Applies a principles-based approach—The Framework focuses greater attention on principles. While the original framework implicitly reflected the core principles of internal control, the Framework explicitly states the seventeen principles, which represent the fundamental concepts associated with the components of internal control. These principles remain broad as they are intended to apply to (1) any category of objectives and (2) any type of entity, for-profit companies, both publicly traded and privately held companies; not-for-profit entities; government bodies; and other organizations. Supporting each principle are points of focus, representing important characteristics of principles.

Clarifies requirements for effective internal control—The components and principles comprise the criteria that will assist management in assessing whether an entity has effective internal control. The Framework requires that each of the components and relevant principles be present and functioning and the five components be operating together.

Expands the reporting category of objectives—The financial reporting objective category is expanded to consider other external reporting beyond financial reporting, as well as internal reporting, both financial and non-financial.

Clarifies the role of objective-setting in internal control—The original framework stated that objective-setting was a management process, and that establishing objectives is a precondition to internal control. The Framework preserves that view and expands the discussion on specifying objectives and considered suitability of established objectives. This discussion is included in Chapter 2, Objectives, Components, and Principles.

Considers globalization of markets and operations—Organizations expand beyond domestic markets in the pursuit of value, entering into international markets, and executing cross-border mergers and acquisitions. The Framework discusses changes in management operating models, legal entity structures, and related roles, responsibilities, and accountabilities for internal control at the entity and subunit level. In addition, it considers the identification and analysis of internal and external risk factors relating to mergers and acquisitions.

Enhances governance concepts—The Framework includes expanded discussion on governance relating to the board of directors and committees of the board, including audit, compensation, and nomination/governance committees.

Considers different business models and organizational structures—Business models and structures have evolved over the past twenty years, and many entities now expand their business models to encompass the use of outsourced service providers for products or services necessary to the ongoing operation of the entity. The competitive landscape, globalization, dynamic industry and technological changes, evolving business models, competition for talent, cost management, and other factors have required management to look beyond internal operations to access needed resources. The Framework explicitly considers the extended business model, including the responsibilities for internal control in this model and the achievement of effective internal control.

Considers demands and complexities in laws, rules, regulations, and standards—Regulators and standard setters promote greater stakeholder protection and confidence in external reporting through changes in laws, rules, regulations, and standards. The Framework recognizes the roles of regulators and standard-setters in establishing objectives and in providing criteria to assess the severity and to report internal control deficiencies.

Considers expectations for competencies and accountabilities—Demands for greater competence and accountability increase as organizations grow more complex, acquire entities, restructure, introduce new products and services, and implement new processes and technologies. Organizations may flatten and shift management operating models and delegate greater authority or accountability. The Framework broadens the discussion on these topics.

Reflects the increased relevance of technology—The number of entities that use or rely on technology has grown substantially since 1992, along with the extent that technology is used in most entities. Technologies have evolved from large standalone mainframe environments that process batches of transactions to highly sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes, and technologies. The change in technology can impact how all components of internal control are implemented.

Enhances consideration of anti-fraud expectations—The original framework considered fraud, although the discussion of anti-fraud expectations and the relationship between fraud and internal control was less prominent. The Framework contains considerably more discussion on fraud and also considers the potential of fraud as a principle of internal control.