizations need to evaluate whether the controls are present and functioning. "Present and functioning" refers to evaluating the controls for design and operating effectiveness. The evaluation is a key factor when determining whether or not a deficiency exists.