
COSO 2013 Framework on Internal Control

On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework (the “2013 Framework”). The 2013 Framework retains the core definition of internal control and the five components of internal control, while at the same time including enhancements and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the original framework are now principles, which are associated with the five components, providing clarity for designing and implementing systems of internal control and for understanding the requirements for effective internal control.

Prepare for the changes

The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present, functioning, and operating together in an integrated manner for an entity to have an effective system of internal control.

The five components of internal control and related 17 principles

(The original page presents these as the COSO cube, whose components are Control environment, Risk assessment, Control activities, Information and communication, and Monitoring activities, applied across the entity structure levels Entity level, Division, Operating unit, and Function.)

Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Client considerations and next steps: The four-step approach

(The original page shows the four steps as a cycle: Understand; Assess; Plan and implement; Communicate and educate.)

2013 Framework and guidance — Key areas of focus

Specific significant enhancements to internal control concepts included in the 2013 Framework:

Risk assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and the linkage between risk assessment and control activities
• Considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives

Outsourced service providers (OSPs)
• Considerations related to OSPs are included throughout the framework, including in 12 out of 17 principles
• Requires management to specifically consider how OSPs are monitored

Information technology (IT)
• Considerations related to IT are included in 14 out of 17 principles
• Discussion of using IT to assist in continuous monitoring within the system of internal control (e.g., use of data analytics)
• Requirements for ensuring the quality of information (i.e., data integrity)

COSO will continue to make available the 1992 Framework until December 15, 2014, after which time it will consider it to be superseded. Companies applying and referencing COSO’s internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 should consider COSO’s transition guidance.

Key contacts
Rich Milo, AERS Principal, Deloitte & Touche LLP, rmilo@deloitte.com
John G. Giakouminakis, AERS Senior Manager, Deloitte & Touche LLP, jgiakouminakis@deloitte.com
Traci Mizoguchi, AERS Senior Manager, Deloitte & Touche LLP, trmizoguchi@deloitte.com
Jimmy Yu, AERS Senior Manager, Deloitte & Touche LLP, jamesyu@deloitte.com
17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing whether the principles are present and functioning)

Control environment

Principle 1. The organization demonstrates a commitment to integrity and ethical values.
Points of focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner

Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Points of focus:
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight for the system of internal control

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Points of focus:
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns, and limits authorities and responsibilities

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Points of focus:
• Establishes policies and practices
• Evaluates competence and addresses shortcomings
• Attracts, develops, and retains individuals
• Plans and prepares for succession

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Points of focus:
• Enforces accountability through structures, authorities, and responsibilities
• Establishes performance measures, incentives, and rewards
• Evaluates performance measures, incentives, and rewards for ongoing relevance
• Considers excessive pressures
• Evaluates performance and rewards or disciplines individuals

Risk assessment

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Points of focus, by category of objective:
Operations Objectives
• Reflects management’s choices
• Considers tolerances for risk
• Includes operations and financial performance goals
• Forms a basis for committing of resources
External Financial Reporting Objectives
• Complies with applicable accounting standards
• Considers materiality
• Reflects entity activities
External Non-Financial Reporting Objectives
• Complies with externally established standards and frameworks
• Considers the required level of precision
• Reflects entity activities
Internal Reporting Objectives
• Reflects management’s choices
• Considers the required level of precision
• Reflects entity activities
Compliance Objectives
• Reflects external laws and regulations
• Considers tolerances for risk

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Points of focus:
• Includes entity, subsidiary, division, operating unit, and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of management
• Estimates significance of risks identified
• Determines how to respond to risks

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of focus:
• Considers various types of fraud
• Assesses incentives and pressures
• Assesses opportunities
• Assesses attitudes and rationalizations

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Points of focus:
• Assesses changes in the external environment
• Assesses changes in the business model
• Assesses changes in leadership

Control activities

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of focus:
• Integrates with risk assessment
• Considers entity-specific factors
• Determines relevant business processes
• Evaluates a mix of control activity types
• Considers at what level activities are applied
• Addresses segregation of duties

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of focus:
• Determines dependency between the use of technology in business processes and technology general controls
• Establishes relevant technology infrastructure control activities
• Establishes relevant security management process control activities
• Establishes relevant technology acquisition, development, and maintenance process control activities

Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Points of focus:
• Establishes policies and procedures to support deployment of management’s directives
• Establishes responsibility and accountability for executing policies and procedures
• Performs in a timely manner
• Takes corrective action
• Performs using competent personnel
• Reassesses policies and procedures

Information and communication

Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Points of focus:
• Identifies information requirements
• Captures internal and external sources of data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Points of focus:
• Communicates internal control information
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Points of focus:
• Communicates to external parties
• Enables inbound communications
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication

Monitoring activities

Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Points of focus:
• Considers a mix of ongoing and separate evaluations
• Considers rate of change
• Establishes baseline understanding
• Uses knowledgeable personnel
• Integrates with business processes
• Adjusts scope and frequency
• Objectively evaluates

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Points of focus:
• Assesses results
• Communicates deficiencies
• Monitors corrective actions

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
