Please ensure Javascript is enabled for purposes of website accessibility

COSO’s Internal Control Framework Update Has Some Material Weaknesses

Oh my God. Last month, COSO released a post-public exposure version of its update of Internal Control – Integrated Framework. In February, George Lucas released Phantom Menace in 3D. Both of these caused nerds to cream their jeans. For Star Wars nerds who work in internal control, 2012 has been better than sex (a comparison that none of them truly understand). 

The rest of us wondered if either update was actually necessary.
 
Before I was a CPA, I was a math teacher. We periodically purchased new textbooks for our students. Math doesn't change, but the pictures in the margins do. It's very difficult to learn math nowadays with pictures of Alf, Michael Keaton as Batman, and the Millennium Falcon next to the words that no one reads. Today, math only make sense when adjacent to pictures of the guy from The Big Bang Theory, Christian Bale as Batman, and the Millennium Falcon. 
 
Similarly, the principles of internal control haven't changed. There's just slightly different shit surrounding it. 
 
Here are some of the mind-blowing changes to the internal control framework:
 
1. "While the original framework implicitly reflected the core principals of internal control, the 2012 version explicitly states the 17 principles."
 
I mean, it was principles-based before, but now, OMG, even people with minimal reading comprehension skills can see that it's principles-based. In contrast to the 1992 version, the new framework "considers expectations for competencies and accountability" because apparently 20 years ago, no one expected accountants to be competent. Bullshit.
 
2. "The original framework contained one chapter that presented the definition of internal control, the components of internal control, the relationship of objectives and components, and effectiveness. In the revised framework, these topics are covered in three different chapters."
 
Truly disruptive change. An update in the section on "Control Environment" included "clarifying the expectations of integrity and ethical values to reflect lessons learned." Because of Enron, we now understand that people are supposed to act with integrity, and lying can hurt people.
 
3. "[Changes to the Information and Communication component include] emphasizing the discussion of importance of quality of information." 
 
What the hell does that even mean? Is it the same discussion but now every sentence ends with an exclamation point?
 
4. "The title of [the fifth] component [of internal control] has been updated to Monitoring Activities." 
 
They changed it from "Monitoring." It's now "Monitoring Activities" to emphasize the fact that those internal controls ain't gonna monitor themselves. 
 
If your job requires a wonky command of the minutiae of internal control, you may benefit from the update. Technology continues to evolve, creating new risks that must be addressed, and it is much more common today for businesses to use "a wide network of third parties and business partners" that must be considered to maintain effective internal control.
 
Regardless, your life won't be changed materially by this update, and Jar Jar Binks is still unnecessary and annoying in 3D.