What is COSO 2013?

COSO 1992 has been the most widely adopted internal control framework used since the passage of the Sarbanes-Oxley Act of 2002. COSO 2013 is an update to the original COSO 1992 internal control framework.

COSO 2013 is:

  • Due 12/15/2014
  • Expands the risk assessment significantly
  • Management must define & demonstrate compliance with Objectives & Principles
  • Expands the compliance requirements to the “Operations” and “Compliance” areas


Why has COSO Changed?

COSO 2013 is an update to the original COSO 1992 internal control framework that most people have used to demonstrate compliance with the Sarbanes-Oxley Act of 2002 or SOX.

COSO 2013 is Intended to:

  • Refresh objectives relating to changes in business & operating environments.
  • Broaden the application of a typical COSO application to operations & compliance rather than just reporting.
  • Provide clarification and instruction on how to facilitate and evaluate internal controls.

The COSO 2013 requirements are additional steps required to complete an internal controls implementation. The documentation created to comply with COSO 2013 is needed in addition to any existing internal control documentation you may have already created to demonstrate compliance with SOX.


Who has to Comply with COSO 2013?

The COSO 2013 change applies to all companies listed on the US public exchanges.



What Changes Should I Expect?


Simply Stated, COSO 2013 Requires:

   1. Objective Setting
   2. Broadened Risk Assessment Procedures
   3. Principle Setting
   4. Additional Controls


All of these items are required in addition to the need to define your internal controls per the Sarbanes-Oxley Act of 2002 and COSO 1992. 

We have provided more information below on each of the above bullets.  


1. Objective Setting


This step includes documenting your business operations objectives, internal / external financial & non-financial reporting objectives, and compliance objectives.

•  Management, with BOD oversight, sets entity-level objectives that align with the entity's mission, vision, and strategies.

•  Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.


1. Continued Objective Definitions

Three categories indicate what can be expected from internal control: 


Operations: These pertain to effectiveness & efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

Reporting: These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.

Compliance: These pertain to adherence to laws and regulations to which the entity is subject.

 A particular objective can fall under more than one category.


1. Continued Visual Aid: Objective Setting

Vibato is pleased to announce the launch of COSO 2013 Made Simple!

Learn more about our product by calling 1-888-4-VIBATO or by starting your complimentary COSO 2013 Assessment today by filling out the contact sheet at the top of this page.

Alternatively, shoot us an email and we'll get right back to you.



2. Broadened Risk Assessment Procedures

COSO 2013 expands on the original Sarbanes-Oxley / COSO 1992 risk assessment procedures to include:


  • An operational risk analysis
  • A financial statement analysis
  • Adding documented definitions for:
    • Materiality
    • Location scoping
    • Risk tolerance
    • Material process objectives
    • Acceptable levels of risk
    • Non-financial disclosures & associated risks

2. Continued Visual Aid: Vibato Risk Assessment Procedures

Vibato has created detailed COSO 1992 & COSO 2013 compliant Financial & Business Operational Risk Assessments.

Our products are based on industry-specific best practices refined over the last 15 years and hundreds of implementations worldwide. Our offerings are sold at a fixed-price and include one-on-one time with our Internal Control Experts to ensure the results are complete, you understand the process, and that the resulting documentation is ready to hand off to your external auditors or stakeholders.



3. Principle Setting


  • There are 17 key “Principles” detailed within the COSO 2013 guidance and another 100+ specific “Points of Focus” that management must address to meet the new requirements.


Points of Focus are specific sub-topics defined within the Framework that assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are, in fact, present & functioning. 


3. Continued Visual Aid: Principle Setting

Vibato has prepared an intuitive, visually beneficial and systematic guide to complying with COSO 2013. Our COSO 2013 Made Simple product is sold at a fixed-price and includes one-on-one time with our Internal Control Experts to ensure the results are complete, you understand the process, and that the resulting documentation is ready to hand off to your external auditors or stakeholders.



4. Additional Controls

COSO 2013 is Intended to:

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting, and compliance.*


* COSO.org

Internal Controls must be:
  • Designed to achieve objectives across the organization.
  • Consisting of ongoing tasks and activities.
  • Effected by people and the actions they take at every level of an organization.
  • Able to provide reasonable assurance.
  • Adaptable across the organization.

4. Continued Visual Aid: The Vibato Internal Control Suite®


Vibato has embedded the COSO 2013 requirements into the Vibato Internal Control Suite®, thereby allowing users to demonstrate compliance with the new requirements throughout their internal control infrastructure.


I am a Non-Accelerated Filer so this doesn't apply to me, right?


WRONG! If your company is required to attest to Section 404(a) compliance typically via your 10-Q Item 4, 10-K Item 9, 302, or 906 certifications (so all public companies of any size), this change applies to you.

So are there any COSO 2013 Best Practices yet?

This is an interesting question and we feel there are likely several people out there asking the same thing. Companies were allowed to adopt the COSO 2013 Framework early, but only a handful of companies actually did, so there is likely little information out there about COSO 2013 best practices.

Fortunately, we at Vibato started researching the requirements of COSO 2013 in May, 2013 and we've been updating our Vibato® Internal Control Suite® to take all of the guesswork out of exactly what companies will need to do to comply with the new requirements.  The Vibato Internal Control Suite has been available for over 10 years and is made up of thousands of man-hours of research and refinement that have taken place over 150 internal control implementations worldwide. We wrote the book on best practice procedures across many types of organizations but the COSO 2013 requirements are new for everyone so they require a fresh look at what we need to do in order to bring a viable solution to our customers.


COSO 2013 Made Simple - A Vibato Client's Perspective

Here is some insight on COSO 2013 from our client Gary Burns, Associate Director of Internal Audit, MannKind Corporation:


"These are the things I’ve done to learn about COSO 2013:

  1. Print every article I could find on the Internet that pertained to COSO 2013. As I read the articles I highlighted areas that I thought were relevant. I found that many of these articles were just a rehash of what other articles were saying;
  2. Attended several COSO 2013 seminars and webinars put on by the “Big Four” and Protiviti;
  3. Ordered all of the materials (books and spreadsheets) published by COSO and read through them several times. Again, highlighting things that I thought were relevant to our specific implementation;
  4. Held discussions with our external auditors;
  5. Created my own COSO 2013 Implementation Plan since there were no good examples available to follow."

"What I’ve seen about Vibato’s approach to demonstrate compliance with COSO 2013: It didn’t take long to realize that all of the articles and COSO materials I’ve read only discussed WHAT is included in the new COSO 2013 framework. While this was educational, it did not give any insight into HOW to actually implement the new framework, nor HOW to document our company’s compliance with it. What really impressed me with Vibato’s new Internal Control Suite for COSO 2013 was how thoroughly Vibato incorporated the COSO 2013 framework into their new product. By using Vibato’s new Internal Control Suite for COSO 2013 it automatically generates the evidence needed to show our external auditors that we formally addressed the framework’s Objectives, Components, Principles and Points of Focus."

"Vibato took the mystery out of the COSO 2013 implementation process." -Gary Burns, MannKind Corporation

Vibato has the tools and procedures you will need to make the transition to COSO 2013 as smooth as possible. Remember, this new requirement is due by 12/15/2014 but it is a SUBSTANTIAL change and it will require time to incorporate into your procedures. Do not underestimate the complexity of this change.


I'm an external auditor looking for information

We hold regular web-based trainings, available via our Webinars page. We also offer on-site training and technology licensing options. Please call 1-888-4-VIBATO or 415.240.4867 for more information. CPE is available for all training options.


How should I get started?

  • Give us a call! We would be happy to talk to you about your unique needs and share war stories about things we've encountered. 1-888-4-VIBATO or 415.240.4867.
  • We hold regular web-based trainings, available via our Webinars page. Additionally, we will be holding several "Lunch & Learn" sessions across the US. Talk to a COSO 2013 Expert for our upcoming schedule or to be put on our notification list. Private, on-site training is also available. CPE is available for all training options.
  • The official guidance material is also available for purchase from COSO called “Internal Control – Integrated Framework (2013)” via this link: COSO.org Guidance

Will the SEC's Financial Reporting Requirements change because of COSO 2013?

It appears that the SEC is in a wait and see mode right now:

"I understand that COSO intends to supersede their 1992 Framework as of December 15, 2014, and we expect there will be questions about whether the SEC will provide management with any transition or implementation guidance to change from the existing framework to the new framework...SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition." Paul Beswick, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission, May 30, 2013


Why should I talk to Vibato about COSO 2013?

Vibato has created a complete COSO 2013 Made Simple solution to help complete the transition in an efficient and effective manner. We would be happy to speak with you about where you are now and what you will need to do to demonstrate compliance with the new requirements. Please call us at 1-888-4-VIBATO, 415.240.4867, or email us by clicking this link: COSO 2013 Inquiry