Last month COSO (Committee of Sponsoring Organizations of the Treadway Commission) announced a project to modernize the COSO Internal Control - Integrated Framework.
According to COSO chairman David Landsittel, the core principles of the initial framework are still valid, and companies can of course continue to apply the current version. In his opinion, only the more detailed guidance and the examples are somewhat dated. He says: "This project is not intended to change how internal control is defined, assessed, or managed, but rather provide more comprehensive and relevant conceptual guidance and practical examples."
Let’s have a look at the history of the COSO frameworks:
The initial COSO framework (often called COSO I) was described in a document from 1992: Internal Control - Integrated Framework. Later, in 1994, it was republished with minor amendments. This report presented a common definition of internal controls and provided a unified approach for the evaluation of internal control systems. Since the SEC (U.S. Securities and Exchange Commission) later specifically mentioned the COSO Internal Control - Integrated Framework as an appropriate framework for the management of internal controls, many companies found, and still find, it safe to follow. In the initial version, the COSO framework looks at controls across three dimensions, which you can see in the following picture of the COSO I cube.
Years later, many business scandals and failures (like Enron (2001) and WorldCom (2002)) led to calls for enhanced corporate governance and risk management. In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the Enterprise Risk Management - Integrated Framework. It was published in 2004 and was developed together with PricewaterhouseCoopers (PwC).
In this extended framework, internal control is seen as an integral part of enterprise risk management (ERM). The framework expands on internal control concepts by providing a more robust focus based on the broader subject of enterprise risk management. To emphasize the importance of identifying and managing risks across the enterprise, some new components have been added to the COSO ERM framework, as you can see in the new cube.
(For more information about COSO ERM please also have a look here.)
So, to answer my question from the title: No, it will not be a completely new COSO framework.
The enhancements recently announced by COSO will also be based on the original framework from 1992 and will facilitate a more robust discussion of internal control. As before, COSO has engaged PwC to support its update of the framework, and the PwC team leader says: "Additionally, it will further explain the interconnections with the Enterprise Risk Management - Integrated Framework, the 2006 Internal Control over Financial Reporting - Guidance for Smaller Public Companies, and the 2009 Guidance on Monitoring Internal Control Systems."
Interesting, from my point of view, is that the updated framework will also be exposed for public comment. The idea is to capture any additional input from the general public. The release is planned for 2012, the 20th anniversary of the initial framework.
I am curious about the new enhancements.