Risk Chat: Where Do We Begin on the New COSO Framework?


Key principles in the updated version add more depth and substance to the criteria provided to management and the board in designing and evaluating effective internal control systems.

Jim DeLoach, a Protiviti managing director, has delivered advice on governance, risk management and compliance (GRC) matters for more than three decades. He also served on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Advisory Board that helped develop the Enterprise Risk Management – Integrated Framework, as well as on the COSO advisory council involved in the updated Internal Control – Integrated Framework.

DeLoach chatted via email about the key components of the updated Framework, which was issued May 14, and about how finance, GRC and internal audit professionals can get started understanding and responding to the new Framework.


Business Finance: Finance, risk and compliance professionals will want to know, first and foremost, how the updated framework differs from the previous version. Can you crystallize the most important facets of the update?


Jim DeLoach: The 2013 framework primarily differs from the 1992 version in two significant respects. First, key principles underlying the five components that were implicit in the 1992 version of the framework are now made explicit in the updated version. The principles add more depth and substance to the criteria provided to management and the board in designing and evaluating effective internal control systems.

Second, the framework has been brought up to date to reflect the current business and technological environment in which organizations operate today.


Business Finance: This is the result of extensive work, large amounts of input and careful consideration; remind us why there was a need for an update.


DeLoach: A lot has happened since the original version of the framework was issued in 1992. For example, there has been an increased focus on governance; greater attention to risk and risk-based approaches; deeper reliance on new and more complex technologies; adoption of more complex organizational structures (including outsourcing relationships); ever-expanding regulatory requirements; and the continuation of new and evolving reporting requirements that go beyond financial reporting.

In addition, we have seen the impact of spectacular, large-scale governance and internal control breakdowns, including the derivatives fiascos of the 1990s, Long-Term Capital Management, the Enron era and the more recent global financial crisis. While an internal control framework cannot possibly address all of these issues, the events that have transpired since COSO issued the 1992 version of the framework have pointed toward the wisdom of a refresh.


Business Finance: If you were a finance, risk, compliance or internal audit professional, where would you start in terms of learning about the new framework?


DeLoach: This one is easy. Start with understanding the 17 principles mapped to the five components. These principles remain broad, as they are intended to apply to for-profit companies (including publicly traded and privately held companies), not-for-profit entities, government bodies and other organizations. Together, the components and underlying principles constitute the criteria for designing and evaluating internal control. And pay attention to the transition period for converting from the 1992 version to the updated 2013 version.

Comments

Sello Hlalele, May 24, 2013:

The challenge for a COO is how the various components of the organization keep up the monitoring and impact of the new framework. As for the transition from the current framework to the new one, how can we better make that transition?

About Full Disclosure: GRC expert Eric Krell supplies the Business Finance community with in-depth articles and commentary examining governance, risk and compliance.