The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has recently issued a proposed update to its internal control framework. The proposal is an effort to modernize COSO's nearly 20-year-old framework for designing, implementing and evaluating the effectiveness of an internal control system to manage risks to the achievement of organizational objectives. COSO seeks comment on its proposal through March 31, 2012.
The internal control framework has gained widespread acceptance by companies over the years. Although the basic construct of the framework has not changed, COSO has found it necessary to update it to reflect the evolution of corporate structures, processes and technologies. Accordingly, amendments have been proposed to reflect current thinking and practices in use to improve the effectiveness of internal control systems. One of the key proposed updates is the introduction of 17 "principles" and "attributes" that add clarity to the five components of internal control (discussed below).
Internal control is a process designed to provide "reasonable assurance" regarding the achievement of corporate objectives relating to (i) effectiveness and efficiency of operations, (ii) reliability of internal and external financial and nonfinancial reporting, and (iii) compliance with applicable laws and regulations, including the detection and prevention of fraud. Further, those objectives are achieved through implementation of five interrelated components, namely, (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities. The following describes each component as enhanced by the proposed clarifying principles and attributes noted above.
Control Environment. The control environment is the set of standards, processes and structures designed to manage risks that threaten the enterprise. The control environment comprises the integrity and values of the organization and management's oversight and tone at the top. It also includes a governance structure that attempts to ensure individual accountability and a process to attract, develop and retain competent people.
Risk Assessment. Risk assessment is the coordinated approach to identifying, assessing and managing risks that imperil the accomplishment of organizational objectives. The coordination of risk-assessment initiatives across the enterprise greatly enhances the completeness and quality of risk analysis. Risk assessment requires a consideration of the likely occurrence and potential impact of possible changes in the internal and external environments that may vitiate internal controls.
Control Activities. Control activities are policies, procedures, processes, systems and training designed to help mitigate risks to the achievement of corporate objectives. Control activities can include authorizations and approvals, verifications, reconciliations, performance reviews, security of assets, and segregation of duties.
Information and Communication. Management obtains, generates and uses relevant and quality information from internal and external sources to support the implementation of other components of internal control. Communication is the means by which internal and external information is disseminated throughout the organization and externally (as appropriate), which enables individuals to receive clear instructions from management on their responsibilities for internal control.
Monitoring Activities. Ongoing and separate evaluations are performed to ascertain whether the components of internal control are being implemented effectively. Findings are evaluated and internal control deficiencies are communicated to management and possibly the board of directors in a timely manner.
It should be emphasized that an effective system of internal control merely provides "reasonable assurance" regarding the achievement of corporate objectives. The best system of internal control does not guarantee success in accomplishing objectives, because management judgment can be flawed and individuals are prone to make errors and mistakes. Nevertheless, an effective control system will:
For more information on COSO's internal control proposal, or its application to your compliance and risk management programs, please contact any of the individuals listed, including Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 (email@example.com).
 COSO is a private sector organization dedicated to improving the quality of financial reporting, internal control, enterprise risk management and other aspects of organizational governance.
 Internal Control - Integrated Framework (December 2011), at www.ic.coso.org.