COSO 2013 Framework – Where Are We Now?

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Internal Control - Integrated Framework (2013 Framework), which is an update to the original Internal Control Framework issued by COSO in 1992 (1992 Framework). The 1992 Framework provided guidance that was adopted by a vast majority of companies, both public and private, as the framework used to evaluate their internal controls. However, over time, the 1992 Framework did not keep current with many challenges in today’s environment such as advances in technology, increased use of outsourced service providers and increased expectations for governance oversight.

The 2013 Framework was intended to refresh and modernize the 1992 Framework, while ensuring it remained relevant. The 2013 Framework formalized fundamental concepts underlying COSO’s five components of internal control into 17 principles. The concepts behind these 17 principles were included in the 1992 Framework but are now more pronounced in the 2013 Framework. Further defining the principles are points of focus that provide practical considerations as to how a bank might design and implement controls to address each principle.


As of December 31, 2014, many banks and other SEC registrants have implemented the 2013 Framework to assess the effectiveness of their internal control over financial reporting for the Sarbanes-Oxley Act of 2002 (SOX) and Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) purposes. Generally, the implementation process begins with “mapping” the bank’s current key internal controls over financial reporting to the 17 principles included in the 2013 Framework, in order to identify any principles that were not addressed by the controls. Many refer to this process as identifying “gaps.” In most cases for banks, controls were typically in place to address those gaps, but they were not identified as a key control for purposes of SOX and FDICIA testing. As a result, banks simply had to document the control they had in place and include it in their SOX and FDICIA test plans, rather than having to implement a new control to address the gap.

In our experience, principles six through nine, which relate to the risk assessment component of internal controls in the 2013 Framework, were generally the principles where banks had to do the most work to address the requirements of the 2013 Framework. In particular, principle eight, “the organization considers the potential for fraud in assessing risks to the achievement of objectives,” was commonly seen as a principle where the controls were in place at the bank, but additional documentation and testing were needed to be included in the SOX and FDICIA processes to address this principle. Banks are managing risk continuously in the normal course of business, but historically, many of these risk management activities were not documented and tested as part of SOX and FDICIA. The formalization of these risk-related principles in the 2013 Framework generally has increased the documentation and testing around the bank’s risk management function.   

Tips for a successful implementation

We have observed many banks achieve a successful implementation of the 2013 Framework. The following summarizes the methods that were consistently seen across those banks.

  • Start early and establish buy-in

Banks that started the process in early 2014 had the most success in achieving a seamless implementation of the 2013 Framework. For instance, many banks started the implementation process in the first calendar quarter or early in the second calendar quarter. This gave them plenty of time to address any gaps in controls and implement new controls, if needed, giving those controls ample time to function before they were assessed for effectiveness. Further, developing awareness with executive officers and board members and establishing “buy-in” to the process were also key to successful implementation. The implementation will require significant time and effort from bank resources, and bank leadership must be committed to the effort.

  • Evaluate bank resources and line up assistance if needed … early

Many banks were successful with the implementation using bank resources solely. However, some banks utilized the expertise of third parties to assist with the implementation. As previously discussed, the implementation effort is time consuming and involved. If your bank requires outside assistance, it is better to make that decision early and engage a third party from the beginning, rather than after the implementation process has begun.

  • Map your existing controls to the 2013 Framework

Since the 2013 Framework does not significantly change the general concepts that are in the 1992 Framework, your existing SOX and FDICIA key controls will likely address many principles formalized in the 2013 Framework. The best way to identify what may be missing is to compare or “map” your existing SOX and FDICIA controls to the principles included in the 2013 Framework. This method offers the perspective to see what principles are already covered and which ones are not, requiring identification and documentation of new controls to address them.

  • Use a top-down approach

A “big picture” view is important when starting the implementation process. Most banks spend the majority of their time documenting and testing activity level controls (i.e., controls over the processing and recording of specific transactions), yet four of the five components of internal control in the 2013 Framework are entity-level controls (i.e., higher level oversight and broader reaching controls impacting the entire organization). In fact, 14 of the 17 principles in the 2013 Framework are entity-level type controls with only three principles being dedicated to control activities. Therefore, a renewed focus on entity-level controls is warranted.

  • Revisit your existing SOX and FDICIA approaches prior to implementing the 2013 Framework

Take this opportunity to critically evaluate or “rationalize” what you are currently doing with respect to SOX and FDICIA control testing. Many banks continue to find that they are documenting and testing controls that are either more operational than financial reporting in nature, or they are testing controls that are not considered key controls or are redundant. That is, they are testing supporting controls that are not the primary controls in place to prevent or detect a material misstatement in the financial statements. Banks that have rationalized their SOX and FDICIA controls end up with a more effective, efficient approach as they focus on the controls that really matter, and have reduced the number of key controls from the scope of their efforts.

  • Involve your auditors … early

Communication with and participation from both your internal and external auditors is critical for successful implementation and will be the best way to avoid surprises following implementation. Keep your auditors informed about your implementation plan, including how it will be done, the timeline for implementation and how you want them involved. Banks that shared their planned approach and mapping document drafts with their auditors were able to adjust the approach early enough in the process, generally avoiding any disagreements on whether gaps were addressed and how new controls should be tested.

What about those banks that stayed on the 1992 Framework?

Surprisingly, some banks did not implement the 2013 Framework as of December 31, 2014. There are various reasons for this, but the more common reasons seem to be lack of internal resources to dedicate to this project, given other competing initiatives such as acquisitions, merger integrations and system conversions, or simply underestimating the time that would be required to implement, and they ran out of time.

There was not a requirement to implement the 2013 Framework in 2014. However, COSO stated on its website that users should transition to the updated Framework as soon as feasible for their particular circumstances. The SEC has also stated that they would monitor the transition for registrants using the 1992 Framework to evaluate whether any SEC actions become necessary or appropriate at some point in the future. The SEC also indicated that the longer registrants continue to use the 1992 Framework, the more likely they are to receive questions from the SEC about why they have not transitioned.

Therefore, banks that utilized the 1992 Framework in 2014 were fine in doing so. However, the longer banks continue using the 1992 Framework, the more likely questions will arise from the SEC, auditors and other regulators. If your bank is not currently using the 2013 Framework for SOX and FDICIA, we recommend implementing it in 2015. 

Plans for 2015 - What are the consequences of staying on the 1992 Framework?

The consequences of staying on the 1992 Framework for 2015 are not clear. We believe the SEC will start to write comment letters to registrants asking why they have not transitioned yet. It is possible the FDIC will do the same as it relates to FDICIA internal control reports. 

If your bank chooses to continue using the 1992 Framework in 2015, you may need to be prepared to answer the following questions:

  • Will the FDIC and SEC accept the reports on the effectiveness of internal control over financial reporting using an outdated Framework?
  • As of December 31, 2015, the 2013 Framework will have been issued more than two years prior. Is there corporate governance or a tone at the top issue with executive management and the board regarding the lack of importance and priority placed on the assessment of internal control over financial reporting?
  • Is there a control deficiency related to lack of adoption? If yes, what severity is the control deficiency? If a tone at the top issue is identified, how will that impact the severity of the control deficiency? Will the control deficiency rise to the level of required communication to the Audit Committee?
  • How will a bank be viewed by the market if it remains on the 1992 Framework, while the rest of its peers are using the 2013 Framework?
  • Will remaining on the 1992 Framework impact investor confidence? 

Although the FDIC, SEC and Public Company Accounting Oversight Board (PCAOB) have not issued any guidance on their views of the consequences from the lack of adoption of the 2013 Framework, there was discussion of this topic by CPA firms at the AICPA Conference on Current SEC and PCAOB Developments in December 2014 during a panel discussion. The general consensus of the panel was that a control deficiency would exist if banks continued to use the 1992 Framework in 2015. While this certainly is not formal guidance, it provides some insight as to what positions accounting firms may take on those banks that continue using the 1992 Framework.


For those that have already adopted the 2013 Framework, the hard work is behind you. Dedicate some time this year to fine tune your internal control documentation and testing plans with lessons learned from last year.

For those that are planning to adopt the 2013 Framework this year, please consider the tips discussed above. The earlier you start implementation efforts and the more you consult with your auditors, the more likely you will be to achieve a smooth implementation and mitigate the risk of surprises during the financial statement and internal control audits.

For those planning to remain on the 1992 Framework, we highly encourage you to consider the potential implications of remaining on the outdate framework. Amongst the concerns is the risk that the SEC and FDIC will not accept your internal control reports, and there are likely internal control implications that may need to be reported to your Audit Committee.

To subscribe to future publications and manage your subscription: