On May 27, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a public exposure draft of its Corporate Governance Framework (CGF).  According to COSO’s press release announcing the exposure draft and inviting comment, the CGF is intended to provide “principles-based guidance for organizations to establish and strengthen governance practices, starting in the boardroom and cascading throughout the enterprise.”  The CGF was drafted in collaboration with the National Association of Corporate Directors.

COSO has previously issued two other frameworks – Internal Control-Integrated Framework and Enterprise Risk Management.  The public comment request for the CGF states that its goal is to “develop a recognized and respected governance framework that complements and aligns with existing COSO internal control (ICIF) and enterprise risk management (ERM) frameworks.”  The target audience for the CGF is U.S. public companies, although it also offers “valuable guidance” for private entities and public sector organizations. COSO intends the CGF to fill a gap in current guidance:

“While the U.S. leads in capital markets and exchanges, there has been no single, integrated, and comprehensive governance framework to guide boards, management, and stakeholders. Existing guidance is abundant but fragmented—what’s been missing is a unified, practical framework that connects the interrelated aspects of governance in a clear and actionable way.”

The structure of the CGF is similar to that of the ICIF and ERM frameworks. The CGF is organized around six Components -- Oversight, Strategy, Culture, People, Communication, and Resilience -- that represent the foundational elements of effective corporate governance.  The framework also includes 24 Principles.  Principles are broad statements of key corporate governance objectives.  Each Principle relates to one of the six Components.  Governance is effective when all Components and their related Principles are present, functioning, and operating together in an integrated manner.

The six CGF Components and their related Principles are set forth below:

Oversight

• Principle 1: Establish Board Structure and Exercise Oversight

• Principle 2: Appoint Board Leadership and Members

• Principle 3: Select CEO and Delegate Authority

• Principle 4: Establish Executive Structure and Effectively Manage

• Principle 5: Operate the Board Effectively

• Principle 6: Uphold Shareholder Rights and Accountability

Strategy

• Principle 7: Define Purpose and Core Values

• Principle 8: Develop and Communicate the Strategy

• Principle 9: Execute the Strategy

• Principle 10: Measure Performance Against Strategy and Adjust

Culture

• Principle 11: Establish and Model Culture and Behaviors

• Principle 12: Promote Ethics, Respect, and Open Communication

• Principle 13: Assess and Adapt Culture

People

• Principle 14: Deploy People Strategy and Succession Planning

• Principle 15: Manage People and Compensation

• Principle 16: Drive Performance and Development

Communication

• Principle 17: Commit to Information Quality

• Principle 18: Engage Stakeholders Strategically

• Principle 19: Communicate Effectively with Internal Stakeholders

• Principle 20: Communicate Effectively with External Stakeholders

Resilience

• Principle 21: Manage and Oversee Risks and Opportunities

• Principle 22: Manage Compliance Responsibilities

• Principle 23: Establish and Evaluate Internal Control

• Principle 24: Monitor Governance Effectiveness

While the CGF refers to the work of audit committees in several contexts, the central discussion of the role and responsibilities of the audit committee is under Principle 1 (Establish Board Structure and Exercise Oversight).  That discussion states:

“The audit committee oversees the entity’s financial reporting processes, internal control, and IA function, enabling IA’s independence through a direct reporting line to the audit committee. The committee’s core responsibilities include monitoring the integrity of financial statements, overseeing compliance with legal and regulatory requirements related to financial reporting, and assessing the effectiveness of internal control across financial, operational, and compliance areas. It engages with management and both internal and external auditors to approve significant accounting policies and audit plans, review findings, and to address risks, control deficiencies, and reporting issues. As part of its IA oversight, the committee also reviews and approves resource and budget plans, evaluates the function’s performance, and confirms that identified issues are appropriately addressed. In addition, the board typically delegates oversight of risk management processes to the audit committee--unless there is a board-level risk committee--either way confirming that a robust, coherent structure exists for identifying and managing key risks. While financial reporting risks remain central to its remit, the audit committee may also be delegated oversight of specific non-financial risks, such as cybersecurity, environmental compliance, or health and safety, depending on the entity’s risk governance structure. Broader or cross-cutting risks may be allocated to the full board or other committees, as appropriate. For information on board allocation of risk, refer to the Resilience Component.”

Audit Committee Takeaways

The COSO internal control and ERM frameworks are influential and widely followed.  Although the CGF will not have the force of law, it is likely to become a foundational articulation of the principles that define and enhance governance effectiveness.  Audit committees – and boards generally – may want to review the exposure draft and consider whether it is consistent with their company’s governance practices. Public comments on the exposure draft are due July 11.