COSO - 2013 Internal Control Integrated Framework: Fred J. Peterson, Partner Moss Adams LLP

The COSO 2013 Internal Control Framework provides an updated guide for effective internal control. It addresses changes in the business environment since the original 1992 framework. The 2013 framework expands the objectives of internal control to include operations and compliance. It also provides more detailed principles and points of focus for each component of internal control. The framework is intended to help organizations strengthen internal control for all reporting objectives, not just financial reporting required by the Sarbanes-Oxley Act.


COSO – 2013 Internal Control Integrated Framework
FRED J. PETERSON, PARTNER
MOSS ADAMS LLP
Disclaimer

The material appearing in this presentation is for informational 
purposes only and should not be construed as advice of any kind, 
including, without limitation, legal, accounting, or investment 
advice. This information is not intended to create, and receipt 
does not constitute, a legal relationship, including, but not 
limited to, an accountant‐client relationship. Although this 
information may have been prepared by professionals, it should 
not be used as a substitute for professional services. If legal, 
accounting, investment, or other professional advice is required, 
the services of a professional should be sought. Content is not all 
inclusive.
Agenda
• Background
• What is COSO?
• Reasons for the New COSO Framework
• COSO 2013 Framework
• What Hasn’t Changed? What Has Changed?
• COSO 2013 Implementation Approach
• Phased Implementation Approach
• Practical Implementation Techniques, Common Gaps and 
Misconceptions
• Summary
• Questions
Background – What Is COSO?

• “Internal Control — Integrated 
Framework” is a four‐volume report 
first published in 1992
• Became the accepted framework 
following financial control failures of 
the early 2000’s
• Most widely adopted SOX 404 
framework in the U.S. as a “suitable, 
recognized control framework”
• Use under SOX 404 focused solely 
on the COSO “Financial Reporting” 
objective
Original “COSO 1992” Cube
Background – Reasons for a New
COSO Framework
• COSO 1992 was nearly 20 years old and becoming outdated.
• Changes in underlying business environment and associated risks including:
– Increased business risks; changing business models
– Greater use of shared services and outsourced service providers
– Complexity and change in rules, regulations, and standards
– Reliance on evolving technology
– Higher expectations for governance oversight, risk management, and 
detection and prevention of fraud from regulators and stakeholders
• Ongoing development and application of internal control framework such as:
– Enrichment of corporate governance and control concepts 
– Significant practical implementation of the COSO 1992 Framework
– Expansion beyond the strictly financial reporting component
• Transition to a principles‐based approach; codify prior implicit concepts
Background – Reasons for a New
COSO Framework
Refreshed objectives and the resulting enhancements:
• Address significant changes to the business environment and associated risks
– Enhancement: updated, enhanced and clarified Framework
• Codify criteria to use in the development and assessment of systems of internal control
– Enhancement: added principles and points of focus
• Increase focus on operations, compliance and non‐financial reporting objectives
– Enhancement: expanded internal and non‐financial reporting guidance
Result: COSO 2013
COSO 2013 Framework – Overview
• Sponsored and funded by the same five organizations as COSO 1992 and 
authored by PricewaterhouseCoopers
• Significant public comment and revisions to exposure drafts, in addition to 
the survey of over 700 stakeholders and users of COSO 1992
• COSO 2013 was released in May 2013 and supersedes the 1992 
Framework effective December 15, 2014
• Transitions COSO 1992 to a principles‐based framework
• Intended to include enhancements and clarification on the 1992 
Framework, including both structural and practical application changes
• SOX 404 compliance is not the sole or primary audience/ purpose for 
COSO 2013; broadens the concept of financial reporting
COSO 2013 Framework – Overview
What hasn’t changed...
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What has changed...
• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying the five components articulated as PRINCIPLES
• Additional approaches and examples relevant to operations, compliance, and non‐financial reporting objectives added
COSO 2013 Framework – What Has
Changed?
• 17 explicitly articulated principles associated with the 5 internal control 
components
– Objective: To increase Management’s understanding as to what 
constitutes effective internal control
• Added points of focus under each principle
– Represent important characteristics that support each principle
– Provide guidance to assist management in assessing whether the 
components of internal control are present, functioning, and operating 
together within the organization
– Provide a much more granular approach, including more detail and clarity 
on implementation
COSO 2013 Framework – What Has
Changed?
• A Visual Example of the Structural Hierarchy
3 Objectives
5 Components
17 Principles
87 Points of Focus

• An entity can achieve effective internal control if all principles are 
present and functioning and the control components are operating 
together
COSO 2013 Framework – Three
Objectives

• Operations
• Relates to achievement of basic mission and vision
• Reporting
• Relates to 1) external financial reporting, 2) external non‐financial 
reporting, and 3) internal financial and non‐financial reporting
• Compliance
• Relates to compliance with laws and regulations
COSO 2013 Framework – Components and
Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO 2013 Framework – What Else Has
Changed?

• Points of focus represent important characteristics of the 
respective principles and provide support to the principles to 
which they pertain
• Documenting or assessing points of focus is not required for 
effective internal control
• Not all of the points of focus relate to SOX considerations
COSO 2013 Framework – Drilling Down

Control Environment – Principle 1: Demonstrates a commitment to integrity and ethical values.

Points of Focus
a. Sets the tone at the top
b. Establishes standards of conduct
c. Evaluates adherence to standards of conduct
d. Addresses deviations in a timely manner

Approaches
a. Leading by example
b. Evaluates management and other personnel
c. Evaluates outside service providers
d. Develop process to report and promptly act on deviations from Standards of 
Conduct
COSO 2013 Framework – What Else Has
Changed?
• Increases the importance of the risk assessment
• Emphasizes the use of management judgment
• Increases relevance of technology
• Enhances discussion of governance concepts
– Board of Directors, Subcommittees of the Board (Audit 
Committees, Compensation Committees, Governance 
Committees, etc.)
• Expands reporting category
– Includes four types of reporting: both internal and external 
financial and non‐financial reporting objectives
– Establishes term internal control over external financial reporting 
(ICEFR) as found in the “Compendium”
COSO 2013 Framework – What Else Has
Changed?
• Enhances consideration of anti‐fraud expectations
– Considers the potential causes of fraud as a separate principle of 
internal control
• Increases the focus on non‐financial reporting objectives
– Expanded focus on operations, compliance, and non‐financial 
reporting objectives
• Increased discussion on the impact of other service organizations (e.g., 
service organizations, joint ventures, etc.)
• Enhances considerations for the use of relevant and quality information
COSO 2013 Implementation Approach
Phase I: Develop Awareness and Alignment
• Understand changes in the COSO Framework
• Establish objectives for performing the COSO 2013 implementation
• Identify implications of the new Framework on the company’s internal control structure
• Determine the extent of evaluation needed for full compliance
• Communicate with external auditor
• Communicate with Supervisory Committee

Phase II: Conduct Assessment
• Map the Framework’s 5 components and 17 principles to the existing internal key controls
• Evaluate whether the 5 components and 17 principles exist and are operating individually and together
• Document results of assessment and identify control gaps (if any)
• Identify and assess required changes (if any) in the company’s internal controls
• Communicate with external auditor and Audit Committee

Phase III: Update Documentation
• Update the internal control documentation
• Update the assessment and testing plan
• Conduct testing in conjunction with SOX 404 compliance testing (as needed) to determine if principles are present and functioning
• Communicate with external auditor and Supervisory Committee
COSO 2013 Implementation Approach –
A Practical Step-by-Step Guide
1. Create a matrix identifying relevant COSO components, principles and points of focus
2. Map existing entity‐level key controls (ELCs) to the relevant COSO 2013 principles, using the points of focus for additional detail/description
3. Identify where principles are not addressed by existing key controls or documentation
4. Develop a remediation plan to address design or documentation gaps
5. Document controls that map to each principle and conduct testing
Common Gaps Identified During COSO
2013 Mapping Implementation
• Lack of a documented risk assessment related to Internal Control Over 
Financial Reporting (ICFR) (Principle 7) 
• Not performing a fraud risk assessment; fraud has been identified as a 
separate principle of internal control (Principle 8)
• Inappropriate reliance on system‐generated data and reports, including 
non‐financial data and third‐party data (Principle 13)
• Over‐dependence on third‐party reporting (what COSO considers 
“different business models”) without evaluation of the underlying controls 
performed at the third party
• Informal evaluation and a lack of documentation/testing of the COSO 
components other than “Control Activities”
• Inadequate evaluation of internal control under COSO requirements of 
“present and functioning” and “working in an integrated manner”
• Lack of precision in Management Review Controls
Misconceptions About COSO 2013

• Myth: COSO 2013 requires a clean slate approach to SOX and all new 
controls.
– False. Many controls will remain unchanged. SOX business process and 
general computer controls fit in the “Control Activities” component of 
COSO which is largely unchanged by COSO 2013. Existing entity‐level 
controls should cover many (but not all) of the other COSO 
components.
• Myth: COSO 2013 is focused on management review controls and reports.
– False. This is a specific focus area of the PCAOB. While COSO 2013 is 
consistent with some of the PCAOB findings (e.g., system‐generated 
reports and data), it is different from the areas recently identified by 
the PCAOB as SOX 404 audit deficiencies.
Misconceptions About COSO 2013

• Myth: You can use all of your existing entity‐level control documentation 
to address COSO 2013 and no testing is required.
– False. Additional controls may be needed or require documentation 
based on your COSO 2013 mapping and assessment. Key controls will 
need to be tested, and COSO principles will need to be assessed to 
determine if they are present and functioning.
• Myth: COSO 2013 will change your testing and evaluation methodology.
– False. Neither COSO 1992 nor COSO 2013 specify testing methodologies 
(sample sizes, sample period, etc.).
Misconceptions About COSO 2013

• Myth: No changes are required to comply with COSO 2013.
– False. At a minimum, implementing COSO 2013 will require a mapping 
to the new framework. Implementation could include expanding efforts 
over certain COSO principles or points of focus.
Example Tools

• Indirect and Monitoring Entity Level Controls
• Direct Entity Level Controls and Process Level Controls
• Information Technology General Controls
• Management Reporting Controls
Indirect and Monitoring ELCs

• Four core COSO Components:
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring Activities
• These are broken into the 17 Principles (only about 14 apply to this level)
• These are subdivided into Points of Focus (some apply to multiple 
Principles, so about 60 subcategories exist)
• See partial example on next page
Indirect and Monitoring ELCs
Direct ELCs and Process-Level Controls

• Lists out the Control Activities
• Denotes automated vs. manual control
• Denotes significance of judgment
• There are four relevant Principles (#6 – suitable objectives overlaps with 
indirect ELCs)
• There are 10 relevant Points of Focus
• See partial example on next page
Direct ELCs and Process-Level Controls
Information Technology General Controls

• These should address the following:
• Access to Programs and Data
• Program Changes
• Program Development
• Computer Operations
• All key process‐level and direct ELCs that are automated controls should 
be mapped to ITGCs
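The five‐step mapping guide above (matrix, map ELCs to principles, find unaddressed principles, remediate, document and test) and the rule that every automated key control must be mapped to ITGCs are bookkeeping that goes wrong when kept by hand in a spreadsheet. The following is an added example, not code from the presentation or from Moss Adams: it encodes the five components and 17 principles exactly as listed on the “Components and Principles” slide and runs a gap check over a constructed control inventory, reporting principles no key control supports, components with no coverage at all, and automated controls that cite no ITGC. Control IDs, descriptions and ITGC reference IDs are constructed for illustration and are not from the slides.

```python
"""Gap check for a COSO 2013 mapping: key controls -> principles -> components.

Added example, not from the presentation. Component and principle names are
the ones listed on the "Components and Principles" slide; every control below
is constructed for illustration (IDs, descriptions and ITGC references).
"""
from dataclasses import dataclass

# The five components, each owning a contiguous range of principle numbers.
COMPONENTS = {
    "Control Environment": range(1, 6),
    "Risk Assessment": range(6, 10),
    "Control Activities": range(10, 13),
    "Information and Communication": range(13, 16),
    "Monitoring Activities": range(16, 18),
}

# The 17 principles, numbered as in COSO 2013.
PRINCIPLES = {
    1: "Demonstrates commitment to integrity and ethical values",
    2: "Exercises oversight responsibility",
    3: "Establishes structure, authority, and responsibility",
    4: "Demonstrates commitment to competence",
    5: "Enforces accountability",
    6: "Specifies relevant objectives",
    7: "Identifies and analyzes risk",
    8: "Assesses fraud risk",
    9: "Identifies and analyzes significant change",
    10: "Selects and develops control activities",
    11: "Selects and develops general controls over technology",
    12: "Deploys through policies and procedures",
    13: "Uses relevant information",
    14: "Communicates internally",
    15: "Communicates externally",
    16: "Conducts ongoing and/or separate evaluations",
    17: "Evaluates and communicates deficiencies",
}


@dataclass(frozen=True)
class Control:
    """One key control in the inventory (step 2 of the mapping guide)."""
    control_id: str
    description: str
    principles: frozenset           # principle numbers this control supports
    automated: bool = False         # automated controls must rely on ITGCs
    itgcs: frozenset = frozenset()  # hypothetical ITGC reference IDs


def component_of(principle: int) -> str:
    """Return the component that owns a principle number."""
    for name, numbers in COMPONENTS.items():
        if principle in numbers:
            return name
    raise ValueError(f"not a COSO 2013 principle: {principle}")


def gap_analysis(controls):
    """Step 3 of the guide plus the ITGC rule: report what nothing covers."""
    covered = {p for c in controls for p in c.principles}
    unknown = covered - set(PRINCIPLES)
    if unknown:  # a typo in the matrix would otherwise hide a real gap
        raise ValueError(f"controls cite non-existent principles: {sorted(unknown)}")
    unaddressed = sorted(set(PRINCIPLES) - covered)
    by_component = {}
    for p in unaddressed:
        by_component.setdefault(component_of(p), []).append(p)
    return {
        "unaddressed_principles": unaddressed,
        "unaddressed_by_component": by_component,
        "components_without_controls": [
            name for name, numbers in COMPONENTS.items() if not covered & set(numbers)
        ],
        "automated_without_itgc": sorted(
            c.control_id for c in controls if c.automated and not c.itgcs
        ),
    }


# Constructed inventory; not taken from the slides.
SAMPLE_CONTROLS = [
    Control("ELC-01", "Annual code-of-conduct acknowledgement", frozenset({1, 5})),
    Control("ELC-02", "Audit committee reviews ICFR results quarterly", frozenset({2, 16, 17})),
    Control("ELC-03", "Delegation-of-authority matrix approved by board", frozenset({3})),
    Control("ELC-04", "Annual ICFR risk assessment", frozenset({6, 7, 9})),
    Control("ELC-05", "Whistleblower hotline communicated to staff", frozenset({14})),
    Control("PLC-01", "ERP three-way match blocks unmatched invoices", frozenset({10, 12}),
            automated=True, itgcs=frozenset({"ITGC-ACC-01", "ITGC-CHG-01"})),
    Control("PLC-02", "Monthly review of system-generated AR aging", frozenset({10, 13}),
            automated=True),  # relies on a system report but cites no ITGC: a gap
]

if __name__ == "__main__":
    for key, value in gap_analysis(SAMPLE_CONTROLS).items():
        print(f"{key}: {value}")
```

On the constructed inventory the check flags principles 4, 8, 11 and 15 as unaddressed (no fraud risk assessment among them, the same gap the “Common Gaps” slide calls out) and PLC‐02 as an automated control with no ITGC behind the report it relies on; those lists are the input to the remediation plan in step 4.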
Management Reporting Controls

• Well‐designed MRCs cover the following:
• Availability of documentation
• Precision of the control
• Requisite knowledge of control operator
• Responsive to the identified risk
• Considers effects from internal and external factors
• Appropriately addresses management bias
• Uses high‐quality, relevant information (i.e. data)
• Control output is monitored and evaluated
• Consistently applied from period to period
SEC Disclosure and Compliance
Requirements
• As part of the COSO 2013 release in May 2013, COSO included a transition 
period from release through December 15, 2014.
• The SEC stated:
“The longer issuers continue to use the 1992 framework, the more likely they are 
to receive questions from the staff about whether the issuer’s use of the 1992 
framework satisfies the SEC’s requirement to use a suitable, recognized 
framework (particularly after December 15, 2014, when COSO will consider the 
1992 framework to have been superseded by the 2013 framework).” [2]
• Companies must clearly disclose in their internal control report which framework 
was utilized during the current transition period.
– For example “criteria established in the Internal Control – Integrated 
Framework 2013 issued by the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO).”
– Management and external auditor use the same framework.
• Companies must disclose material changes in internal control.
[2] http://www.thecaq.org/docs/reports‐and‐publications/2013septembe25jointmeetinghls.pdf
Resources – Internal Control-Integrated
Framework
• Three volumes:
– Executive Summary
– Framework and Appendices
– Illustrative Tools for Assessing 
Effectiveness of a System of 
Internal Control
• Sets out: 
– Definition of internal control
– Categories of objectives
– Components and principles of 
internal control
– Requirements for effectiveness
Resources – Internal Control over
External Financial Reporting
• Illustrates approaches and 
examples of how principles are 
applied in preparing financial 
statements
• Considers changes in business and 
operating environments during 
past two decades
• Provides examples from a variety 
of entities – public, private, not‐
for‐profit, and government
• Aligns with the updated 
Framework
Questions
Fred J. Peterson
Moss Adams LLP
Partner
503‐471‐1262
[email protected]
