In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control—Integrated Framework (the original framework). The original framework has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.

COSO is pleased to present the updated Internal Control—Integrated Framework (Framework). COSO believes the Framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments.

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control. The requirement to consider the five components to assess the effectiveness of a system of internal control remains fundamentally unchanged. Also, the Framework continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control.

At the same time, the Framework includes enhancements and clarifications that are intended to ease use and application. One of the more significant enhancements is the formalization of fundamental concepts that were introduced in the original framework. In the Framework, these concepts are now principles, which are associated with the five components, and which provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control.

The Framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects considerations of many changes in the business and operating environments over the past several decades, including:

An Executive Summary provides a high-level overview intended for the board of directors, chief executive officer, and other senior management. This Framework and Appendices publication sets out the Framework, including the definition of internal control, requirements for effective internal control including components and relevant principles, and direction for all levels of management in designing, implementing, and conducting internal control and in assessing its effectiveness. Included within the Framework and Appendices publication are ten chapters that constitute the Framework.

Appendices within the Framework and Appendices publication provide reference, but are not considered a part of the Framework. The Illustrative Tools for Assessing Effectiveness of a System of Internal Control provides templates and scenarios that may be useful in applying the Framework.

In addition to the Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples has been published concurrently to provide practical approaches and examples that illustrate how the components and principles set forth in this Framework can be applied in preparing external financial statements.

COSO previously issued Guidance on Monitoring Internal Control Systems to assist organizations in understanding and applying monitoring activities within a system of internal control. While this guidance was prepared to help in applying the original framework, COSO believes that it has similar applicability to the updated Framework. COSO may, in the future, issue other documents to provide assistance in applying the Framework. However, neither the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, Guidance on Monitoring Internal Control Systems, nor any other past or future guidance takes precedence over the Framework.

Among other publications published by COSO is the Enterprise Risk Management—Integrated Framework (ERM Framework). The ERM Framework and the Framework are intended to be complementary, and neither supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap. The ERM Framework encompasses internal control, with several portions of the text of the original framework reproduced within that document. The ERM Framework remains a viable and suitable framework for designing, implementing, and conducting and assessing the effectiveness of enterprise risk management.

Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing the Framework and related documents. Their full consideration of input provided by many stakeholders and their insight were instrumental in ensuring that the core strengths of the original framework have been preserved, clarified, and strengthened.

David L. Landsittel
COSO Chair