
COSO 2013 Framework on Internal Control
Prepare for the changes

On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework (the 2013 Framework). The 2013 Framework retains the core definition of internal control and the five components of internal control, while at the same time including enhancements and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the original framework are now principles, associated with the five components, providing clarity for designing and implementing systems of internal control and for understanding the requirements for effective internal control.

The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present, functioning, and operating together in an integrated manner to have an effective system of internal control.

The five components of internal control and related 17 principles

[Cube graphic: the five components (Control environment, Risk assessment, Control activities, Information and communication, Monitoring activities) shown against the organizational levels Entity level, Division, Operating unit, and Function.]

Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Client considerations and next steps: The four-step approach
- Understand and educate
- Assess
- Plan and implement
- Communicate

2013 Framework and guidance: Key areas of focus

Specific significant enhancements to internal control concepts included in the 2013 Framework

Risk assessment
- More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities
- Considering the potential for fraud risk when assessing risks to the achievement of an organization's objectives

Outsourced service providers (OSPs)
- Considerations related to OSPs are included throughout the framework, including in 12 out of 17 principles
- Requires management to specifically consider how OSPs are monitored

Information technology (IT)
- Considerations related to IT are included in 14 out of 17 principles
- Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics)
- Requirements for ensuring quality of information (i.e., data integrity)

COSO will continue to make available the 1992 Framework until December 15, 2014, after which time it will consider it to be superseded. Companies applying and referencing COSO's internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 should consider COSO's transition guidance.

Key contacts

Rich Milo
AERS Principal
rmilo@deloitte.com
Deloitte & Touche LLP

John G. Giakouminakis
AERS Senior Manager
jgiakouminakis@deloitte.com
Deloitte & Touche LLP

Traci Mizoguchi
AERS Senior Manager
trmizoguchi@deloitte.com
Deloitte & Touche LLP

Jimmy Yu
AERS Senior Manager
jamesyu@deloitte.com
Deloitte & Touche LLP

17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing whether the principles are present and functioning)

Control environment

1. The organization demonstrates a commitment to integrity and ethical values.
   Points of focus:
   - Sets the tone at the top
   - Establishes standards of conduct
   - Evaluates adherence to standards of conduct
   - Addresses deviations in a timely manner

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
   Points of focus:
   - Establishes oversight responsibilities
   - Applies relevant expertise
   - Operates independently
   - Provides oversight for the system of internal control

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
   Points of focus:
   - Considers all structures of the entity
   - Establishes reporting lines
   - Defines, assigns, and limits authorities and responsibilities

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
   Points of focus:
   - Establishes policies and practices
   - Evaluates competence and addresses shortcomings
   - Attracts, develops, and retains individuals
   - Plans and prepares for succession

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
   Points of focus:
   - Enforces accountability through structures, authorities, and responsibilities
   - Establishes performance measures, incentives, and rewards
   - Evaluates performance measures, incentives, and rewards for ongoing relevance
   - Considers excessive pressures
   - Evaluates performance and rewards or disciplines individuals

Risk assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
   Points of focus, by category of objectives:
   Operations objectives
   - Reflects management's choices
   - Considers tolerances for risk
   - Includes operations and financial performance goals
   - Forms a basis for committing of resources
   External financial reporting objectives
   - Complies with applicable accounting standards
   - Considers materiality
   - Reflects entity activities
   External non-financial reporting objectives
   - Complies with externally established standards and frameworks
   - Considers the required level of precision
   - Reflects entity activities
   Internal reporting objectives
   - Reflects management's choices
   - Considers the required level of precision
   - Reflects entity activities
   Compliance objectives
   - Reflects external laws and regulations
   - Considers tolerances for risk

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
   Points of focus:
   - Includes entity, subsidiary, division, operating unit, and functional levels
   - Analyzes internal and external factors
   - Involves appropriate levels of management
   - Estimates significance of risks identified
   - Determines how to respond to risks

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
   Points of focus:
   - Considers various types of fraud
   - Assesses incentives and pressures
   - Assesses opportunities
   - Assesses attitudes and rationalizations

9. The organization identifies and assesses changes that could significantly impact the system of internal control.
   Points of focus:
   - Assesses changes in the external environment
   - Assesses changes in the business model
   - Assesses changes in leadership

Control activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
    Points of focus:
    - Integrates with risk assessment
    - Considers entity-specific factors
    - Determines relevant business processes
    - Evaluates a mix of control activity types
    - Considers at what level activities are applied
    - Addresses segregation of duties

11. The organization selects and develops general control activities over technology to support the achievement of objectives.
    Points of focus:
    - Determines dependency between the use of technology in business processes and technology general controls
    - Establishes relevant technology infrastructure control activities
    - Establishes relevant security management process control activities
    - Establishes relevant technology acquisition, development, and maintenance process control activities

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
    Points of focus:
    - Establishes policies and procedures to support deployment of management's directives
    - Establishes responsibility and accountability for executing policies and procedures
    - Performs in a timely manner
    - Takes corrective action
    - Performs using competent personnel
    - Reassesses policies and procedures

Information and communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
    Points of focus:
    - Identifies information requirements
    - Captures internal and external sources of data
    - Processes relevant data into information
    - Maintains quality throughout processing
    - Considers costs and benefits

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
    Points of focus:
    - Communicates internal control information
    - Communicates with the board of directors
    - Provides separate communication lines
    - Selects relevant method of communication

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
    Points of focus:
    - Communicates to external parties
    - Enables inbound communications
    - Communicates with the board of directors
    - Provides separate communication lines
    - Selects relevant method of communication

Monitoring activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    Points of focus:
    - Considers a mix of ongoing and separate evaluations
    - Considers rate of change
    - Establishes baseline understanding
    - Uses knowledgeable personnel
    - Integrates with business processes
    - Adjusts scope and frequency
    - Objectively evaluates

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
    Points of focus:
    - Assesses results
    - Communicates deficiencies
    - Monitors corrective actions

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
