
PWC Pointsoffocus Explained

This document summarizes the components, principles, and points of focus of the COSO internal control framework. It outlines the five principles of the control environment component: 1) demonstrating commitment to integrity and values, 2) board oversight of internal control, 3) management structures and responsibilities, 4) commitment to competent personnel, and 5) accountability for internal control responsibilities. For each principle, it lists the related points of focus that further define how the principle can be implemented.

Uploaded by

shivaruban

www.pwc.com

The Updated COSO Internal Control-Integrated Framework

Appendix – Components, principles and points of focus
Appendix 1 – Components, principles and points of focus

Control Environment – Principles

1. The organization demonstrates a
commitment to integrity and ethical values.
2. The board of directors demonstrates
independence from management and
exercises oversight of the development and
performance of internal control.
3. Management establishes, with board
oversight, structures, reporting lines, and
appropriate authorities and responsibilities
in the pursuit of objectives.
4. The organization demonstrates a
commitment to attract, develop, and retain
competent individuals in alignment with
objectives.
5. The organization holds individuals
accountable for their internal control
responsibilities in the pursuit of objectives.

PwC
2

Control Environment – Principle #1 and Points of Focus

The organization demonstrates a commitment to integrity and ethical values.

• Sets the Tone at the Top—The board of directors and management at all levels of
the entity demonstrate through their directives, actions, and behavior the importance
of integrity and ethical values to support the functioning of the system of internal
control.
• Establishes Standards of Conduct—The expectations of the board of directors
and senior management concerning integrity and ethical values are defined in the
entity’s standards of conduct and understood at all levels of the organization and by
outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct—Processes are in place to
evaluate the performance of individuals and teams against the entity’s expected
standards of conduct.
• Addresses Deviations in a Timely Manner—Deviations from the entity’s
expected standards of conduct are identified and remedied in a timely and consistent
manner.

Control Environment – Principle #2 and Points of Focus

The board of directors demonstrates independence from management and
exercises oversight of the development and performance of internal control.

• Establishes Oversight Responsibilities—The board of directors identifies and
accepts its oversight responsibilities in relation to established requirements and
expectations.
• Applies Relevant Expertise—The board of directors defines, maintains, and
periodically evaluates the skills and expertise needed among its members to enable
them to ask probing questions of senior management and take commensurate actions.
• Operates Independently—The board of directors has sufficient members who are
independent from management and objective in evaluations and decision making.
• Provides Oversight for the System of Internal Control—The board of
directors retains oversight responsibility for management’s design, implementation,
and conduct of internal control…


Control Environment – Principle #3 and Points of Focus

Management establishes, with board oversight, structures, reporting lines,
and appropriate authorities and responsibilities in the pursuit of objectives.

• Considers All Structures of the Entity—Management and the board of directors
consider the multiple structures used (including operating units, legal entities,
geographic distribution, and outsourced service providers) to support the
achievement of objectives.
• Establishes Reporting Lines—Management designs and evaluates lines of
reporting for each entity structure to enable execution of authorities and
responsibilities and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities—
Management and the board of directors delegate authority, define responsibilities,
use appropriate processes and technology to assign responsibilities, and segregate
duties as necessary at the various levels of the organization, including board of
directors, senior management, management, personnel, and outsourced service
providers.


Control Environment – Principle #4 and Points of Focus

The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.

• Establishes Policies and Practices—Policies and practices reflect the
organization’s expectations of competence necessary to support the achievement of
objectives.
• Evaluates Competence and Addresses Shortcomings—The board of directors
and management evaluate competence across the organization and in outsourced
service providers in relation to established policies and practices, and acts as
necessary to address shortcomings.
• Attracts, Develops, and Retains Individuals—The organization provides the
mentoring and training needed to attract, develop, and retain sufficient competent
personnel and outsourced service providers to support the achievement of objectives.
• Plans and Prepares for Succession—Senior management and the board of
directors develop contingency plans for assignments of responsibility important for
internal control.

Control Environment – Principle #5 and Points of Focus

The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

• Enforces Accountability through Structures, Authorities, and
Responsibilities—Management and the board of directors establish the
mechanisms to communicate and hold individuals accountable for performance of
internal control responsibilities across the organization and implement corrective
action as necessary.
• Establishes Performance Measures, Incentives, and Rewards—
Management and the board of directors establish performance measures, incentives,
and other rewards appropriate for responsibilities at all levels of the entity, reflecting
appropriate dimensions of performance and expected standards of conduct, and
considering the achievement of both short-term and longer-term objectives.
• Evaluates Performance Measures, Incentives, and Rewards for Ongoing
Relevance—Management and the board of directors align incentives and rewards
with the fulfillment of internal control responsibilities in the achievement of
objectives.

Control Environment – Principle #5 and Points of Focus (Continued)

The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

• Considers Excessive Pressures—Management and the board of directors
evaluate and adjust pressures associated with the achievement of objectives as they
assign responsibilities, develop performance measures, and evaluate performance.
• Evaluates Performance and Rewards or Disciplines Individuals—
Management and the board of directors evaluate performance of internal control
responsibilities, including adherence to standards of conduct and expected levels of
competence and provide rewards or exercise disciplinary action as appropriate.


Risk Assessment – Principles

6. The organization specifies objectives with
sufficient clarity to enable the identification
and assessment of risks relating to
objectives.
7. The organization identifies risks to the
achievement of its objectives across the
entity and analyzes risks as a basis for
determining how the risks should be
managed.
8. The organization considers the potential for
fraud in assessing risks to the achievement of
objectives.
9. The organization identifies and assesses
changes that could significantly impact the
system of internal control.


Risk Assessment – Principle #6 and Points of Focus

The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.

External Financial Reporting Objectives

• Complies with Applicable Accounting Standards—Financial reporting
objectives are consistent with accounting principles suitable and available for that
entity. The accounting principles selected are appropriate in the circumstances.
• Considers Materiality—Management considers materiality in financial statement
presentation.
• Reflects Entity Activities—External reporting reflects the underlying transactions
and events to show qualitative characteristics and assertions.

Note that there are additional Points of Focus for non-financial external reporting, internal
reporting, operations, and compliance.


Risk Assessment – Principle #7 and Points of Focus


The organization identifies risks to the achievement of its objectives across
the entity and analyzes risks as a basis for determining how the risks should
be managed.

• Includes Entity, Subsidiary, Division, Operating Unit, and Functional
Levels—The organization identifies and assesses risks at the entity, subsidiary,
division, operating unit, and functional levels relevant to the achievement of
objectives.
• Analyzes Internal and External Factors—Risk identification considers both
internal and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management—The organization puts into place
effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified—Identified risks are analyzed
through a process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks—Risk assessment includes considering
how the risk should be managed and whether to accept, avoid, reduce, or share the
risk.

Risk Assessment – Principle #8 and Points of Focus

The organization considers the potential for fraud in assessing risks to the
achievement of objectives.

• Considers Various Types of Fraud—The assessment of fraud considers
fraudulent reporting, possible loss of assets, and corruption resulting from the various
ways that fraud and misconduct can occur.
• Assesses Incentive and Pressures—The assessment of fraud risk considers
incentives and pressures.
• Assesses Opportunities—The assessment of fraud risk considers opportunities for
unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting
records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations—The assessment of fraud risk
considers how management and other personnel might engage in or justify
inappropriate actions.


Risk Assessment – Principle #9 and Points of Focus

The organization identifies and assesses changes that could significantly
impact the system of internal control.

• Assesses Changes in the External Environment—The risk identification
process considers changes to the regulatory, economic, and physical environment in
which the entity operates.
• Assesses Changes in the Business Model—The organization considers the
potential impacts of new business lines, dramatically altered compositions of existing
business lines, acquired or divested business operations on the system of internal
control, rapid growth, changing reliance on foreign geographies, and new
technologies.
• Assesses Changes in Leadership—The organization considers changes in
management and respective attitudes and philosophies on the system of internal
control.


Control Activities – Principles

10. The organization selects and develops control
activities that contribute to the mitigation of
risks to the achievement of objectives to
acceptable levels.
11. The organization selects and develops general
control activities over technology to support
the achievement of objectives.
12. The organization deploys control activities
through policies that establish what is
expected and procedures that put policies into
place.


Control Activities – Principle #10 and Points of Focus

The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.

• Integrates with Risk Assessment—Control activities help ensure that risk
responses that address and mitigate risks are carried out.
• Considers Entity-Specific Factors—Management considers how the
environment, complexity, nature, and scope of its operations, as well as the specific
characteristics of its organization, affect the selection and development of control
activities.
• Determines Relevant Business Processes—Management determines which
relevant business processes require control activities.
• Evaluates a Mix of Control Activity Types—Control activities include a range
and variety of controls and may include a balance of approaches to mitigate risks,
considering both manual and automated controls, and preventive and detective
controls.


Control Activities – Principle #10 and Points of Focus (Continued)

The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.

• Considers at What Level Activities Are Applied—Management considers
control activities at various levels in the entity.
• Addresses Segregation of Duties—Management segregates incompatible duties,
and where such segregation is not practical management selects and develops
alternative control activities.


Control Activities – Principle #11 and Points of Focus

The organization selects and develops general control activities over
technology to support the achievement of objectives.

• Determines Dependency between the Use of Technology in Business
Processes and Technology General Controls—Management understands and
determines the dependency and linkage between business processes, automated
control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities—
Management selects and develops control activities over the technology
infrastructure, which are designed and implemented to help ensure the completeness,
accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Control Activities—
Management selects and develops control activities that are designed and
implemented to restrict technology access rights to authorized users commensurate
with their job responsibilities and to protect the entity’s assets from external threats.


Control Activities – Principle #11 and Points of Focus (Continued)

The organization selects and develops general control activities over
technology to support the achievement of objectives.

• Establishes Relevant Technology Acquisition, Development, and
Maintenance Process Control Activities—Management selects and develops
control activities over the acquisition, development, and maintenance of technology
and its infrastructure to achieve management’s objectives.


Control Activities – Principle #12 and Points of Focus

The organization deploys control activities through policies that establish
what is expected and procedures that put policies into action.

• Establishes Policies and Procedures to Support Deployment of
Management’s Directives—Management establishes control activities that are built
into business processes and employees’ day-to-day activities through policies
establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and
Procedures—Management establishes responsibility and accountability for control
activities with management (or other designated personnel) of the business unit or
function in which the relevant risks reside.
• Performs in a Timely Manner—Responsible personnel perform control activities
in a timely manner as defined by the policies and procedures.


Control Activities – Principle #12 and Points of Focus (Continued)

The organization deploys control activities through policies that establish
what is expected and procedures that put policies into action.

• Takes Corrective Action—Responsible personnel investigate and act on matters
identified as a result of executing control activities.
• Performs Using Competent Personnel—Competent personnel with sufficient
authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures—Management periodically reviews control
activities to determine their continued relevance, and refreshes them when necessary.


Information & Communication – Principles

13. The organization obtains or generates and
uses relevant, quality information to support
the functioning of internal control.
14. The organization internally communicates
information, including objectives and
responsibilities for internal control, necessary
to support the functioning of internal control.
15. The organization communicates with external
parties regarding matters affecting the
functioning of internal control.


Information & Communication – Principle #13 and Points of Focus

The organization obtains or generates and uses relevant, quality information
to support the functioning of internal control.

• Identifies Information Requirements—A process is in place to identify the
information required and expected to support the functioning of the other components
of internal control and the achievement of the entity’s objectives.
• Captures Internal and External Sources of Data—Information systems capture
internal and external sources of data.
• Processes Relevant Data into Information—Information systems process and
transform relevant data into information.
• Maintains Quality throughout Processing—Information systems produce
information that is timely, current, accurate, complete, accessible, protected, and
verifiable and retained. Information is reviewed to assess its relevance in supporting
the internal control components.
• Considers Costs and Benefits—The nature, quantity, and precision of information
communicated are commensurate with and support the achievement of objectives.


Information & Communication – Principle #14 and Points of Focus

The organization internally communicates information, including objectives
and responsibilities for internal control, necessary to support the functioning
of internal control.

• Communicates Internal Control Information—A process is in place to
communicate required information to enable all personnel to understand and carry
out their internal control responsibilities.
• Communicates with the Board of Directors—Communication exists between
management and the board of directors so that both have information needed to fulfill
their roles with respect to the entity’s objectives.
• Provides Separate Communication Lines—Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are
inoperative or ineffective.
• Selects Relevant Method of Communication—The method of communication
considers the timing, audience, and nature of the information.


Information & Communication – Principle #15 and Points of Focus

The organization communicates with external parties regarding matters
affecting the functioning of internal control.

• Communicates to External Parties—Processes are in place to communicate
relevant and timely information to external parties including shareholders, partners,
owners, regulators, customers, and financial analysts and other external parties.
• Enables Inbound Communications—Open communication channels allow input
from customers, consumers, suppliers, external auditors, regulators, financial analysts,
and others, providing management and the board of directors with relevant
information.
• Communicates with the Board of Directors—Relevant information resulting
from assessments conducted by external parties is communicated to the board of
directors.


Information & Communication – Principle #15 and Points of Focus (Continued)

The organization communicates with external parties regarding matters
affecting the functioning of internal control.

• Provides Separate Communication Lines—Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are
inoperative or ineffective.
• Selects Relevant Method of Communication—The method of communication
considers the timing, audience, and nature of the communication and legal,
regulatory, and fiduciary requirements and expectations.


Monitoring Activities – Principles

16. The organization selects, develops, and
performs ongoing and/or separate evaluations
to ascertain whether the components of
internal control are present and functioning.
17. The organization evaluates and communicates
internal control deficiencies in a timely
manner to those parties responsible for taking
corrective action, including senior
management and the board of directors, as
appropriate.


Monitoring Activities – Principle #16 and Points of Focus

The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are
present and functioning.

• Considers a Mix of Ongoing and Separate Evaluations—Management includes
a balance of ongoing and separate evaluations.
• Considers Rate of Change—Management considers the rate of change in business
and business processes when selecting and developing ongoing and separate
evaluations.
• Establishes Baseline Understanding—The design and current state of an internal
control system are used to establish a baseline for ongoing and separate evaluations.
• Uses Knowledgeable Personnel—Evaluators performing ongoing and separate
evaluations have sufficient knowledge to understand what is being evaluated.
• Integrates with Business Processes—Ongoing evaluations are built into the
business processes and adjust to changing conditions.


Monitoring Activities – Principle #16 and Points of Focus (Continued)

The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are
present and functioning.

• Adjusts Scope and Frequency—Management varies the scope and frequency of
separate evaluations depending on risk.
• Objectively Evaluates—Separate evaluations are performed periodically to provide
objective feedback.


Monitoring Activities – Principle #17 and Points of Focus

The organization evaluates and communicates internal control deficiencies in
a timely manner to those parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate.

• Assesses Results—Management and the board of directors, as appropriate, assess
results of ongoing and separate evaluations.
• Communicates Deficiencies—Deficiencies are communicated to parties
responsible for taking corrective action and to senior management and the board of
directors, as appropriate.
• Monitors Corrective Actions—Management tracks whether deficiencies are
remediated on a timely basis.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States
member firm, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.