COSO Releases Long-Awaited Update to Its Internal Control Framework

May 15, 2013

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence – announced yesterday that it has released its updated Internal Control – Integrated Framework (New Framework). Just over 20 years and eight months ago, COSO released its original version of this framework. Since then, this time-tested publication has gained broad acceptance and has been widely used, particularly as a suitable – and the predominant – framework in conjunction with reporting on the effectiveness of internal control over financial reporting by public companies listed in the United States in accordance with Section 404 of the Sarbanes-Oxley legislation. Today, this framework continues to be recognized as a leading resource for purposes of providing guidance on the design and evaluation of internal control.

Developed over a two-and-a-half-year period, the New Framework and related illustrative documents are intended to help organizations in their efforts to adapt to the increasing complexity and pace of change, to mitigate risks to the achievement of objectives, and to provide reliable information to support sound decision-making. The New Framework consists of an executive summary, the New Framework itself, several appendices, an applications guide providing illustrative tools, and a compendium of approaches and examples for application to internal control over financial reporting. For interested parties, the New Framework is available on the COSO website (

Objectives of the New Framework

One of COSO’s goals in updating the original framework was to reflect changes in the business and operating environments. For example, since the original version of the framework was issued in 1992, there has been an increased focus on governance, a greater attention to risk and risk-based approaches, deeper reliance on new and more complex technologies, adoption of more complex organizational structures and business models (including outsourcing relationships), ever-expanding regulatory requirements, and the continuation of new and evolving reporting requirements that go beyond financial reporting. In addition, we have seen the impact of spectacular, large-scale governance and internal control breakdowns, including the derivatives fiascos of the 1990s, Long-Term Capital Management, the Enron era and the more recent global financial crisis. These breakdowns have taught valuable lessons around a number of themes, e.g., the effects of management override, conflicts of interests, lack of segregation of duties, poor or nonexistent transparency, siloed risk management, ineffective board oversight, and unbalanced compensation structures that enable or drive dysfunctional and/or irresponsible behavior. While an internal control framework cannot possibly address all of these issues, the events that have transpired since COSO issued the 1992 version of the framework have pointed toward the wisdom of a refresh. The good news is that, in addressing the changes in the environment, COSO retains the core definition of internal control in the New Framework along with the five components of internal control that provide the face of the well-known three-dimensional “cube” (which is also retained, as shown). In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal control as in the original version of the framework and the underlying principles supporting the components (as discussed in the next paragraph). The other aspect of the New Framework that is unchanged is that it continues to emphasize the importance of management judgment in evaluating the effectiveness of an internal control system.

The New Framework focuses greater attention on principles. COSO has chosen to formalize more explicitly the principles embedded in the 1992 version of the framework that facilitate development of effective internal control and assessment of its effectiveness. While the 1992 version implicitly reflected the core principles of internal control, the 2013 version explicitly states 17 principles, each mapped to one of the five components, representing fundamental concepts associated with the five components of internal control. These principles remain broad, as they are intended to apply to for-profit companies (including publicly traded and privately held companies), not-for-profit entities, government bodies and other organizations. Supporting each principle are points of focus, representing characteristics associated with the principles. Together, the components and principles constitute the criteria and the points of focus provide guidance that will assist management in assessing whether the components of internal control are present and functioning and are operating together within the organization.

COSO has chosen to increase ease-of-use when applied to an entity objective. The 1992 version of the framework stated that objective-setting was a management process and that having objectives was a pre-condition to internal control. While the New Framework preserves that view, it moves the primary discussion to an earlier chapter from the chapter on risk assessment in order to emphasize the point that objective-setting is not part of internal control. In addition, the New Framework expands the reporting category of objectives to consider other external reporting beyond financial reporting, as well as internal reporting, both financial and non-financial. The 1992 version limited the reporting focus to external financial reporting.

Transitioning from the 1992 Framework

The COSO Board has stated that users should transition to the 2013 New Framework in their applications and related documentation as soon as is feasible given their particular circumstances. As the COSO Board believes that the key concepts and principles embedded in the original version of the framework are fundamentally sound and broadly accepted in the marketplace, it will continue to make available the original 1992 framework through December 15, 2014, after which time COSO will consider it as having been superseded. During the transition period, the COSO Board believes that application of its Internal Control – Integrated Framework for external reporting should clearly disclose whether the original or 2013 version was used.

Key Decisions

Companies applying the 1992 version of the framework in conjunction with their Sarbanes-Oxley compliance process and for other purposes have decisions to make regarding the following questions:

  • How do we evaluate the effectiveness of internal control?
  • When and how do we transition to the New Framework?
  • What do we communicate to the certifying officers regarding the New Framework?
  • What do we communicate to the audit committee regarding the New Framework?
  • What are the Sarbanes-Oxley implications in transitioning to the New Framework?
  • What do we do now?
  • Will there be a “street reaction” to companies that choose not to “early apply”?

Protiviti has published Issue 3 of Volume 5 of The Bulletin, in which we address frequently asked questions to provide insights on these and other important questions. Along with other resources, it is available at


Companies using the 1992 version of the COSO framework for their Sarbanes-Oxley compliance and for other purposes should familiarize themselves with the New Framework and companion materials, determine their transition plan, and communicate to the appropriate stakeholders the release of the New Framework and its implications to the organization. Other companies that desire to improve their internal control systems should make use of the New Framework to evaluate and enhance their internal controls.

About Protiviti

Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
