Implementing the Revised COSO Internal Control Framework

As we have stated in previous chapters, the COSO internal control framework is not a standard or firm set of rules requiring compliance but represents best practices guidance. In that context, COSO’s May 2013 revisions have introduced some changes to allow enterprises to better implement and understand their internal control processes. However, as part of its Sarbanes-Oxley Act (SOx) Section 404 internal control requirements, an enterprise is required to attest that its internal controls are in compliance with the COSO internal control framework. Yet with the new revisions to the framework, a manager might ask, “Which COSO framework should I use—the 1992 or the new version?”

To help in this process, COSO has outlined transition rules for converting to the revised internal control framework. In the final chapter of this book, we outline COSO’s prescribed transition rules for converting to the revised framework and attesting to their SOx Section 404 compliance. The revised standards do not require major changes to enterprise operating procedures, but enterprise executives should be aware of changes that need to be put in place.


Perhaps the most significant changes to the revised COSO framework are the 17 principles highlighted in Chapter 3 and discussed further in subsequent chapters. Each of these principles is assigned to one of the five components of internal control, ...
