COSO issued its Internal Control framework in 1992 as the basis for designing and testing the effectiveness of internal controls. By 2010, updating the nearly 20-year-old framework was deemed necessary to give companies a more supportable approach when a third party, such as the SEC, challenges whether the company has effective internal controls. I believe the SEC will use the updated framework to review a company's compliance with the internal controls provisions of the FCPA. This means you need to understand what the COSO 2013 Internal Control Framework requires, and be able either to show adherence to it or to justify an exception, if you receive a letter from the SEC asking for evidence of your company's compliance with those provisions.
The COSO 2013 Internal Control Framework defines internal control through five Components, which it presents from bottom to top as: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring Activities. (The framework's three Objectives, operations, reporting and compliance, are separate from these Components.) From the five Components come 17 Principles, which we explore in more detail.
Three key takeaways:
- You must use the COSO 2013 Internal Control Framework, or a comparable framework, as the structure for your internal controls.
- The 2013 Internal Control Framework identifies five Components: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring Activities.
- Your internal controls must be sustainable.
For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.