COSO’s 2013 integrated framework

With the vast advancements in technology, globalization and increasing complexity of operating environments that have transformed the way businesses operate today, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is making important updates to its integrated framework. The updates to the integrated framework are not meant to be a complete overhaul, but rather serve as more clarification to ease use and application of existing guidance. In order to discuss what’s changed, let’s first start with what will stay the same.

What’s the same?

The 5 main components of the original framework will remain intact.


These components continue to represent the requirements to achieve operational, reporting and compliance objectives throughout the organizational structure.

What’s new?

The new framework will include an articulation of 17 principles that are a part of the original 5 components of internal control. Each principle will be accompanied by explicit points of focus to enable users to accurately evaluate whether each principle is present & properly functioning. There is an improved level of specificity which may enable organizations with effective internal controls to simply refocus & refine their current approach & change documentation.

According to COSO Board Member, Doug Prawitt, “these 17 principles really don’t introduce new requirements into internal control. The 17 principles draw out of all of the guidance that was in the 1992 framework.”

Summary of updates.

The following represents the codification of the 17 principles embedded in the original framework:


  • Demonstrates commitment to integrity and ethical values
  • Exercises oversight responsibility
  • Establishes structure, authority, and responsibility
  • Demonstrates commitment to competence
  • Enforces accountability


Information + Communication
  • Use relevant information
  • Communicates internally
  • Communicates externally


Control Activities
  • Selects and develops control activities
  • Selects and develops general controls over technology
  • Deploys through policies and procedures


Risk Assessment
  • Specifies relevant objectives
  • Identifies and analyzes risk
  • Assesses fraud risk
  • Identifies and analyzes significant change


Control Environment
  • Conducts ongoing and/or separate evaluations
  • Evaluates and communicates deficiencies

Timeframe and disclosure.

The transition period from the 1992 version of the COSO framework to the 2013 updated version runs until December 15, 2014. During the transition period, organizations should disclose whether they are using the 1992 framework or the 2013 framework.

Additional resources.

Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition.

Download Full PDF Version here.