COSO Internal Controls: The New Revised Framework
THE ORIGINAL 1992 COSO INTERNAL control framework, as well as some of the events that led up its release, was discussed in Chapter 2. As that chapter highlights, prior to the COSO internal control framework, there was no consistent and agreed-on definition of internal controls, in business, academic, or government circles, and no agreed-on understanding of the elements and activities needed to establish effective internal controls in an enterprise. This 1992 COSO internal control framework, shown in Exhibit 2.1, really changed our understanding and defined the concepts of internal controls. Starting with what some business professionals and external auditors first viewed as just an “interesting” definition, the COSO framework has become the guiding internal control measure, first in the United States and now worldwide.
During the 20 or so years of its life, the initial COSO internal control framework and concept have not changed, but business and technology have. Although all of these changes will be discussed in the following chapters, the growth of IT systems and technology, our increased emphasis on risk management and corporate governance, and enterprise globalization were all prime examples of the need for a COSO refreshment. When the original COSO internal controls framework was released in 1992, large mainframe-based computer systems were still common, and the Internet was not the enterprise support tool it is ...