(Group 2) (Comparison of Cosos 2013 Internal Control Framework and 2017 Erm Framework)
SCHOOL OF ACCOUNTING
HOMEWORK:
COMPARISON OF COSO'S 2013 INTERNAL CONTROL
FRAMEWORK AND 2017 ERM FRAMEWORK
By Group 2
Course: Internal Control
Lecturer: Phạm Thị Ngọc Bích, MA
GROUP 2
LIST OF MEMBERS
COMPARISON OF COSO'S 2013 INTERNAL CONTROL FRAMEWORK AND 2017 ERM FRAMEWORK
COSO's 2013 Internal Control Framework and the 2017 ERM Framework are distinct but complementary frameworks. Here are some similarities between them:
There are some differences between them, which are presented in the table below.
| | 2017 Enterprise Risk Management Framework | COSO 2013 Internal Control Framework |
|---|---|---|
| Definition | Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, to manage risk in creating, preserving, and realizing value. | Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. |
| Original Framework | Enterprise Risk Management - Integrated Framework (2004) | Internal Control - Integrated Framework (1992) |
| Purpose of new update | Highlights the importance of considering risk in both the strategy-setting process and in driving performance | Expanding the financial reporting category of objectives to include other important forms of reporting (such as non-financial and internal reporting) |
| Component | 5 components: | 5 components: |
| | - Governance and Culture | - Control environment |
| | - Strategy and Objective-Setting | - Risk assessment |
| | - Performance | - Control activities |
| | - Review and Revision | - Information and communication |
| | - Information, Communication, and Reporting | - Monitoring activities |
| | 17. Pursues Improvement in Enterprise Risk Management | 9. The organization identifies and assesses changes that could significantly impact the system of internal control. |
| | Information, Communication, and Reporting | Control Activities |
| | 18. Leverages Information and Technology | 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
| | 19. Communicates Risk Information | 11. The organization selects and develops general control activities over technology to support the achievement of objectives. |
| | 20. Reports on Risk, Culture, and Performance | 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. |
| | | Monitoring Activities |
| | | 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
| | | 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
| Benefits of effectiveness | - Increasing the range of opportunities: By considering all the aspects of risks, management can find new chances and related difficulties. | - Achieving effective and efficient operations. |
| | - Identifying and managing risk entity-wide: management helps discover and handle risks that can affect many parts of the organization. | - Understanding the extent to which operations are managed effectively and efficiently. |
| | - Increasing positive outcomes and advantages while reducing negative surprises: ERM allows entities to identify risks, establish proper responses, and reduce losses while profiting from positive developments. | - Preparing reports in conformity with applicable rules, regulations, and standards or with the entity's specified reporting objectives. |
| | - Reducing performance variability: ERM allows entities to anticipate risks that would affect performance and enables them to take on-time actions to minimize disruption and maximize chances. | - Complying with applicable laws, rules, regulations, and external standards. |
| | - Improving resource deployment: Obtaining robust information allows management to assess overall resource needs, enhancing resource allocation. | |
| | - Enhancing enterprise resilience: ERM enables entities to anticipate and respond to change, contributing to their survival and thriving. | |
| Influencing Factors | ERM can be affected by some future trends: | The internal control system can experience some failures, some of which may result from the: |
| | - Dealing with the increase in data. | - Suitability of objectives established as a precondition to internal control. |
| | - Leveraging AI and automation. | - Reality that human judgment in decision making can be faulty and subject to bias. |
| | - Managing the cost of risk management. | - Breakdowns that can occur because of human failures such as simple errors. |
| | - Building stronger organizations. | - Ability of management to override internal control. |
| | | - Ability of management, other personnel, and/or third parties to circumvent controls through collusion. |
| | | - External events beyond the organization's control. |
Conclusion:
- Internal control is an integral part of enterprise risk management (ERM), but ERM is broader in scope.
- ERM addresses more than internal control. It also addresses other topics such as strategy-setting, governance, communicating with
stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions.