Coso Framework 2013


Key changes to the 2013 COSO Framework

The fundamental internal control components of the original COSO Framework were retained in the updated 2013 Framework and include:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

However, the 2013 Framework includes a few significant changes, including:

Establishing 17 “principles” to describe each component of internal control
• All 17 principles must be “present and functioning” for a company’s system of internal control to be deemed effective.
• As a result, the 2013 Framework creates a more formal structure for the design and evaluation of the effectiveness of internal control.

Providing “points of focus” to support each of the 17 principles
• The points of focus are helpful when evaluating the design and operating effectiveness of a company’s controls to address the principles.

The Committee of Sponsoring Organizations of. 2013 Internal Control — Integrated Framework Released. COSO has issued the 2013. The implementation of the updated 2013 COSO Framework provides audit committees and management teams an opportunity to take a fresh look at internal.


Updating guidance within each of the components of internal control, including:
• The 2013 COSO Framework provides more detailed discussions about risk assessment concepts, including the explicit consideration of the potential for fraud and the importance of fraud risk assessments.
• The 2013 COSO Framework includes considerations related to IT and provides guidance for ensuring the quality of information.
• As clients increase their reliance on Outsourced Service Providers (OSPs), the 2013 COSO Framework provides guidance on third-party risk management and monitoring.

How we can help

Deloitte’s COSO specialists have extensive experience in internal control, serving global clients across all industries.

COSO implementation: Challenges and best practices

To truly unlock the value that can be achieved by adopting the 2013 Framework, clients should take a step back and evaluate how they are addressing risks to their organization in light of their company’s size, complexity, global reach and risk profile. When implementing the 2013 Framework, there is a difference between doing the minimum to address the framework’s principles and doing the right thing to effectively address the principles. Companies that choose to do the right thing may unlock value, reduce fraud risk, avoid financial reporting surprises and support sustained business performance over the long term.

The table below summarizes the 2013 Framework’s principles by component, and the bullets that follow list common challenges that companies are experiencing as they work to implement the framework.

Beyond ICFR: Using the Framework for operational and regulatory compliance

Use of the 2013 Framework outside the financial reporting context can provide helpful and necessary discipline to boards and audit committees as they address the increasingly complex array of risks they oversee. It can also provide management with a consistent and efficient framework to define, implement and monitor its control structure, helping to continually improve its overall risk management processes.

Clients can use the 2013 Framework to address:

Banking regulatory compliance
• Many banks and capital markets firms are applying the principles of the COSO framework to design quality-assurance review functions over operational and regulatory reporting. For more information about compliance trends in the financial services industry, see Deloitte’s.

Cyber security risks
• Principle 6 in the 2013 Framework provides several points of focus that give organizations perspective on how to evaluate their objectives in a manner that could influence the cyber risk-assessment process.

Supply-chain risk management
• As a result of certain regulatory and operational risks, such as food and product safety, conflict minerals and consumer discontent with product performance, companies have increased their focus on proactively identifying and managing risks in the supply chain. For more information, see Deloitte’s

Vendor management
Clients are using the 2013 Framework’s concepts to establish new programs or enhance existing ones to:
• Ensure that the OSPs understand management’s commitment to integrity and ethical values.

• Incorporate risks originating in the OSPs in the company’s risk assessment process.
• Develop monitoring procedures for key performance indicators related to service-level agreements as a means of identifying issues.

Change management
• Clients may want to consider developing a process to apply Principle 9 and related concepts when major changes are identified to sustain and continuously improve internal controls related to operational or regulatory compliance. See for more information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ('DTTL'), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities.