COSO Placemat - Deloitte PDF
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework (“2013 Framework”). The 2013 Framework retains the core definition of internal control and the five components of internal control, while at the same time includes enhancements and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the original framework are now principles, which are associated with the five components, providing clarity for designing and implementing systems of internal control and for understanding requirements for effective internal control.

Prepare for the changes

The 2013 Framework presumes that because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present, functioning, and operating together in an integrated manner to have an effective system of internal control.

Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

[Figure: COSO cube showing the five components (control environment, risk assessment, control activities, information and communication, monitoring activities) across entity level, division, operating unit, and function.]

Client considerations and next steps: The four-step approach
[Figure: the four-step approach; step labels recovered from the page: Assess, Plan and implement.]

2013 Framework and guidance — Key areas of focus
Specific significant enhancements to internal control concepts included in the 2013 Framework

Risk assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities
• Considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives

Outsourced service providers (OSPs)
• Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles
• Requires management to specifically consider how OSPs are monitored

COSO will continue to make available the 1992 Framework until December 15, 2014, after which time it will consider it to be superseded. Companies applying and referencing COSO’s internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 should consider COSO’s transition guidance.

Key contacts
Rich Milo, AERS Principal, Deloitte & Touche LLP, rmilo@deloitte.com
John G. Giakouminakis, AERS Senior Manager, Deloitte & Touche LLP, jgiakouminakis@deloitte.com
Traci Mizoguchi, AERS Senior Manager, Deloitte & Touche LLP, trmizoguchi@deloitte.com
Jimmy Yu, AERS Senior Manager, Deloitte & Touche LLP, jamesyu@deloitte.com

17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing whether the principles are present and functioning)

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited