Table of Contents

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

PwC—Author

Principal Contributors

Advisory Council

Sponsoring Organizations Representatives

Members at Large

Regulatory Observers and Other Observers

Additional PwC Contributors

Foreword

1. Definition of Internal Control

Understanding Internal Control

Geared to the Achievement of Objectives

A Process

Effected by People

Provides Reasonable Assurance

Adaptable to the Entity Structure

2. Objectives, Components, and Principles

Introduction

Relationship of Objectives, Components, and the Entity

Objectives

Categories of Objectives

Operations Objectives

Safeguarding of Assets

Reporting Objectives

Relationship within Reporting Category of Objectives

Compliance Objectives

Overlap of Objectives Categories

Basis of Objectives Categories

Objectives and Sub-Objectives

Components and Principles of Internal Control

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring Activities

Internal Control and the Management Process

Internal Control and Objective-Setting

Limitations of Internal Control

3. Effective Internal Control

Requirements for Effective Internal Control

Suitability and Relevance of Components and Principles

Present and Functioning

Operating Together

Deficiencies in Internal Control

Other Considerations

4. Additional Considerations

Judgment

Points of Focus

Controls to Effect Principles

Organizational Boundaries

Technology

Larger versus Smaller Entities

Benefits and Costs of Internal Control

Benefits

Costs

Other Considerations in Determining Benefits and Costs

Documentation

5. Control Environment

Introduction

Demonstrates Commitment to Integrity and Ethical Values

Points of Focus

Tone at the Top and throughout the Organization

Standards of Conduct

Adherence and Deviations

Exercises Oversight Responsibility

Points of Focus

Authorities and Responsibilities

Independence and Relevant Expertise

Oversight by the Board of Directors

Establishes Structure, Authority, and Responsibility

Points of Focus

Organizational Structures and Reporting Lines

Authorities and Responsibilities

Limitation of Authority

Demonstrates Commitment to Competence

Points of Focus

Policies and Practices

Evaluate Competence

Attracting, Developing, and Retaining Individuals

Plans and Prepares for Succession

Enforces Accountability

Points of Focus

Accountability for Internal Control

Performance Measures, Incentives, and Rewards

Pressures

Performance Evaluation and Reward

6. Risk Assessment

Introduction

Risk Tolerance

Specifies Suitable Objectives

Points of Focus

Operations Objectives

External Financial Reporting Objectives

External Non-Financial Reporting Objectives

Internal Reporting Objectives

Compliance Objectives

Specifying Objectives

Operations Objectives

Goals and Resources

Reporting Objectives

External Financial Reporting Objectives

Complies with Accounting Standards

Qualitative Characteristics

External Non-Financial Reporting Objectives

Complies with Laws, Rules, Regulations Standards, and Frameworks

Considers Precision and Reflects Activities

Internal Reporting Objectives

Compliance Objectives

Identifies and Analyzes Risk

Points of Focus

Risk Identification

Considers Entity and Subunits

Internal and External Factors

Entity-Level Risks

Transaction-Level Risks

Risk Analysis

Levels of Management

Significance of Risk

Inherent and Residual Risk

Risk Response

Evaluating Risk Response Options

Selected Responses

Assesses Fraud Risk

Points of Focus

Types of Fraud

Fraudulent Reporting

Safeguarding of Assets

Corruption

Management Override

Factors Impacting Fraud Risk

Incentives and Pressures

Opportunity

Attitudes and Rationalizations

Other Considerations in Fraud Risk Assessment

Identifies and Analyzes Significant Change

Points of Focus

Assessing Change

External Environment

Business Model

Leadership Changes

7. Control Activities

Introduction

Selects and Develops Control Activities

Points of Focus

Integration with Risk Assessment

Relevant Business Processes

Entity-Specific Factors

Business Process Control Activities

Types of Transaction Control Activities

Technology and Control Activities

Control Activities at Different Levels

Segregating Duties

Selects and Develops General Controls over Technology

Points of Focus

Dependency between the Use of Technology in Business Processes and Technology General Controls

Technology General Controls

Technology Infrastructure

Security Management Processes

Technology Acquisition, Development, and Maintenance Processes

Deploys through Policies and Procedures

Points of Focus

Policies and Procedures

Timeliness

Corrective Action

Competence

Periodic Reassessment

8. Information and Communication

Introduction

Uses Relevant Information

Points of Focus

Information Requirements

Information from Relevant Sources

Processing Data through Information Systems

Information Quality

Communicates Internally

Points of Focus

Internal Control Communication

Internal Control Communication with Board

Communication beyond Normal Channels

Method of Communication

Communicates Externally

Points of Focus

External Communication

Outbound Communication

Inbound Communication to Management and the Board

Communication beyond Normal Channels

Method of Communication

9. Monitoring Activities

Introduction

Conducts Ongoing and/or Separate Evaluations

Points of Focus

Ongoing and Separate Evaluations

Rate of Change

Baseline Information

Ongoing Evaluations

Separate Evaluations

Knowledgeable Personnel

Separate Evaluation Approaches and Objectivity

Outsourced Service Providers

Evaluates and Communicates Deficiencies

Points of Focus

Assess Results

Communicating Internal Control Deficiencies

Monitoring Corrective Actions

10. Limitations of Internal Control

Preconditions of Internal Control

Judgment

External Events

Breakdowns

Management Override

Collusion

Appendices

A. Glossary

B. Roles and Responsibilities

Introduction

Responsible Parties

The Board of Directors and Its Committees

Senior Management

Chief Executive Officer

Other Members of Senior Management

Business-Enabling Functions

Risk and Control Personnel

Legal and Compliance Personnel

Other Personnel

Internal Auditors

External Parties

Outsourced Service Providers

Other Parties Interacting with the Entity

Independent Auditors

External Reviewers

Legislators and Regulators

Financial Analysts, Bond Rating Agencies, and the News Media

C. Considerations for Smaller Entities

Characteristics of Smaller Entities

Meeting Challenges in Attaining Cost-Effective Internal Control

Segregation of Duties

Management Override

Board of Directors

Information Technology

Monitoring Activities

D. Methodology for Revising the Framework

Background

Approach

E. Public Comment Letters

Definition of Internal Control

Reporting, Operations, and Compliance Objectives

Principles

Effectiveness

Achievement of Operations Objectives

Relevant Principles

Components Operating Together

Points of Focus

Classification of Internal Control Deficiencies

Objective-Setting

Objectives

Safeguarding of Assets

Strategic Objectives

Enterprise Risk Management

Smaller Entities and Governments

Technology

Structure and Layout

Due Process

F. Summary of Changes to the COSO Internal Control—Integrated Framework (1992)

Broadbased Changes

Achievement of Objectives

Changes to Components of Internal Control

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring Activities

Overall Framework Layout

G. Comparison with COSO Enterprise Risk Management—Integrated Framework

A Broader Concept

Categories of Objectives

Risk Appetite and Risk Tolerances

Portfolio View

Components

Summary of Similarities and Differences of Components

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring Activities