The new COSO framework recommends internal controls for legal use of software technology.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO[1]) is an independent private-sector initiative established to provide thought leadership to capital market participants and stakeholders in the areas of enterprise risk management, internal control and fraud deterrence.

The first edition of COSO’s Internal Control—Integrated Framework, published in 1992, is the principal standard that U.S. companies use to evaluate their internal controls for compliance with the Foreign Corrupt Practices Act (FCPA) and with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX).

COSO standards for internal control enjoy wide acceptance and use among multinational companies all over the world. Companies in Canada, China, Japan and Korea all refer to the COSO standards. For example, Japanese companies rely on the COSO Framework in preparing the internal control report that accompanies their Annual Securities Report, as required by the Financial Instruments and Exchange Law of 2007.

COSO in 2013

In May 2013, COSO released a major update of its Internal Control—Integrated Framework, which is being translated into nine languages.[2] As a result of BSA’s engagement, the 2013 COSO standard recognizes that businesses are more technology driven and includes specific language relating to the legal use of software:

  • “The methodology provides appropriate controls over changes to technology, which may involve . . . verifying the entity’s legal right to use the technology in the manner in which it is being employed . . . .”[3]

The updated framework supersedes the 1992 framework as of December 15, 2014. The U.S. Securities and Exchange Commission (SEC) has made it clear that it expects registrants to transition by the end of 2014 and has asked those that have not done so to disclose in their 2014 filings which framework they are still using. As such, adoption in 2014 is a top priority for companies.

Companies are often unaware that they are not in compliance with their software license agreements, or that such noncompliance represents a significant potential cost to their business. Timely monitoring of ongoing compliance with software licensing agreements is a cornerstone of sound technology controls and a first line of defense for cybersecurity: an organization that cannot account for what software is installed, and under what license, also cannot tell whether that software is patched, supported, or supposed to be there at all. BSA’s goal is to encourage companies to understand the value of ensuring software license compliance by having their auditors and advisors highlight the importance of implementing and verifying internal control procedures, pointing to COSO, among other things.

Principle 11

Principle 11 of the updated COSO internal control framework addresses general controls over information technology. It states that the organization selects and develops general control activities over technology to support the achievement of objectives. The points of focus supporting the principle state that the organization:

  • Determines dependency between the use of technology in business processes and technology general controls.
  • Establishes relevant technology infrastructure control activities.
  • Establishes relevant security management process control activities.
  • Establishes relevant technology acquisition, development and maintenance process control activities.

[1] COSO’s sponsoring organizations are: American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Internal Auditors, and Institute of Management Accountants.

[2] Arabic, Chinese (simplified and traditional), French, Italian, Japanese, Norwegian, Portuguese, Russian and Spanish.

[3] COSO, Internal Control—Integrated Framework: Framework and Appendices, at 100, May 2013.