
UNIVERSITY OF ECONOMICS HO CHI MINH CITY

SCHOOL OF ACCOUNTING

HOMEWORK:
COMPARISON OF COSO'S 2013 INTERNAL CONTROL
FRAMEWORK AND 2017 ERM FRAMEWORK
By Group 2
Course: Internal Control
Lecturer: Phạm Thị Ngọc Bích, MA

Ho Chi Minh City, January 10th 2024

GROUP 2
LIST OF MEMBERS

No.  Full Name               ID           Degree of Completion
1    Hồ Trâm Anh             31221022791  100%
2    Đỗ Minh Hương           31221022662  100%
3    Bùi Thị Kim Ngân        31221021581  100%
4    Nguyễn Thị Thanh Nhã    31221023587  100%
5    Trương Quế Nhiên        31220121299  100%
6    Ngô Trần Thanh Thủy     31221025255  100%

COMPARISON OF COSO'S 2013 INTERNAL CONTROL FRAMEWORK AND 2017 ERM FRAMEWORK

The COSO’s 2013 Internal Control Framework and the 2017 ERM Framework are distinct but complementary frameworks. Here are some similarities between them:

1. Principles-based Approach: Both frameworks follow a principles-based approach.
2. Integration with Business Activities: Both frameworks are integrated with the activities of the business.
3. Contribution to Long-term Success: Both frameworks can be related to overall business models and can contribute to an organization’s long-term success.
4. Value to Governance and Management Process: Both ERM and internal control contribute value to, and are integrated as part of, the overall governance and management process.
5. Components and Principles Structure: Both use components and principles structure.
6. Risk Management Focus: Both Internal Control and ERM aim to manage risks within an organization.
7. Communication and Monitoring: Both frameworks emphasize the importance of communication and monitoring. Effective communication is essential for ensuring that stakeholders understand the risk management processes and are aware of potential risks. Ongoing monitoring is crucial for assessing the effectiveness of controls and managing emerging risks.
8. Cultural Impact: Both Internal Control and ERM can contribute to the development of a risk-aware organizational culture. They emphasize the importance of promoting a culture that recognizes and addresses risks as an integral part of decision-making and daily operations.

There are also some differences between them, which are presented in the table below.

2017 Enterprise Risk Management Framework vs. COSO 2013 Internal Control Framework

Definition
2017 ERM Framework: Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, to manage risk in creating, preserving, and realizing value.
COSO 2013 Internal Control Framework: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Original Framework
2017 ERM Framework: Enterprise Risk Management - Integrated Framework (2004)
COSO 2013 Internal Control Framework: Internal Control - Integrated Framework (1992)

Purpose of new update
2017 ERM Framework: Highlights the importance of considering risk in both the strategy-setting process and in driving performance.
COSO 2013 Internal Control Framework: Expands the financial reporting category of objectives to include other important forms of reporting (such as non-financial and internal reporting).

Categories of objective
2017 ERM Framework: 4 objectives:
- Operations
- Reporting
- Compliance
- Strategies
COSO 2013 Internal Control Framework: 3 objectives:
- Operations
- Reporting
- Compliance

Component
2017 ERM Framework: 5 components:
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revision
- Information, Communication, and Reporting

- Governance and Culture: Governance helps establish responsibilities for enterprise risk management, while culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
- Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic planning process.
- Performance: means that a portfolio view of risks selected by the organization is reported to key risk stakeholders.
- Review and Revision: Reviews help the entity consider the quality of the ERM function and, therefore, suggest what revisions are needed.
- Information, Communication, and Reporting: ERM requires a continual process of obtaining and sharing useful information, from both internal and external sources, and across the organization.

COSO 2013 Internal Control Framework: 5 components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities

- Control environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The set is established by the board of directors and senior management.
- Risk assessment: involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
- Control activities: are the actions that ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages.
- Information and communication
+ Management obtains and uses quality information from internal and external sources.
+ Internal communication is the means by which information is conveyed across the entity, which enables personnel to receive a clear message from senior management.

Principle
2017 ERM Framework: There are 20 principles. They are manageable in size and describe practices that can be applied in different ways for different organizations regardless of size, type, or sector.

Governance and Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Strategy and Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Review and Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Information, Communication, and Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance

COSO 2013 Internal Control Framework: There are 17 principles covering 5 components.

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Benefits of effectiveness
2017 ERM Framework:
- Increasing the range of opportunities: By considering all the aspects of risks, management can find new chances and related difficulties.
- Identifying and managing risk entity-wide: Management helps discover and handle risks that can affect many parts of the organization.
- Increasing positive outcomes and advantages while reducing negative surprises: ERM allows entities to identify risks, establish proper responses, and reduce losses while profiting from positive developments.
- Reducing performance variability: ERM allows entities to anticipate risks that would affect performance and enables them to take timely actions to minimize disruption and maximize chances.
- Improving resource deployment: Obtaining robust information allows management to assess overall resource needs, enhancing resource allocation.
- Enhancing enterprise resilience: ERM enables entities to anticipate and respond to change, contributing to their survival and thriving.
COSO 2013 Internal Control Framework:
- Achieving effective and efficient operations.
- Understanding the extent to which operations are managed effectively and efficiently.
- Preparing reports in conformity with applicable rules, regulations, and standards or with the entity's specified reporting objectives.
- Complying with applicable laws, rules, regulations, and external standards.

Influencing Factors
2017 ERM Framework: ERM can be affected by some future trends:
- Dealing with the increase in data.
- Leveraging AI and automation.
- Managing the cost of risk management.
- Building stronger organizations.
COSO 2013 Internal Control Framework: The internal control system can experience some failures, some of which may result from the:
- Suitability of objectives established as a precondition to internal control.
- Reality that human judgment in decision making can be faulty and subject to bias.
- Breakdowns that can occur because of human failures such as simple errors.
- Ability of management to override internal control.
- Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
- External events beyond the organization's control.

Conclusion:
- Internal control is an integral part of enterprise risk management (ERM), but ERM is broader in scope.
- ERM addresses more than internal control. It also addresses other topics such as strategy-setting, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions.
