Align your controls with COSO’s principles
A mapping exercise is one of the most important activities for any
organization implementing the updated 2013 internal control framework
of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), experts say.
The updated framework includes 17 newly described principles across
the five components of internal control that were present in the
original, 1992 framework. Mapping your principles to those controls—or
mapping the controls to your principles—is a key early procedure in
implementing the new framework, experts said last week at the AICPA
Conference on Current SEC and PCAOB Developments.
“Recognizing that there are now 17 criteria, not five—17 principles,
five components—we can understand why an organization may need to
reorganize … their internal controls to show how they actually support
each of these principles,” said Stephen Soske, CPA, who led PwC’s
efforts to author the framework update and related guidance.
Fourteen of the 17 principles relate to what Soske called the
“softer” components of internal control—control environment, risk
assessment, information and communication, and monitoring activities.
He predicted that these components are the ones organizations will be
more likely to redesign or document differently as a result of the
update by COSO, of which the AICPA is a founding member.
In the past, organizations have spent much more time designing
practices that fulfill the control activities component because they
are the first line of defense for preventing and detecting a material
misstatement, Soske said. The design issues associated with control
activities also are more likely to have been subject to audit scrutiny
than those associated with the softer components, according to Soske.
“We also recognize that some companies, as they map the controls to
these principles, have identified some design gaps,” he said. “And the
area that we would suggest they focus on would be perhaps in the
softer components where the design of indirect entity-level controls
could be reevaluated.”
The mapping exercise enables a registrant to demonstrate how its
system aligns with the 2013 COSO framework and supports management’s
internal control assertion, Soske said. In addition, the mapping
exercise serves as a gap assessment to show areas where the controls
do not support the principles.
There are two possible directions to the exercise, as organizations
can map the controls to the principles, or vice versa. AT&T
Director of Accounting Bill Schneider, CPA, CGMA, prefers mapping the
controls to the principles. He said it’s easier to discover gaps that
way because, if you start with the principles, you may be biased
toward finding a control to cover each of them.
But starting with the principles and mapping to the controls may
reinforce the idea that an individual control may help satisfy
“You don’t want to forget about that, because that’s really the gold
standard, if you have a control that can support multiple principles,”
said Schneider, a member of the COSO advisory task force. “It’s less
work from a document and testing standpoint, and you get more value
for your buck.”
Soske suggested using the “points of focus” for each of the
principles to assist the mapping exercise. Although it is not
necessary for all of the points of focus to be present at every
organization, they can help an organization determine how its internal
controls are aligned with the updated framework.
“You will then have a very good road map to build a bridge between
the controls you have designed … and how they would actually map to
the updated framework,” Soske said.
Ken Tysiac is a JofA senior editor.