Some respondents suggested that effective internal control can provide management and the board with more than an understanding of the extent to which operations are managed effectively and efficiently. Some respondents suggested that if operations objectives are specified with sufficient clarity and the limitations imposed by external events are either not significant or can be mitigated to an acceptable level, internal control can provide reasonable assurance of achieving those operations objectives.

The Framework has been updated to recognize that when external events are considered unlikely to have a significant impact on the achievement of objectives or where the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level, internal control can provide reasonable assurance that operations are being managed effectively and efficiently.

However, there may still be instances when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level. In those instances effective internal control can only provide management and the board with an understanding of the extent to which operations are managed effectively and efficiently.

Comments on the post-exposure version focused on the requirements for effective internal control and whether management can conclude that a system of internal control is effective when principles are not present and functioning. The Framework presumes that principles are relevant. However, there may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to the associated component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity. The Framework clarifies the requirement that relevant principles must be present and functioning to achieve effective internal control.

Respondents also requested clarification of the requirement that components operate together. A definition and further discussion was added to Chapter 3 on components operating together.

Some respondents expressed concern that including point of focus (named as attributes in the initial public exposure draft) may trigger an undesirable checklist mentality by management, auditors, and regulators. Other respondents requested clarity on whether the attributes represent requirements relating to whether principles are present and functioning or whether the Framework presumes that attributes are present and functioning.

The Framework now replaces the term "attributes" with "points of focus," consistent with the original framework, to reduce the perception that the use of points of focus is a requirement. The Framework clarifies the relevance of points of focus by positioning them as important characteristics of principles. The Framework allows management greater flexibility to exercise judgment in considering which points of focus are relevant for the entity. The Framework was revised to remove the presumption that points of focus must be in place and separately assessed.

Points of focus have been removed from Chapter 3, Effective Internal Control, to clarify that they are not to be considered requirements associated with the relevant principles. Instead, they are introduced and their relevance clarified in Chapter 4, Additional Considerations. Within the respective component chapters, they are listed after the principle to which they apply.

Some respondents suggested removing major and minor non-conformities, and using a consistent terminology for all categories of objectives in the Framework. Some suggested using terms "significant deficiency" and "material weakness" for all categories.

The Framework presents a revised terminology when generally referring to the severity of deficiencies, and uses the terms "internal control deficiencies" and "major deficiencies." However, for certain objectives, the Framework acknowledges that management should use only the relevant criteria established in laws, rules, regulations, and standards with respect to the severity classification of internal control deficiencies.