In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control—Integrated Framework (the original framework). The original framework has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.

COSO is pleased to present the updated Internal Control—Integrated Framework (Framework). COSO believes the Framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments.

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control. The requirement to consider the five components to assess the effectiveness of a system of internal control remains unchanged fundamentally. Also, the Framework continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control.

At the same time, the Framework includes enhancements and clarifications that are intended to ease use and application. One of the more significant enhancements is the formalization of fundamental concepts that were introduced in the original framework. In the updated Framework, these concepts are now principles, which are associated with the five components, and which provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control.

The Framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects considerations of many changes in the business and operating environments over the past several decades, including:

This Executive Summary, provides a high-level overview intended for the board of directors, chief executive officer, and other senior management. The Framework and Appendices publication sets out the Framework, defining internal control, describing requirements for effective internal control including components and relevant principles, and providing direction for all levels of management to use in designing, implementing, and conducting internal control and in assessing its effectiveness. Appendices within the Framework and Appendices provide additional reference, but are not considered a part of the Framework. The Illustrative Tools for Assessing Effectiveness of a System of Internal Control, provides templates and scenarios that may be useful in applying the Framework.

In addition to the Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples has been published concurrently to provide practical approaches and examples that illustrate how the components and principles set forth in the Framework can be applied in preparing external financial statements.

COSO previously issued Guidance on Monitoring Internal Control Systems to help organizations understand and apply monitoring activities within a system of internal control. While this guidance was prepared to assist in applying the original framework, COSO believes this guidance has similar applicability to the updated Framework.

COSO may, in the future, issue other documents to provide assistance in applying the Framework. However, neither the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, Guidance on Monitoring Internal Control Systems, nor any other past or future guidance takes precedence over the Framework.

Among other publications published by COSO is the Enterprise Risk Management—Integrated Framework (ERM Framework). The ERM Framework and the Framework are intended to be complementary, and neither supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap. The ERM Framework encompasses internal control, with several portions of the text of the original Internal Control–Integrated Framework reproduced. Consequently, the ERM Framework remains viable and suitable for designing, implementing, conducting, and assessing enterprise risk management.

Finally, COSO would like to thank PwC and the Advisory Council for their contributions in developing the Framework and related documents. Their full consideration of input provided by many stakeholders and their insight were instrumental in ensuring that the core strengths of the original framework have been preserved, clarified, and strengthened.

David L. Landsittel
COSO Chair