COSO Internal Control—Integrated Framework 1992 vs. 2013

By December 31st 2014, companies that utilize the 1992 COSO Internal Control—Integrated Framework are expected to have fully transitioned to the 2013 framework.  If you are an organization that is required to report to the Securities and Exchange Commission, this change directly impacts you.  But when you look at what the framework represents, it is obvious that both public and private organizations of all sizes could benefit from adopting elements.  The purpose of the framework is to prevent and detect fraud.  It is a standard framework for designing, implementing, and conducting internal controls; as well as assessing the effectiveness of your current internal controls.

The standard was updated to account for the ongoing changes in the business environment, i.e. evolving technology, increased outsourcing, changing regulatory environment…  The most significant change in the 2013 framework from the 1992 framework was the addition of 17 principles and 77 focus areas.  These new items further define the five core areas – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.

 COSO 17 Principles

Elements that would be most applicable to small and medium sized entities include –

  • Control Environment – The entity demonstrates a commitment to integrity and ethical values. Senior Management is responsible to designate the individual(s) responsible to manage the satisfaction of reaching the entity’s internal control objectives; as well as continually developing the individual(s).


  • Risk Assessment –The entity sets its internal control objectives; as well as operations and financial goals. Externally the entity abides by frameworks, laws and regulations.  Internally, risks are identified and their significance established.  Approaches to respond to the risks are established.  Fraud and all the potential ways it can be committed are considered.


  • Control Activities – The entity develops control activities, which include segregation of duties, technology control activities, and policies and procedures.


  • Information & Communication – Obtain and generate information. Communicate this information internally and externally.


  • Monitoring Activity – On an ongoing basis, evaluate internal controls to understand their presence and effectiveness.


So how do you start?

Review the COSO Internal Control—Integrated Framework (Core areas, principles, and focus areas) to understand what elements apply to your situation; conduct an assessment of your organization, seek board/management approval on concept implementation, engage staff through training and communications, develop a transition plan, execute the plan, monitor success and adjust if required.

If you are looking to establish internal controls for the first time, it may make sense to bring in a third party that understands your industry and the common risks, which should be considered.  Team this individual up with an internal resource that understands your entity and your processes.

Additional posts on this subject include –

What is the proper way to roll-out an ethics program?

 Internal Audits – “Inspect what you Expect”

 The Best Way to Avoid Fraud is to Remove the Opportunity

 How Problematic is a Financial Restatement?

Update – WSJ (04/29/2015), “Almost three-fourths of the U.S. stock-listed companies that have filed 10Ks with the U.S. Securities and Exchange Commission since Dec. 15, 2014 have transitioned to using the updated COSO 2013 framework for reporting internal controls of their financial reporting requirements, said Bob Hirth, chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO Commission).”

Where are you in the process?

Author: Regis Quirin
Visit Regis's Website - Email Regis
Regis Quirin is a financial executive with 23 years of corporate experience, i.e. New York Stock Exchange, JP Morgan Chase, and GMAC ResCap; and 15 years working with small and medium-sized entities, i.e. joint ventures, start-up entities, established businesses. In 2014, Regis published "Redesign to Turnaround Underperforming Small and Medium-Sized Businesses" available via Amazon.

CFO Concerns 2015

In 2015, the CFO will continue to be tested in a challenging market.  After the Great Recession, growth has not returned to pre-recession levels.  The macro-economic environment is anything but stable.  In addition to individual concerns that are industry or market specific, following is a selection of issues that face all CFO’s regardless of the organization industry, size or geography.

Brand Protection – A new area of concern and focus will be brand protection.  Not the brand protection associated with intellectual property.  While that concern does exist with the growth of on-line market places, the brand protection in this context relates to avoiding blemishes to your brand associated with vendor mis-management.

In the normal course of business, companies purchase inputs for their products or services from external vendors.  Interacting with vendors is critical for all businesses.  However, third party vendors create a certain level of risk that should be controlled and managed.  What would be the impact on your organization if your vendor fails?

Consider the following – Defective air bags from a vendor are causing recalls to be issued for Honda, Toyota, Nissan and General Motors Co.; faulty ignition-switches are central to General Motors recalls and  a lawsuit.  One year after the announcement of a strategic partnership, an Apple vendor filed for bankruptcy.  Hackers breached the systems of both Target and Home Depot by going through vendors of the respective companies.

Update – Apple Watch: Faulty Taptic Engine Slows Rollout, WSJ (4/29/2015) – “A key component of the Apple Watch made by one of two suppliers was found to be defective, prompting Apple Inc. to limit the availability of the highly anticipated new product, according to people familiar with the matter.”

Vendor Management should be a part of your Business Continuity Plan.

Regulation and Taxation – The adoption of increased regulation is associated with increased costs.  With every change an organization is required to analyze the new regulation, develop a plan to implement the regulation, develop training for current staff, potentially be required to hire new staff, and monitor implementation.  It is for this reason that time is a very important element when adopting new regulations.

Patient Protection and Affordable Care Act

Healthcare is now moving into the next phase as penalties for not covering employees are set to take effect.    With respect to ensuring compliance with the law, employers must comply with certain IRS reporting and disclosure requirements, which are important for the administration of the individual and employer mandates.  This reporting will be required beginning in 2016 for coverage provided during the 2015 calendar year.  By January 31, 2016, you must provide a notice called the 1095 to everyone who was on payroll in 2015; as well as file a form called the 1094 with the IRS.

To alleviate the burden in 2016, it is recommended that the following steps be adopted – Review IRS Reporting requirements under Sections 6055 and 6056; determine what applies to your organization; determine the information that must be gathered; develop an approach; and establish a procedure to collect and maintain the data.  It will be far easier to collect data going forward then to scramble in January 2016 to complete a form.


In 2013, 55 tax provisions expired, of which 24 would be categorized as business provisions.  In 2014, 6 tax provisions are slated for expiration.  Of the six, three provisions relate to Alternative vehicle/fuel; while three provisions relate to defined benefit pensions.

It may make sense to review the 61 provisions, as Congress can extend them retroactively for 2014.

Debt Collection

The Consumer Financial Protection Bureau (CFPB) filed a lawsuit against a firm for its debt collection tactics ((  As stated in the law suit – “…the Firm operates less like a law firm than a factory. It relies on an automated system and non-attorney support staff to determine which consumers to sue. The non-attorney support staff produce the lawsuits and place them into mail buckets, which are then delivered to attorneys essentially waiting at the end of an assembly line. The Firm’s attorneys are expected to spend less than a minute reviewing and approving each suit.”

You cannot help but see the parallels between this situation and the robo-signing scandal relating to foreclosures which took off in 2010.  As a result of that scandal, in February 2013, a settlement deal was entered into with 13 banks over foreclosure abuses.  The cost of the settlement – $9.3 billion.

If you extend credit to your customers, which is required for almost all businesses, a certain amount of bad debt will result.  Now with the potential of legal action, it is more important to develop a strategy to efficiently and legally assert your rights of collection.

Optimizing the Business – When business is good, it is very easy to overlook inefficiency.  But if sales decline or stay static and costs continue to rise, profits must decline.  To thrive, a business must evolve and stay focused on optimizing business processes by removing inefficiencies and waste, to contain costs.

  • Focus on Cash Flow. Poor cash flow management will impact a business by constraining its ability to fill orders timely if inputs and/or inventory purchases are delayed; replacing outdated equipment; and, implementing process improvement which historically has upfront costs, prior to the savings.
  • Review product lines and services, to understand the profitability generated. The natural result will be an emphasis on the most profitable activities; while de-emphasizing the less profitable or money loosing activities.
  • Review customer/client relationships,to understand the relationship value. Obtaining a customer that becomes unprofitable is a common situation. It only becomes an error of management if you do not review the economics of each client periodically, or ignore the results after the review. If you discover that a client is unprofitable, try to correct the situation or walk away from the client.
  • Review and Improve Business Management and Production Processes. Process improvement is undertaken for a multitude of reasons which include – improve customer satisfaction, improve employee satisfaction, eliminate/contain non-value added costs.  Several back-office tasks should be consistently managed closely. More than likely these areas represent straight expense, but are critical to the successful management of any business, i.e. Accounting, Finance, Administration.

No doubt 2015 will be a challenging year.

Author: Regis Quirin
Visit Regis's Website - Email Regis
Regis Quirin is a financial executive with 23 years of corporate experience, i.e. New York Stock Exchange, JP Morgan Chase, and GMAC ResCap; and 15 years working with small and medium-sized entities, i.e. joint ventures, start-up entities, established businesses. In 2014, Regis published "Redesign to Turnaround Underperforming Small and Medium-Sized Businesses" available via Amazon.