- Home
- Internal Control COSO
INTERNAL CONTROLS
What is the COSO Internal Control Framework?
The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) established a model for evaluating internal controls for organizations. This model was adopted as the generally accepted framework for internal control, and it is widely recognized as the definitive standard against which organizations measure the effectiveness of their internal control systems. An overview of the COSO internal control framework is available here.
The COSO model defines internal control as a process effected by an organization’s board of directors, management, and other personnel designed to provide reasonable assurance of the achievement of objectives in the following three categories:
-
Operational Effectiveness and Efficiency
-
Financial Reporting Reliability
-
Applicable Laws and Regulations Compliance
In an effective internal control system, the following five components work to support the achievement of an organization’s mission, strategies, and related organizational objectives:
1. Control Environment
-
The organization demonstrates a commitment to integrity and ethical values.
-
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
-
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
-
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
-
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
2. Risk Assessment
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the organization and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly affect the system of internal control.
3. Control Activities
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
4. Information and Communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of internal control.
5. Monitoring
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
These five components work to establish the foundation for a sound internal control system within an organization through directed leadership, shared values, and a culture that emphasizes accountability for control. The various risks facing an organization should be identified and assessed routinely at all levels and within all functions of the organization. Control activities and other mechanisms should be proactively designed to address and mitigate identified risks, and information critical to identifying risks and meeting organizational objectives should be communicated through established channels across the organization. Lastly, the entire internal control system should be continuously monitored and problems addressed in a timely manner. An overview of the COSO internal control framework is available here.