10Minutes
on why the COSO Update deserves your attention
Are your controls
keeping pace with
your business?
Highlights
Applying the Update can help you strengthen
controls and bolster confidence in meeting your
operational, reporting, and compliance objectives.
New features in the Update help you uncover
hidden risks and apply appropriate controls.
The Update helps you identifyand potentially
avoidhow people, technology, and processes can
cause control breakdowns.
Begin assessing how you can use the Update
to build upon your current controls to address
business changes.
Hidden exposures in businessthese are
what effective internal control can help
uncover. In recent years, weve witnessed and
suffered the higher costs that can result when
these threats remain unchecked.
Where do the blind spots lurk in your business:
In social media, where customer problems
brew before a recall becomes necessary?
In sprawling legal entities not monitored
for satisfying compliance and reporting
requirements? In high-frequency trading
records that may conceal a staggering loss?
The 1992 Internal Control-Integrated
Framework developed by COSO has been
widely adopted to support external financial
reporting requirements. After 20 years,
COSO decided it was time for a refresh.
The 2013 update,1 authored by PwC, is
designed to address reporting, compliance,
and operational objectives. This provides
businesses and their stakeholders with a
common vocabulary for getting a handle on
the ever-changing environment.
As business evolves, leading companies evolve
their internal control systems. The newly
released framework provides the perfect
opportunity to consider: Are your controls
really keeping up?
1 Update to the Committee of Sponsoring Organizations Internal
Control-Integrated Framework, http://coso.org/IC.htm.
May 2013
A fresh look at controls may especially
benefit your company if youre going
through...
A major change. Your growth,
restructurings, or new markets, products,
and partnersthey introduce new risks.
Ongoing regulatory oversight and
scrutiny. If youre complying with more
regional or global requirements, there may
be little room for error.
Greater complexity in your operating
model and structure. Taking on new
service providers or other partners can
create risks that may be far removed from
the business.
Expanding reliance on technology. New
uses of existing technology and new tech
investments may impact risks for internal
and external interactions.
New and evolving expectations for non-
financial reporting. Stakeholders and
regulators seek greater transparency and
confidence in reporting.
Business failures and brand-damaging
events. Businesses in many industries
need to re-build trust with customers and
stakeholders.
At a glance Effective internal control adapts to change

What are some changes in business and how does the COSO Update help?

Regulatory scrutiny Accounts for a growing web of global regulations, like financial
reporting requirements and environmental standards

Increased reliance on technology Provides a principle directed at controls over technology

infrastructure, development, use, and links with other processes

Expectation for additional Extends to cover non-financial reporting objectives, like

reporting sustainability reports and customer satisfaction measures

Complex, interconnected business Helps you customize controls and see if theyre supporting multiple
objectives and principles. And these updates will help you check
whats covered and whats missing across the businessincluding
dispersed and outsourced operations

Accelerating pace of businesses Provides principles that help you adapt controls for planned
changes and unforeseen circumstancesand keep them in sync
with the business

Greater complexity in management Explicitly considers business models and helps you apply controls
models and legal structures across management operating models and legal entity structures
01
Gain confidence How can you be sure your system of control remains
up to the task? The COSO Framework was updated
around what matters in three important ways to make it easier for your
controls to evolve with the business.
1. Reflective of the current environment. The
Update reflects how doing business has changed
and provides guidance to assess risk and keep
related controls current. For instance, the negative
impact from a product defect can now be amplified
Most businesses are planning changes through social media. However, if a company
that can impact controls applies controls that enable it to monitor social
Do you anticipate a major change at your company channels, it could receive early warning.
in the following areas over the next 12 months?
2. Applicable to more business objectives. The
Update helps you apply internal control to your
growing list of objectives. It now addresses internal
Customer
strategies 31%_ reporting, which can satisfy requirements set
by senior management and boards. The Update
Managing also covers external non-financial reporting
talent 23%_ requirements driven by laws, regulations, or even
heightened stakeholder expectations. As with its
Organizational predecessor, the Update still applies to financial
structure 22%_
reporting to support your compliance with
Sarbanes-Oxley and enables you to strengthen
M&A, joint venture or existing controls, often without significant
strategic alliance 22%_
modification.2
The Update makes it easier for you to address these
Technology
investment 21%_ objectives in an integrated waymore objectives
dont necessarily translate into more work. For
example, a biotech company may have compliance
requirements around purity standards. It can apply
Base: 1,330 global CEOs.
Source: PwC, 16th Annual Global CEO Survey, January 2013.
2 See PwCs Dataline (May 2013) for a discussion of implications
of the Update for external financial reporting.
controls to help prevent a breach in purity while
at the same time meeting a second objective of
bolstering confidence in its reporting.
3. Flexible and customizable. The Update
is principles-based, making it more flexible,
adaptable, and broadly applicable than a rules-
based framework. It provides 17 principles that
formalize fundamental concepts in the original
framework. These principles help you specify
objectives, assess risks, and deploy controls that
you can adapt to meet your unique requirements.
They can also help you meet objectives across
the organization. For example, principles that
you apply to prevent and detect fraud in financial
reporting could also help you address fraud risks
in wide-ranging operations that, if left unchecked,
could impact local compliance objectives.
Ramp up in the right areas
You can apply internal control to many aspects
of your business, but the key is targeting where
its really needed. The Update can help you
clearly identify and communicate where there
are important objectives and select the right
controls to apply. For example, over half of CEOs
say availability of key skills is a top priority.3 The
Update has principles you can use to identify the
specific, critical objectives that may be jeopardized
if youre unable to find the right talent. This lets you
target where other controls may be needed, like
greater management oversight or use of technology.
3 PwC, 16th Annual Global CEO Survey, January 2013.
02
Remove the blind Without a full view of your business, hidden
exposures can put you at risk. The Update is
spots designed to help reveal risks you may be unaware of.
Reaching deep to pinpoint problems
The Update helps you focus on objectives, related
risks, and controls in all reaches of your business
its legal entities, divisions, operating units, and
functions.
Most businesses have experienced recent changes that Consider an executive whos responsible for a legal
can impact controls
entity but lacks the authority over some operations
Companies that have undergone a major business
that roll up to it. As weve seen in recent crises,
transformation in response to market shifts since mid-2011
public and regulatory backlash is directed at the
nominal leaders, even if they didnt have authority
over the operations where problems occurred.
Controls should also keep business partners in clear
view. One manufacturing company thought it had
diversified its suppliersonly to discover that all the
suppliers were actually buying from a single source.
So when that single source broke down, it disrupted
The Update includes principles for identifying
and assessing the impact of significant changes on
internal control. For example, a manufacturer that
acquires an online distributor might take on new
inventory management risks. The company needs
to determine if existing controls cover risks that
could get in the way of achieving its operational
objectives.
Seeing across the business
Risks can become problems far from where they
begin. The Update can help you make sure your
controls dont miss any of these.
Suppose you invest in an emerging market. The new
entity could bring unexpected risks from new rules
of business, tax and regulatory requirements, and
distant operations, to name a few. Just as youve
used controls for complying with Sarbanes-Oxley,
you can apply them here to help you identify and
mitigate the most critical risks before they become

67% the manufacturers operations despite its efforts to

Base: Over 800 global executives and risk managers
Source: PwC, Risk in reviewGlobal risk in the transformation age, 2013.
diversify.
The Update includes principles for specifying
objectives and assessing risks across the business,
and for establishing structures, authorities, and
responsibilities that could head off issues like these.
Keeping up with change
Any changenew leaders and managers,
new markets and products, growth, mergers
and acquisitions, restructurings, or emerging
technologiesintroduces risks.
problems.
If internal control is applied to achieve multiple
objectives, the Update helps you see the entire
business and prevent domino effects. In one case,
a companys financial reporting failure ultimately
jeopardized its operations: A restatement of
financial results drove down the stock price. This
forced the company to break its debt covenants, and
banks called in their loans, which led to a cash flow
squeeze. The principles around risk assessment and
monitoring activities help you identify potential
problems before they happen.
03
Take control through The Updates principles can help you keep potential
gaps from developing, often by looking at how
people, technology, controls intersect with how business gets done.
information, and Preparing your people
Your control environment establishes the
processes structures, standards, accountabilities, and
oversight for carrying out your businesss
internal control. Your role here and that of other
Businesses need to shore up controls company leaders is crucial. To see why, just scan
the media reports of recent crises, which dug
into executive emails to determine if leadership
46% of boards have held set the right example, even if the breakdowns
discussions regarding tone were far removed. Principles guide you through
at the top, July 2011July 20121 establishing a solid control environment.
The Update helps you address people at all levels
of the organization. It includes a principle for
attracting, developing, and retaining competent
Availability of key skills
personnel. Managers with key roles in operating
concerns 58% of CEOs2
units and functions, like supply chain, IT security,
and portfolio management, are closest to the risks
and changes that could impact them. Theyre
well-positioned to spot new risks, identify when
Speed of technological change
issues are likely to occur, and select controls
concerns 42% of CEOs2
to mitigate risks. For instance, some financial
services roles require professionals who can
determine when transaction risk profiles are
57% of boards plan to changing and take corrective actions.
10110010
10011101 devote more time to Understanding technology risks
10011010
information technology
01000111
opportunities and issues1
Even as technology is the engine of many
businessesconnecting employees, partners,
and customersoverreliance on technology
1. Base: 860 public company directors. can introduce risks and mask problems. This is
Source: PwC, Insights from the Boardroom, 2012.
2. Base: 1,330 global CEOs.
Source: PwC, 16th Annual Global CEO Survey, January 2013.
especially true for mobile, social, cloud, and other
emerging technologies. The Update includes a
principle explicitly focused on controls over the
use of technology. Data theft, for example, has
become commonplace and companies should
be prepared for handling a breach. Yet many
businesses that have experienced data theft
dont have sufficient controls in place to even
know how the breakdowns occurred and which
systems or technologies made it vulnerable.
Zeroing in on the right information and
processes
The Update includes several principles for
using relevant information and communicating
the right information to the right people. For
example, a business could be surprised to
find itself in a high risk position if it monitors
only net financial positions without seeing the
individual pieces that could push it into danger.
The Update also addresses your significant
processes and reminds businesses that they cannot
delegate responsibility for achieving key objectives
to business partners or service providers. For
instance, many Internet-based businesses relied on
a cloud service provider that experienced a service
disruption. Those companies that had controls over
the outsourced service with contingency plans in
place kept operating; those that lacked such controls
were forced to suspend operations. Principles
address these kinds of situations and help you make
sure controls support those processes relevant
to achieving objectives across your business.
04
Time to refresh your How can you bring your controls up to speed
with the COSO Update? Consider these
internal control starting points and questions as you assess
the controls you have today and determine
where you need to focus your efforts.4
See the big picture
Specify objectives that matter to your business and
would benefit from applying a comprehensive,
integrated control system.
Which recent strategic, business, or operating
decisions have introduced new risks?
How do our controls adapt to change? Is our
organization prepared to respond to change?
Do we apply controls to objectives relating to
internal reporting, non-financial reporting,
operations, and compliance?
Can any of our controls be applied to more
reporting, compliance, or operational objectives?
Have we considered the entire organization?
Learn from the past
Take a fresh look at your existing controls in relation
to the risks of achieving objectives.
What breakdowns have we experienced with
our existing controls? Why didnt we anticipate
them?
What issues could have been prevented if we had
greater internal control at the root cause?
4 See PwCs Resilience: A journal of strategy and risk (May 2013) for a
discussion of how your business can use the Update to be more agile.
How can we strengthen our systems of internal
control by better connecting objectives,
risks, and controls?
Look at your controls through the Update
Map relevant principles to existing controls. Doing
this now allows you to leverage the benefits of the
Update for important objectives. It also prepares your
internal control over financial reporting to use the
updated framework, which COSO has announced
will supersede the original in December 2014.
How thoroughly have we implemented the
fundamental concepts set out in the 1992
framework?
Have we overlooked any principles?
Lead the refresh
Appoint a leader to marshal the transition to the
updated framework.
What is our boards view on broadening
use of internal control and implementing
the COSO Update?
How can we use the COSO Update to re-engage
executives and the board in strengthening our
systems of internal control?
How do we engage divisions, operating units,
operations, internal audit, risk management,
compliance, finance, technology, and human
resources in adopting the updated framework?
Upcoming Prepare your balance sheet for new leasing rules Getting eco-efficiency right
The IASB and FASB are expected to issue their latest Nearly half (48%) of global CEOs in PwCs 16th
10Minutes topics proposal on leases, and the potential impact could Annual Global CEO Survey say they plan to support
echo through the entire business. If your company eco-efficiency in the coming year by reducing
uses leases, take notice: The proposed rules could environmental impacts. But chances are good
change the way you present and recognize expenses these efforts will stall. Projects that are both cost-
in your income statement, make lease-vs- buy effective and good for the environment may never
decisions, and execute agreements. And these get off the ground. In this 10Minutes well look at
changes could ultimately affect your companys current approaches for making the business case for
financial performance. environmental initiatives, give examples of indirect
benefits, and show how intangibles can be factored
into your decisions.
Managing tax uncertainty through operational
effectiveness
The tax function is an overlooked area for
improvement. It is frequently bogged down by
rigidity and antiquated systems, and unprepared
for change. Even worse, its antiquated systems
represent a hidden source of risk to the company
and to the longevity of company CFOs. The tax
function is ripe for systemic change, similar to how
Lean, Six Sigma, and enterprise resource planning
have transformed other company functions. The
result: improved risk management, forecasting,
analytical abilitieseven cash savings.
How PwC To have a deeper discussion about COSO Update
and internal control, please contact:
can help
Author & Project Team Leaders PwC Practice Leaders

Miles Everson Tim Ryan

Engagement Leader Assurance US Leader
646 471 8620 617 530 7376
miles.everson@us.pwc.com tim.ryan@us.pwc.com

Stephen Soske Dean Simone

Project Lead Partner Risk Assurance US Leader
617 530 5731 267 330 2070
stephen.soske@us.pwc.com dean.c.simone@us.pwc.com

10Minutes are now available in Charles Harris Dennis Chesley

60 seconds. Assurance Partner Risk Advisory Global Leader
Download the FREE 10Minutes app. 973 236 5340 703 918 6154
Learn more through videos, interactive charles.e.harris@us.pwc.com dennis.l.chesley@us.pwc.com
graphics, slideshows, and podcasts.
Cara Beston Jason Pett
Risk Assurance Partner Internal Audit US Leader
408 817 1210 410 659 3380
cara.m.beston@us.pwc.com jason.pett@us.pwc.com

2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and
may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further
details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional
advisors. 10Minutes is a trademark of PwC US.

PwC helps organisations and individuals create the value theyre looking for. Were a network of firms in 158 countries with more than
180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out
more by visiting us at www.pwc.com. ST-13-0050