As companies, directors (audit and risk committees), internal audit and independent auditors continue to gear up for COSO 2013, I am posting the bullet point outline below, without discussion, primarily for future reference and application. You will note that the COSO 2013 framework remains broad, lacking in detail and arguably vague. You can take any category and any principle and ask, "What does that mean?", "What are our responsibilities?" and "At what point have we satisfied our responsibilities?" For example, look at the Risk Assessment category. Methods or processes of risk assessment certainly have already become more involved. See, for example, my August 31, 2014 blog post discussion about the NIST Cybersecurity Framework and my paper outlining 20 risk management process steps: https://auditcommitteeupdate.files.wordpress.com/2014/07/risk-uncertainty-management-processes-oversight-dave-tate-esq-07052014.pdf.
More to follow. Dave Tate, CPA, Esq. (San Francisco / California)
COSO 2013 Internal Control Framework & Sarbanes-Oxley Act (SOX) Section 404
Three Categories of Objectives:
- Operations
- Reporting
- Compliance
The Five Integrated Components of Internal Control and Their 17 Principles:
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
* * * * * * *