Rita Crundwell, the former comptroller of Dixon, Illinois, stole over $53 million from a city of 16,000 people with an annual budget of $6 to $8 million. In the early 1990s she opened a secret bank account in the city's name and began transferring city funds into it, disguising the transfers as payments to the Illinois Department of Transportation. She used the money in that account to build one of the finest quarter horse ranches in the world.
The theft was simple. The damage was massive.
Losses from fraud and other risks can strike any organization that lacks sufficient internal controls. It is therefore imperative that your business, government, or nonprofit build a sound, working system of internal control.
Prior to 1992 (the year COSO’s internal control framework came into existence), internal control guidance was sparse. Accountants knew that controls were needed, but many had no model to follow.
COSO to the Rescue
The Committee of Sponsoring Organizations (COSO), made up of five member organizations including the AICPA, came together to develop an internal control framework that accountants could apply in any organization. That framework has served well for over twenty years, but changes in technology (e.g., cloud computing), the growth in laws and regulations (e.g., Sarbanes-Oxley), the increase in outsourcing (e.g., payroll), and the higher incidence of fraud made it apparent that the framework needed updating. So COSO did just that, releasing the updated framework in May 2013; the effective date of the new guidance is December 15, 2014.
The Hip Bone Connected to the Leg Bone
COSO added greater definition and guidance for the five internal control components first established in 1992:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
As the 1992 framework states, these five components must be integrated as a whole to create a healthy, safe control environment for businesses, nonprofits, and other organizations.
And what does this integration look like?
Every entity needs ethical leadership (the control environment). Those leaders identify the key risk areas, usually in terms of likelihood and dollar impact (risk assessment). Once the risk areas are known, controls are designed and implemented (control activities) to ensure that reliable financial information is produced and shared (information and communication). Lastly, the organization monitors the system to confirm that it all works as planned (monitoring).
Most auditors (and most people who design internal controls) emphasize the control activities component. The reason? Audit opinions relate to the financial statements, and deficiencies in control activities are what most often allow misstatements to occur. The result? The reporting of significant deficiencies and material weaknesses. When auditors issue control deficiency letters, they tend to focus on control activities, though those communications can and should also address deficiencies in the other four internal control components.
What changed in the new COSO framework?
Key changes in the 2013 framework include:
- The addition of 17 principles (each related to one of the five control components listed above)
- The addition of points of focus (each applicable to one of the 17 principles)
- An increased focus on fraud
- An increased focus on governance
- An increased focus on information technology
- An increased focus on compliance with laws and regulations
Why should I care about these changes?
Think of the COSO framework as the fountainhead of all that is good in internal control land. Once COSO speaks, other important bodies (e.g., the AICPA Auditing Standards Board) listen and absorb what it publishes. Remember SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, issued in 2006? Guess where its five control components (control environment, risk assessment, control activities, information and communication, and monitoring) came from? Don't be surprised if you see the 17 new COSO principles, and possibly the points of focus, embedded in future audit standards.
In any event, the new COSO guidance is a great starting point for any business or organization that wants to build a control system that identifies and mitigates risks.
Then disasters, like the one in Dixon, Illinois, can be avoided.
If you are interested in more information about the new COSO guidance, consider purchasing the book Executive’s Guide to COSO Internal Controls by Robert Moeller. Mr. Moeller provides a nice summary of the framework along with implementation steps.
You can buy the COSO Framework here.