Committee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.

Organizational Overview

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The Treadway Commission was originally jointly sponsored and funded by five main professional accounting associations and institutes headquartered in the United States: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). The Treadway Commission recommended that the organizations sponsoring the Commission work together to develop integrated guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring Organizations of the Treadway Commission.

The original chairman of the Treadway Commission was James C. Treadway, Jr., Executive Vice President and General Counsel of Paine Webber and a former Commissioner of the U.S. Securities and Exchange Commission; hence the popular name "Treadway Commission". David L. Landsittel is COSO's current Chairman; he replaced Larry E. Rittenberg.

History

Due to questionable corporate political campaign finance practices and foreign corrupt practices in the mid-1970s, the U.S. Securities and Exchange Commission (SEC) and the U.S. Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act (FCPA), which criminalized transnational bribery and required companies to implement internal control programs. In response, the Treadway Commission, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.

The Treadway Commission studied the financial information reporting system over the period from October 1985 to September 1987 and issued a report of findings and recommendations in October 1987, the Report of the National Commission on Fraudulent Financial Reporting. As a result of this initial report, the Committee of Sponsoring Organizations (COSO) was formed, and it retained Coopers & Lybrand, a major CPA firm, to study the issues and author a report regarding an integrated framework of internal control.

In September 1992, the four-volume report entitled Internal Control—Integrated Framework was released by COSO and later re-published with minor amendments in 1994. This report presented a common definition of internal control and provided a framework against which internal control systems may be assessed and improved. This report is one standard that U.S. companies use to evaluate their compliance with the FCPA. According to a poll by CFO Magazine released in 2006, 82% of respondents claimed they used COSO's framework for internal controls. Other frameworks used by respondents included COBIT (ISACA), AS2 (Auditing Standard No. 2, PCAOB), and SAS 55/78 (AICPA).

Key Concepts of The COSO Framework

The COSO framework involves several key concepts:
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy, manuals, and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Definition of Internal Control and Framework Objectives

The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

The Five Framework Components

The COSO internal control framework consists of five interrelated components derived from the way management runs a business. According to COSO, these components provide an effective framework for describing and analyzing the internal control system implemented in an organization as required by financial regulations (see the Securities Exchange Act of 1934). The five components are the following:

Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include integrity, ethical values, management's operating style, delegation of authority systems, and the processes for managing and developing people in the organization.

Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives; risk assessment is then the identification and analysis of the relevant risks to the achievement of those objectives, and it is a prerequisite for determining how the risks should be managed.

Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
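Segregation of duties is the one control activity in that list that can be checked mechanically against an access model. The following is an added example and not COSO material (COSO names the control but prescribes no implementation): it takes a constructed role-to-permission mapping and a constructed set of user role assignments, both assumptions for illustration, flags every identity whose effective permissions contain both halves of a declared conflict pair, and proposes the smallest set of roles to strip to clear the conflict.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not COSO's own material. The conflict pairs, roles and users
below are constructed sample data (assumptions for illustration).
"""
from itertools import combinations

# Constructed: pairs of duties that a single identity must never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"change.request", "change.deploy"}),
}

# Constructed: role -> permissions that role grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve", "payment.approve"},
    "developer": {"change.request"},
    "release_engineer": {"change.deploy"},
}

# Constructed: user -> roles held. Conflicts usually come from roles accumulating
# as people change jobs, not from any single role being badly designed.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},           # creates vendors and approves payments
    "carol": {"gl_accountant", "controller"},    # posts and approves journals
    "dave": {"developer"},
    "erin": {"developer", "release_engineer"},   # requests and deploys changes
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds; unknown roles grant nothing."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   conflicts=SOD_CONFLICTS):
    """Map each offending user to the sorted conflict pairs they hold in full.

    A pair counts only when the user's effective permissions contain both
    halves, whichever roles supplied them.
    """
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


def roles_to_remove(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                    conflicts=SOD_CONFLICTS):
    """Smallest set of roles whose removal clears all of the user's conflicts.

    Brute force over role subsets, smallest first; fine for the handful of
    roles one person holds. Returns an empty set when there is nothing to fix.
    """
    held = sorted(user_roles.get(user, set()))
    for k in range(len(held) + 1):
        for drop in combinations(held, k):
            remaining = {user: set(held) - set(drop)}
            if not sod_violations(remaining, role_permissions, conflicts):
                return set(drop)
    return set(held)


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: {pairs} -> remove {sorted(roles_to_remove(user))}")
```

The check is deliberately about effective permissions rather than role names, because the toxic combination in the sample data is never inside one role; it only appears once a person holds two. It detects a single identity holding both halves of a duty; two people who each hold one half and act together are the collusion case the Limitations section below describes, which no access-model check can see.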

Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. For example, formalized procedures exist for people to report suspected fraud. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders about related policy positions.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Limitations

Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

CFO magazine reported that companies are struggling to apply the complex model provided by COSO. "One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, those objectives are applied to five key components (monitoring, information and communication, control activities, risk assessment, and control environment). Given the number of possible matrices, it's not surprising that the number of audits can get out of hand." CFO magazine continued by stating that many organizations are creating their own risk-and-control matrix by taking the COSO model and altering it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

Enterprise Risk Management - Integrated Framework

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. The Internal Control – Integrated Framework continues to serve as the broadly accepted standard for satisfying those reporting requirements; however, in 2004 COSO published Enterprise Risk Management – Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

Four Categories of Business Objectives

This enterprise risk management framework is still geared to achieving an entity's objectives; however, it now includes four categories:
  • Strategic: high-level goals, aligned with and supporting its mission
  • Operations: effective and efficient use of its resources
  • Reporting: reliability of reporting
  • Compliance: compliance with applicable laws and regulations

Eight Framework Components

The eight components of enterprise risk management encompass the previous five components of the Internal Control-Integrated Framework while expanding the model to meet the growing demand for risk management:

Internal environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk response: Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and communication: Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

COSO believes the Enterprise Risk Management – Integrated Framework provides a clearly defined interrelationship between an organization's risk management components and objectives that will fill the need to meet new law, regulation, and listing standards and expects it will become widely accepted by companies and other organizations and interested parties.

Limitations

COSO admits in its report that while enterprise risk management provides important benefits, limitations exist. Enterprise risk management is dependent on human judgment and is therefore susceptible to poor decision making. Human failures such as simple errors or mistakes can lead to inadequate responses to risk. In addition, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity's objectives.

Although COSO claims its expanded model provides a broader treatment of risk management, companies are not required to switch to the new model if they are using the Internal Control – Integrated Framework.

COSO Guidance on Monitoring Internal Control Systems

Companies have invested heavily in improving the quality of their internal controls; however, COSO noted that many organizations do not fully understand the importance of the monitoring component of the COSO framework and the role it plays in streamlining the assessment process. In January 2009, COSO published its Guidance on Monitoring Internal Control Systems to clarify the monitoring component of internal control.

Over time effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner.

COSO’s Monitoring Guidance builds on two fundamental principles originally established in COSO’s 2006 Guidance:
  • Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time, and
  • Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.


The monitoring guidance further suggests that these principles are best achieved through monitoring that is based on three broad elements:
  • Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or “baseline” of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;
  • Designing and executing monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and
  • Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.
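The three elements above (a baseline, monitoring procedures run against persuasive information about a key control, and severity-rated reporting) can be made concrete for one control. The following is an added example, not part of COSO's guidance, which prescribes no tooling: the monitored control (every deployed production change needs an approver other than the requester), the change records, the baseline exception rate and the severity thresholds are all constructed assumptions for illustration.

```python
"""Ongoing monitoring of one key control from the evidence it leaves behind.

Added example, not COSO material. The control, the change records, the
baseline and the severity thresholds are constructed assumptions.
"""
from collections import Counter

# Constructed: what a change-management system might export for the period.
CHANGE_RECORDS = [
    {"id": "CHG-101", "requester": "dave", "approver": "erin",  "deployed": True},
    {"id": "CHG-102", "requester": "erin", "approver": "erin",  "deployed": True},   # self-approved
    {"id": "CHG-103", "requester": "dave", "approver": None,    "deployed": True},   # no approval at all
    {"id": "CHG-104", "requester": "dave", "approver": "carol", "deployed": False},  # not deployed yet
    {"id": "CHG-105", "requester": "erin", "approver": "dave",  "deployed": True},
]

# Constructed baseline: the exception rate observed when the control was last
# evaluated as effective. Drift above it is what ongoing monitoring looks for.
BASELINE_EXCEPTION_RATE = 0.05


def control_exceptions(records):
    """Deployed changes where two-person approval did not operate, with the reason.

    Only deployed changes are tested: the control is exercised at deployment,
    so an undeployed request is not yet evidence either way.
    """
    exceptions = []
    for r in records:
        if not r["deployed"]:
            continue
        if r["approver"] is None:
            exceptions.append((r["id"], "deployed without approval"))
        elif r["approver"] == r["requester"]:
            exceptions.append((r["id"], "self-approved"))
    return exceptions


def rate_severity(exceptions, tested, baseline=BASELINE_EXCEPTION_RATE):
    """Rate the finding as a monitoring report would.

    Thresholds are assumptions for illustration, not COSO thresholds: any
    deployment with no approval at all, or an exception rate more than four
    times the baseline, is treated as significant.
    """
    if tested == 0:
        return "no evidence"
    if not exceptions:
        return "operating effectively"
    reasons = Counter(reason for _, reason in exceptions)
    rate = len(exceptions) / tested
    if "deployed without approval" in reasons or rate > 4 * baseline:
        return "significant deficiency"
    return "deficiency"


def monitoring_report(records=CHANGE_RECORDS):
    """Assemble what goes upstream: population tested, exceptions, rate, severity."""
    tested = sum(1 for r in records if r["deployed"])
    exceptions = control_exceptions(records)
    return {
        "control": "two-person approval of production changes",
        "tested": tested,
        "exceptions": exceptions,
        "exception_rate": round(len(exceptions) / tested, 2) if tested else None,
        "severity": rate_severity(exceptions, tested),
    }


if __name__ == "__main__":
    for key, value in monitoring_report().items():
        print(f"{key}: {value}")
```

Run on a period's export instead of the constructed records, the report is the "persuasive information" the guidance asks for: it tests the control's actual operation rather than the existence of a policy, compares the result with a known-good baseline, and attaches a severity that decides who needs to hear about it and how quickly.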

The Role of Internal Audit

Internal auditors play an important role in evaluating the effectiveness of control systems. As an independent function reporting to top management, internal audit is able to assess the internal control systems implemented by the organization and contribute to their ongoing effectiveness. As such, internal audit often plays a significant monitoring role. In order to preserve its independence of judgment, internal audit should not take any direct responsibility for designing, establishing, or maintaining the controls it is supposed to evaluate. It may only advise on potential improvements to be made.

The Role of External Audit

Under Section 404 of the Sarbanes-Oxley Act, management and the external auditors are required to report on the adequacy of the company's internal control over financial reporting. Auditing Standard No. 5, published by the Public Company Accounting Oversight Board (PCAOB), requires auditors to "use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting".
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 