COSO 2013 vs COSO Supplemental Guidance 2023: What Changed for IT Controls

The COSO Internal Control — Integrated Framework (2013) remains the primary framework for SOX Section 404 assessments. However, COSO's 2023 supplemental guidance introduces important new considerations for organizations using AI, operating in digital environments, and reporting on ESG data. Here is what changed and what it means for ITGC.

The 17 Principles Are Unchanged — But Their Application Has Evolved

The 2023 supplemental guidance does not amend the original 17 principles. Instead, it provides updated illustrative examples and points of focus that reflect the technology landscape of 2023 and beyond.

Key Changes for Technology Controls

• Principle 11 (Technology Controls): New points of focus explicitly address cloud-based controls, automated controls in SaaS environments, and the evaluation of controls embedded in AI/ML systems used for financial reporting
• Principle 7 (Fraud Risk): Expanded to include AI-enabled fraud — including manipulation of training data and prompt injection attacks on AI systems used in accounting
• Principle 13 (Communication): New guidance on communicating cybersecurity risk to the board in a manner that is timely and actionable

ESG Data Integrity

The 2023 supplemental guidance includes a new section on ESG reporting controls — directly relevant as the SEC's climate disclosure rules bring ESG data within the scope of internal controls over financial reporting for many registrants.

What Has Not Changed

The fundamental structure — five components, 17 principles, and the requirement that all components be present and functioning — remains unchanged. PCAOB inspectors continue to evaluate ITGC under AS 2201 using the COSO framework as the primary reference.