The document summarizes the updated 2013 COSO Internal Control-Integrated Framework, which retains the core definition and five components of internal control from the original framework but includes enhancements and clarifications. The key changes are that the original framework's fundamental concepts are now principles associated with the five components, and all 17 principles must be present and functioning for an effective system of internal control. The document also provides an overview of the 17 principles and related points of focus within the five components of internal control framework.

1. COSO 2013 Framework
on Internal Control
Prepare for the changes
2013 Framework and guidance — Key areas of focus
1. The organization demonstrates
a commitment to integrity and
ethical values.
2. The board of directors
demonstrates independence
from management and
exercises oversight of the
development and performance
of internal control.
3. Management establisheswith
board oversightstructures,
reporting lines, and appropriate
authorities and responsibilities
in the pursuit of objectives.
4. The organization demonstrates
a commitment to attract,
develop, and retain competent
individuals in alignment with
objectives.
5. The organization holds
individuals accountable for their
internal control responsibilities
in the pursuit of objectives.
6. The organization specifies
objectives with sufficient
clarity to enable the
identification and
assessment of risks relating
to objectives.
7. The organization identifies
risks to the achievement of
its objectives across the
entity and analyzes risks as
a basis for determining how
the risks should be
managed.
8. The organization considers
the potential for fraud in
assessing risks to the
achievement of objectives.
9. The organization identifies
and assesses changes that
could significantly impact
the system of internal
control.
10. The organization selects
and develops control
activities that contribute to
the mitigation of risks to the
achievement of objectives
to acceptable levels.
11. The organization selects
and develops general
control activities over
technology to support the
achievement of objectives.
12. The organization deploys
control activities through
policies that establish what
is expected and procedures
that put policies into action.
13. The organization obtains or
generates and uses
relevant, quality information
to support the functioning of
internal control.
14. The organization internally
communicates information,
including objectives and
responsibilities for internal
control, necessary to
support the functioning of
internal control.
15. The organization
communicates with external
parties regarding matters
affecting the functioning of
internal control.
16. The organization selects,
develops, and performs
ongoing and/or separate
evaluations to ascertain
whether the components of
internal control are present
and functioning.
17. The organization evaluates
and communicates internal
control deficiencies in a
timely manner to those
parties responsible for
taking corrective action,
including senior
management and the board
of directors, as appropriate.
The five components of internal control and related 17 principles
Client considerations and next steps: The four-step approach
Specific significant enhancements to internal control concepts included in the 2013 Framework
Risk assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may
be managed, and linkage between risk assessment and control activities
• Considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives
Outsources service providers (OSPs) • Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles
• Requires management to specifically consider how OSPs are monitored
Information technology (IT)
• Considerations related to IT are included in 14 out of 17 principles
• Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics)
• Requirements for ensuring quality of information (i.e., data integrity)
Key contacts
Rich Milo
AERS Principal
rmilo@deloitte.com
Deloitte & Touche LLP
John G. Giakouminakis
AERS Senior Manager
jgiakouminakis@deloitte.com
Deloitte & Touche LLP
Traci Mizoguchi
AERS Senior Manager
trmizoguchi@deloitte.com
Deloitte & Touche LLP
Jimmy Yu
AERS Senior Manager
jamesyu@deloitte.com
Deloitte & Touche LLP
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework “2013
Framework”. The 2013 Framework retains the core definition of internal control and the five components of internal control, while at the same time includes enhancements
and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the
original framework are now principles, which are associated with the five components, providing clarity for designing and implementing systems of internal control and for
understanding requirements for effective internal control.
The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present,
functioning, and operating together in an integrated manner to have an effective system of internal control.
Understand
and educate
Assess
Communicate
Plan and
implement
COSO will continue to make available the 1992 Framework until December 15, 2014, after which
time it will consider it to be superseded. Companies applying and referencing COSO’s internal
control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002
should consider COSO’s transition guidance.
Control environment Risk assessment Control activities
Information and
communication
Monitoring activities
Monitoring activities
Information and communication
Control activities
Risk assessment
Control environment
Entity
level
Division
Operating
unit
Function

2. Control environment
Principles Points of focus
1. The organization demonstrates a commitment to
integrity and ethical values.
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
2. The board of directors demonstrates independence
from management and exercises oversight of the
development and performance of internal control.
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight for the system of internal control
3. Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns, and limits authorities and responsibilities
4. The organization demonstrates a commitment to
attract, develop, and retain competent individuals in
alignment with objectives.
• Establishes policies and practices
• Evaluates competence and addresses shortcomings
• Attracts, develops, and retains individuals
• Plans and prepares for succession
5. The organization holds individuals accountable
for their internal control responsibilities in the pursuit
of objectives.
• Enforces accountability through structures, authorities, and responsibilities
• Establishes performance measures, incentives, and rewards
• Evaluates performance measures, incentives, and rewards for ongoing relevance
• Considers excessive pressures
• Evaluates performance and rewards or disciplines individuals
Risk assessment
Principles Objectives Points of focus
6. The organization specifies
objectives with sufficient
clarity to enable the
identification and
assessment of risks relating
to objectives.
Operations Objectives
• Reflects management’s choices
• Considers tolerances for risk
• Includes operations and financial performance goals
• Forms a basis for committing of resources
External Financial
Reporting Objectives
• Complies with applicable accounting standards
• Considers materiality
• Reflects entity activities
External Non-Financial
Reporting Objectives
• Complies with externally established standards and frameworks
• Considers the required level of precision
• Reflects entity activities
Internal Reporting
Objectives
• Reflects management’s choices
• Considers the required level of precision
• Reflects entity activities
Compliance Objectives
• Reflects external laws and regulations
• Considers tolerances for risk
7. The organization identifies risks to the
achievement of its objectives across the entity and
analyzes risks as a basis for determining how the
risks should be managed.
• Includes entity, subsidiary, division, operating unit, and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of management
• Estimates significance of risks identified
• Determines how to respond to risks
8. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
• Considers various types of fraud
• Assesses incentive and pressures
• Assesses opportunities
• Assesses attitudes and rationalizations
9. The organization identifies and assesses changes
that could significantly impact the system of
internal control.
• Assesses changes in the external environment
• Assesses changes in the business model
• Assesses changes in leadership
Control activities
Principles Points of focus
10. The organization selects and develops control
activities that contribute to the mitigation of risks to
the achievement of objectives to acceptable levels.
• Integrates with risk assessment
• Considers entity-specific factors
• Determines relevant business processes
• Evaluates a mix of control activity types
• Considers at what level activities are applied
• Addresses segregation of duties
11. The organization selects and develops general
control activities over technology to support the
achievement of objectives.
• Determines dependency between the use of technology in business process and
technology general controls
• Establishes relevant technology infrastructure control activities
• Establishes relevant security management process control activities
• Establishes relevant technology acquisition, development, and maintenance
process control activities
12. The organization deploys control activities through
policies that establish what is expected and
procedures that put policies into action.
• Establishes policies and procedures to support deployment of
management’s directives
• Establishes responsibility and accountability for executing policies and procedures
• Performs in a timely manner
• Takes corrective action
• Performs using competent personnel
• Reassesses policies and procedures
Information and communication
Principles Points of focus
13. The organization obtains or generates and uses
relevant, quality information to support the functioning
of internal control.
• Identifies information requirements
• Captures internal and external sources of data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits
14. The organization internally communicates
information, including objectives and responsibilities
for internal control, necessary to support the
functioning of internal control.
• Communicates internal control information
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication
15. The organization communicates with external
parties regarding matters affecting the functioning of
internal control.
• Communicates to external parties
• Enables Inbound Communications
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication
Monitoring activities
Principles Points of focus
16. The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain
whether the components of internal control are
present and functioning.
• Considers a mix of ongoing and separate evaluations
• Considers rate of change
• Establishes baseline understanding
• Uses knowledgeable personnel
• Integrates with business processes
• Adjusts scope and frequency
• Objectively evaluates
17. The organization evaluates and communicates
internal control deficiencies in a timely manner to
those parties responsible for taking corrective action,
including senior management and the board of
directors, as appropriate.
• Assesses results
• Communicates deficiencies
• Monitors corrective actions
17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing the whether the principles are present and functioning)
About Deloitte
Deloitte refers to one or more of Deloitte Touché Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and
independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touché Tohmatsu Limited and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and
regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touché Tohmatsu Limited
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or
other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this document.