The COSO framework has three distinct, but overlapping categories of objectives – opera t ions, reporting, and compliance – and reiterates the opportunity to expand the framework's application beyond its traditional adoption for external financial reporting to include operations and compliance. Because of the scrutiny of regulators and other third parties, there is an intensified need for the reporting to be the end-product of a well-controlled process, one in which the effectiveness of controls is periodically assessed. To that end, many organizations are encouraged to use the principles of the COSO framework and should begin applying them to design quality assurance review functions over other areas, including operational and regulatory reporting.

The COSO framework reemphasizes the control environment as the basis for carrying out internal control responsibilities across the organization. The framework also stresses the role of the board and senior management in setting the tone regarding the importance of internal control and expectations concerning standards of conduct (principles 1-5).

Banks and other financial institutions in general likely have several existing governance programs, processes, and monitoring activities that may help comply with the 2013 COSO framework.

The COSO framework calls for companies to have a dynamic risk assessment program (principles 6-9) that considers significant changes in business operations and adapts to internal, external, and emerging risks.

To achieve such a dynamic risk assessment process, input from business units and appropriate levels of management should be formally captured as part of the risk assessment and scoping process, including the initial and continuous assessment of:

• Fraud risk;
• Complex non-routine processes;
• Processes requiring the “hand-off” of data between departments;
• Manual processes or those dependent on end-user computing tools;
• Potential changes in the internal control environment;
• Emerging risks and issues at peer organizations and the industry

Further, the risk assessment should be periodically updated to capture changes, both internal and external to the company, which may impact the qualitative assessment of risks and corresponding selection of in-scope entities and controls, including general information technology controls, to be assessed as part of the evaluation process (principles 10-12).