COSO Internal Control Framework Treadway Commission: PwC

COSO is an organization dedicated to providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence.



COSO releases draft update to its 2004 Enterprise Risk Management – Integrated Framework (Framework) for a public comment period ending on September 30th.

As part of COSO’s efforts to solicit public feedback in the development of the COSO Framework, we encourage you to download the updated draft Framework at and provide comments by September 30th.

The draft update, titled: Enterprise Risk Management – Aligning Risk with Strategy and Performance (updated Framework) reflects input from hundreds of business and risk professionals, senior executives and board members, academics and government representatives from across the globe.

Visit, your gateway to learn more about the major concepts and themes of the updated draft Framework and how they may impact your business.



Key developments within the COSO Internal Control Framework

In a separate initiative, COSO released the updated Internal Control–Integrated Framework in May 2013. The 2013 Framework superseded the original 1992 Framework and went into effect at the end of the transition period on December 15, 2014.

  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the updated Internal Control–Integrated Framework (2013 Framework) in May 2013. COSO announced that the 2013 Framework will supersede the original 1992 Framework at the end of the transition period (December 15, 2014).
  • The SEC commented that the Staff plans to monitor the transition for issuers using the 1992 Framework to evaluate whether and if any Staff or Commission actions become necessary or appropriate in the future. The Staff more recently commented that the longer issuers continue to use the 1992 Framework, the more likely they are to receive questions from the Staff about whether the issuer’s use of the 1992 Framework satisfies the SEC's requirement to use a suitable, recognized framework, particularly after December 15, 2014 when COSO will consider the 1992 Framework to have been superseded.
  • We strongly recommend that SEC Registrants subject to reporting requirements relating to internal control over financial reporting (ICFR) use the 2013 Framework for reporting periods ending on or after December 15, 2014. PCAOB Auditing Standard 5 requires external auditors to use the same internal control framework used by management to assess the design and operating effectiveness of the company’s ICFR.

Why the COSO Internal Control Framework is important

  • COSO’s primary objectives for updating the Internal Control—Integrated Framework included (i) clarifying requirements for effective internal control, (ii) addressing changes in business (e.g., globalization, use and dependence on technology, complexity) that introduce or elevate risk of achieving entity objectives, and (iii) encouraging users to apply internal control to additional entity objectives (such as regulatory reporting, operations and compliance).
  • The 2013 Framework describes two additional requirements (in italics) for an effective system of internal control:
    - Each of the five components of internal control and relevant principles is present and functioning
    - The five components of internal control operate together in an integrated manner
  • The seventeen principles set out in the 2013 Framework are fundamental concepts associated with the five components of internal control. These concepts were implicit in the 1992 Framework. The 2013 Framework explicitly requires that each relevant principle be present and functioning (i.e. designed and operating effectively) to demonstrate that all five components of internal control are present and functioning. The Firm has developed templates and guidance to help clients assess and document how the company’s ICFR satisfies the seventeen principles.
  • We do not believe the additional criteria fundamentally change what is required for an effective system of internal control over financial reporting. However, as management and internal auditors assess the design and operating effectiveness of the company’s ICFR in accordance with the 2013 Framework, they may identify internal control deficiencies that require remediation during 2014.


Select COSO news releases

COSO white paper explains how to leverage COSO framework across three lines of defense

This new COSO white paper advocates applying the Three Lines of Defense model for clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Functions that own and manage risks are the first line. Various risk control and compliance functions that monitor risks are the second line. Internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.

Contact us

Beth Paul
US Strategic Thought Leader, National Professional Services Group

David Schmid
IFRS & US Standard Setting Leader, National Professional Services Group

Follow us