Five Things Not-For-Profit Organizations Should Know About the New
COSO Internal Framework

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated Internal Control-Integrated Framework. COSO’s original Framework was issued in 1992 and has since been adopted by numerous organizations in establishing internal controls.

Many not-for-profit organizations are familiar with the concepts of the original Framework based on their past experiences with financial statement audits. Beginning in the mid-1990s, the auditing profession has used the original Framework in analyzing most organizations’ internal controls.

Additionally, the OMB Circular A-133, which applies to many not-for-profit organizations that receive Federal grant awards, has required auditors to use the original Framework in evaluating internal controls. As a result of these and other factors, the original Framework is one of the most widely adopted internal control frameworks used today.

However, the world has changed significantly since the early 1990s – from increased globalization to more reliance on technology to changing regulations. The new Framework was created to refresh the original Framework and ensure its continued relevance in the future.

Below are five key things to know about the new Framework:

1. Core Concepts Remain Unchanged. The definition of internal control stayed essentially the same. It is defined as “a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” The focus continues to be on those three objective categories: operations, reporting, and compliance. Additionally, the new Framework retains the five components of internal control, which are the control environment, risk assessment, control activities, information and communication, and monitoring activities. The requirement that each of these five components is present and functioning for an effective internal control system remains the same. As a result, the criteria to assess the effectiveness of an organization’s internal controls are relatively unchanged.

2. Codification of Underlying Principles. The original Framework provided implicit concepts on the core principles of internal control. To help users better understand what constitutes effective internal control, the new Framework codifies 17 principles associated with the five components of internal control. These broad-based principles help support the criteria used in establishing internal controls. In addition, these principles are reinforced by 79 total points of focus that provide guidance in designing, implementing, and conducting internal control and in assessing whether relevant principles are present and functioning.

3. Increased Role of the Reporting Objective. As noted above, the three categories of objectives for internal control are operations, reporting, and compliance. The original Framework focused on financial reporting. The new Framework, however, expands the focus to both financial and non-financial reporting and both internal and external reporting. As a result, this change essentially leads to coverage of all reporting aspects within an organization.

 4. More Relevant Context to Today’s Environment. The new Framework, which along with the appendixes is documented in over 170 pages, has updated the context to today’s environment. Specifically, the context has considered changes in expectations for governance oversight, globalization of markets and operations, complexities in business, complexities in various laws, rules, regulations, and standards, expectations for competencies and accountabilities, use of and reliance on technologies, and, finally, expectations relating to preventing and detecting fraud. Each of these areas has significantly changed over the past 20 years, thus the new Framework was updated to better address these changes.

5. Original Framework Will Transition out in 2014. COSO believes the underlying concepts and principals of the original Framework are still fundamentally sound today. However, after December 15, 2014, COSO will consider the original Framework superseded. In other words, the new Framework will be the framework referenced from that point forward. Maintaining a sound control environment is a critical component of mitigating risks. The design of internal control is impacted by the size and complexity of the organization. Not-for-profit organizations large and small should consider the new Framework in evaluating and updating their internal controls. Consistent with the original Framework, judgment is an important part of this process. The updated Framework is available at
Maxine Romano can be reached at 215-441-4600, or Email.