on Internal Control
Prepare for the changes
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework (2013 Framework). The 2013 Framework retains the core definition of internal control and the five components of internal control, while also including enhancements and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the original framework are now principles, which are associated with the five components, providing clarity for designing and implementing systems of internal control and for understanding requirements for effective internal control.
The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present,
functioning, and operating together in an integrated manner to have an effective system of internal control.
[Figure: internal control components (control environment, risk assessment, control activities) shown against organizational levels (entity level, division, operating unit, function)]
1.
2.
3.
4.
Monitoring activities
5.
Client considerations and next steps: The four-step approach
Risk assessment
6.
7.
8.
9.
Information and
communication
Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Plan and implement
Risk assessment
More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities
Considering the potential for fraud risk when assessing risks to the achievement of an organization's objectives
Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles
Requires management to specifically consider how OSPs are monitored
Understand and educate
Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics)
Requirements for ensuring quality of information (i.e., data integrity)
Key contacts
COSO will continue to make available the 1992 Framework until December 15, 2014, after which time it will consider it to be superseded. Companies applying and referencing COSO's internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 should consider COSO's transition guidance.
Rich Milo
AERS Principal
rmilo@deloitte.com
Deloitte & Touche LLP
John G. Giakouminakis
AERS Senior Manager
jgiakouminakis@deloitte.com
Deloitte & Touche LLP
Traci Mizoguchi
AERS Senior Manager
trmizoguchi@deloitte.com
Deloitte & Touche LLP
Jimmy Yu
AERS Senior Manager
jamesyu@deloitte.com
Deloitte & Touche LLP
17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing whether the principles are present and functioning)
Control environment
Principles
Control activities
Points of focus
Objectives
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Operations Objectives
External Financial Reporting Objectives
External Non-Financial Reporting Objectives
Points of focus
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Establishes policies and procedures to support deployment of management's directives
Establishes responsibility and accountability for executing policies and procedures
Performs in a timely manner
Takes corrective action
Performs using competent personnel
Reassesses policies and procedures
Information and communication
Points of focus
Compliance Objectives
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Considers various types of fraud
Assesses incentive and pressures
Assesses opportunities
Assesses attitudes and rationalizations
Assesses changes in the external environment
Assesses changes in the business model
Assesses changes in leadership
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and
independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and
regulations of public accounting.
Copyright 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
Internal Reporting Objectives
Points of focus
Principles
Risk assessment
Monitoring activities
Principles
Points of focus
Assesses results
Communicates deficiencies
Monitors corrective actions
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or
other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this document.