United States

What you need to know: Implementing the 2013 COSO Framework


On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control Integrated Framework (Framework) and related illustrative documents.  This update, the first since COSO's original 1992 Framework, contains a number of changes that may significantly impact the way your organization approaches internal controls, including implementation, monitoring and reporting.

The following is a high-level summary of the update.

Why was the Framework updated?

  • Business and operating environments have changed dramatically and are more complex, technically driven and global in scope.
  • Stakeholders are more engaged, seeking greater transparency and accountability for the integrity of the internal control systems that supports business decisions and governance.
  • Significant events have occurred over the past 20 years that have had a lasting impact on risks, control environments and control activities.

What did not change:

  • Core definition of internal control
  • The five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities)
  • The requirement to address all five components in an effective internal control environment
  • Importance of judgment in all aspects of internal control

What was added or revised:

  • Introduction of 17 principles aligned with the five components of internal control that are necessary for effective internal control
  • Addition of 81 points of focus supporting the 17 principles
  • Additional guidance around technology, antifraud, the use of third parties, and businesses with multiple or global locations
  • Clarification of the requirements for effective internal control and the role of objective setting in internal control
  • Expanded Reporting category of objectives, including financial, non-financial and operational
  • Consideration of the demands and complexities of laws, rules, regulations and standards
  • Approaches and examples for determining internal control effectiveness
  • Acknowledgement of changes in business and operating environments
  • Addition of "major deficiency" as a third type of deficiency
  • Enhancement of governance concepts

When is it effective?

  • The updated Framework will supersede the original Framework on Dec. 15, 2014.
  • Early implementation is encouraged.
  • During the transition, external reporting should disclose which Framework was used.

Recommended steps for implementation:

  • Familiarize team with 2013 Framework and provide training
  • Identify and educate the appropriate stakeholders to be involved in the transition
  • Map existing controls to the 2013 Framework principles
  • Prepare a gap analysis for the principles
  • Develop a plan to remediate identified gaps
  • Update methodology, tools, templates and relevant documentation

Implementation and transition to the 2013 Framework will take a fair amount of time and effort. Consider engaging the right resources and level of support from outside your organization in order to seamlessly implement and transition to the 2013 Framework without overburdening your internal resources.