ATTENTION: Risk Managers and Audit Directors! Do you know what is so important about December 15TH?
No, it’s not just the final countdown to holiday vacation. Rather, today the new COSO 2013 Framework officially supersedes the 1992 Framework. The COSO Framework is the most widely recognized and adopted enterprise risk 
management framework, and is the primary framework used by public companies for SOX compliance. If your organization uses the COSO framework for compliance, you need to understand the key changes that have been made in the latest revision.
Overall, the COSO 2013 framework is very similar to the original framework that was released in 1992, with the same five components of internal control. However, the new framework includes 17 principles with detailed guidance in the form of 77 points of focus.
Impact of COSO 2013
The new framework will absolutely have an impact on your current control environment. The level of impact, however, will depend on your organization’s risk management maturity and how closely aligned your risk management program is with the new principles and points of focus. At a high level, the largest changes will be experienced in the following areas.
- Entity-Level Controls – additional requirements for HR and Communications include:
- evaluation of performance and competency of control owners and performers;
- management structure including roles, responsibilities, and properly segregating duties; and
- internal and external communication about your control environment and deficiencies.
- Technology Reliance – leverage technology to perform more continuous monitoring over your control environment.
- Risk Management Program – ensure thatyourriskmanagementprogramaddressesall of the following areas:
- in-depth risk assessment, inclusive of organization, business processes, entities, locations, and functional areas;
- definition of risk tolerance;
- triggers for conducting a risk assessment; and
- fraud risk assessment.
- Vendor Risk – focus on oversight and performance monitoring of vendors.
These new requirements have the potential to increase the number of controls you will have to perform. They may also increase the level of documentation you will have to produce for the controls you already perform. This increase in documentation will be especially burdensome to organizations that attempt to manage their risk management program with spreadsheets and flat files. This is one of the major reasons why organizations are considering implementing governance, risk, and control (GRC) applications.
Using the ServiceNow IT GRC application makes it easier to centralize risk management processes, operationalize control activities, and automate audit evidence gathering. Centralizing risk management can significantly reduce cost, process overhead, and the risk of audit findings due to missing documentation.
COSO 2013 Timeline
To date, there has been no formal guidance from the Securities and Exchange Commission (SEC) or Public Company Accounting Oversight Board (PCAOB) as to when or if companies have to adopt the new framework. You should therefore sit down with your internal and external auditors to understand the impact to your 2015 fiscal year audit. Over the next year, external auditors will continue to release guidelines and requirements.
We suggest that you begin by performing a mapping exercise to identify gaps in your current control environment, if you have not done so already. Afterwards, design and implement control activities to fill the gaps. ServiceNow makes it easier to centralize, automate, and simply all of the activities required under the new framework.
More COSO 2013 News
Stay tuned, as Intreis GRC experts publish blogs on the changes you’ll see from COSO 2013, in each of the five components of internal control. They’ll also describe how an ITSM platform such as ServiceNow, can help with the new requirements for these areas.
In the next post, our GRC experts will define the Control Environment, its key principles, and the way it will change with COSO 2013. Don’t miss it!
Check Out the Entire COSO 2013 Series
COSO 2013: Control Environment
COSO 2013: Information and Communication
COSO 2013: Monitoring Activities
