Mon, Mar 9, 2020
By Protiviti KnowledgeLeader

Evolving Assurance: Key Updates to the COSO Integrated Control Framework

In January 2013, the updated version of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework went into effect. If you’re wondering what this model is, you probably work for a privately held corporation or a non-profit, or you are very new to internal audit.

The Internal Control — Integrated Framework, a product of primary and secondary research, was originally published in 1992. However, in 2002 the framework catapulted into the spotlight as a result of the Sarbanes-Oxley Act Section 404.

A lot has happened since the framework was first published in 1992. There have been several natural disasters around the world, including tsunamis, earthquakes, blizzards and hurricanes. Reliance on technology—particularly in the areas of internet dependency, networking, mobile device proliferation and cloud computing—has increased the risk of data leakage and identity theft. There has been increased financial globalization and interdependency: consider the impact of auction-rate security market failures and LIBOR rate rigging. Bernard Madoff and others have perpetrated significant frauds, increasing the need for fraud risk assessments and appropriate countermeasures. And of course, there has been a global impact from the Liquidity Crisis and the Eurozone Crisis, not to mention the effects of war and political unrest. It was time for a refresh so that the framework could remain contemporary and meaningful.

As part of the update, two noteworthy changes occurred that could (or should) affect your auditing methodology and organizational risk management practices:

  • The scope and definition of “reporting” as one of the dimensions of organizational goals
  • The articulation of principles associated with each of the components

Let’s consider each of these changes and their implications for your organization.


The original framework defined “internal control” as a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Following is the updated framework definition: “Internal control is a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance.”

Comparing the two definitions makes it easy to see that “financial” was dropped as the modifier, signaling that all reporting needs to be reliable. While this may seem an obvious point, in many organizations financial reporting—specifically the reporting associated with financial statement preparation—is given attention and priority, while the value and importance of non-financial or operational reporting are eclipsed, if not overlooked. Similarly, in many organizations, financial and financial reporting risks take priority over operational and compliance risk. And if it were a contest between compliance and operational risk, compliance would take priority because organizations want to avoid fines, penalties and sanctions.

The updated framework recognizes that the reporting of non-financial data is as important as the reporting of financial data. Non-financial data is used to make key business decisions that affect an organization’s financial condition. For example, consider the way your organization reports on the number of customer complaints, service calls, sales inquiries and potential prospects. Each of these activities is operational in nature and none directly affects the financial reporting process. Yet, if any of these were over or underreported, the organization could make erroneous decisions regarding expansion, consolidation or pricing. These decisions, in turn, would drive organizational behavior and ultimately affect financial performance. 

For internal audit departments, consider the extent to which the operational component of your organization’s objectives, and the associated risk, is prioritized when you formulate your annual audit plan. To what extent are operational considerations and risks the focus of individual audits? Also, consider to what extent your organization values control over non-financial information security and reporting. To what extent is attention focused solely on financial reporting?


In keeping with the adage, “what gets measured gets done,” the updated framework describes 17 principles associated with the five components, which make it easier to evaluate organizational effectiveness. Audit departments and organizations that have been COSO-compliant have probably defined their own criteria and behavioral indicators. By articulating these principles, the updated framework makes it easier for organizations—and the departments that comprise them—to achieve consistent implementation and assess their results.

Following is a summary of the principles by component:

Control Environment
  1. Commitment to integrity and ethical values is demonstrated.
  2. Oversight responsibility is exercised.
  3. Structure, authority and responsibility are established.
  4. Commitment to competence is demonstrated.
  5. Accountability is enforced.
Risk Assessment
  6. Relevant objectives are specified.
  7. Risk is identified and analyzed.
  8. Fraud risk is assessed.
  9. Significant changes are identified and analyzed.
Control Activities
  10. Control activities are selected and developed.
  11. General controls over technology are selected and developed.
  12. Policies and procedures deploy actions.
Information and Communication
  13. Relevant information is used.
  14. Internal communication is utilized.
  15. External communication is facilitated.
Monitoring Activities
  16. Ongoing and/or separate evaluations are conducted.
  17. Deficiencies are evaluated and communicated.

If you are already COSO-compliant, how do your organization’s current behavioral success indicators compare to the framework’s principles? If you are considering the framework’s adoption, the principles provide a clear starting point for your implementation efforts.


The world has sustained a lot of change since 1992 and internal control practices need to keep pace. The framework’s updates came at an opportune time and provide more prescriptive information, making it easier to achieve consistency in our internal control practices and evaluate their effectiveness.

The extent to which these changes matter depends on your organization’s structure and culture, and the degree to which your organization is COSO-compliant. 

If you are in a non-publicly traded environment, the updates may provide you with a clear road map to advance the enterprise risk management (ERM) culture within your organization. If you are contemplating the framework’s implementation, the addition of the 17 principles makes it easier to evaluate internal control effectiveness and determine the critical activities that comprise each internal control component.

If your organization is already COSO-compliant, these updates provide you with a basis for evaluating your audit methodology and may help you identify opportunities to enhance it. 
