Some respondents suggested including safeguarding of assets as a category of objectives based on established laws, rules, regulations, and standards. Others suggested that safeguarding of assets is part of each category of objectives.

The Framework retains safeguarding of assets as an operations objective, consistent with the original framework. The Internal Control—Integrated Framework, Addendum to Reporting Parties (May 1994) affirmed that the definition of internal control relates to operations, compliance, and financial reporting objectives, as set out in the original framework, and remains appropriate. The Addendum also concluded that when management reports on internal control over financial reporting there is a reasonable expectation that such reporting covers controls to help prepare financial statements and prevent or detect in a timely manner any unauthorized acquisition, use, or disposition of assets.

The Framework acknowledges that some laws, rules, regulations, and standards have established safeguarding of assets as a separate category of objective. When management reports on an entity's system of internal control, there may be established objectives or sub-objectives relating to physical security, prevention, or timely detection of unauthorized acquisition, use, or disposition of assets. The Framework retains the view that safeguarding of assets is primarily related to operations, but may be viewed within the context of reporting and compliance objective categories.

Some respondents suggested the addition of strategic objectives as a category of objectives. Some also suggested that this change was already made in Enterprise Risk Management–Integrated Framework (ERM Framework) and that the Framework should adopt a similar change.

The Framework retains operations, reporting, and compliance objective categories and the concept that strategic objectives are not part of internal control. Including strategy-setting and strategic objectives would require adding other concepts, including risk appetite and risk tolerance, to provide a complete discussion of this objective category. These concepts are more appropriate in the context of enterprise risk management, as discussed below.