The COSO internal control framework and your company's internal control processes

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a flexible framework for designing, implementing and evaluating internal controls.

On May 14, 2013, COSO issued a new Internal Control – Integrated Framework Executive Summary with revisions and updates to the 1992 document. Among the updates, the framework explicitly described the core principles of the framework rather than implying them. The primary goal of the update, though, was to increase relevancy in an increasingly complex and global business environment. While the COSO internal control framework is not a legal requirement, it is considered best practice and widely adopted by companies throughout the U.S. As such, the updated version of the framework provides organizations with significant benefits, such as elevated confidence in the controls and their ability to mitigate risks to acceptable levels.

Read on about the updated COSO framework and how it can best serve your organization.

What is COSO?

The Committee of Sponsoring Organizations came to being in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. COSO developed recommendations for public companies and their independent auditors, the Securities and Exchange Commission (SEC) and other regulators, as well as educational institutions.

Today, COSO is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal controls and fraud deterrence. The members of COSO are: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). COSO is independent of each organization and is instead comprised of representatives from different industries, public accounting, investment firms and the New York Stock Exchange (NYSE).

What are the benefits of proper internal controls?

Internal controls are the mechanisms, rules and procedures implemented by a company to ensure the integrity of their financial and accounting information, promote accountability and prevent fraud. These procedures and policies help maintain consistent practices across an organization, as well as improve the operational efficiency by improving the accuracy and timeliness of financial reporting.

Since the accounting scandals of the early 2000s, internal controls have become an integral business component of nearly every U.S. company. From the scandals came the Sarbanes-Oxley Act of 2002 (SOX) as a means to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures.

Internal controls are vital to any company or organization. They ensure compliance with regulations and laws and prevent companies from fraud or theft from within. A present and functioning internal control process offers “reasonable assurance” regarding the amounts presented in an organization’s financial statements.

What is the COSO framework?

As mentioned above, the COSO framework for internal control is not a legal requirement, but rather regarded as best practice. The framework is built around five core concepts which are further broken down into 17 principles.

Components of Internal Control

The five integrated concepts, as defined by the 2013 COSO Internal Control – Integrated Framework Executive Summary, are:

1. Control environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal controls against the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

2. Risk assessment

Every entity faces a variety of risks from external and internal sources. Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting and compliance with sufficient clarity to be able to stop identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control activities

Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventative or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

4. Information and communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.

5. Monitoring

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Components and Principles

The updated COSO framework for internal control details the 17 principles representing the fundamental concepts associated with each component. The five integral components serve as the source of each of the 17 principles; thus, an entity can achieve effective internal control by applying all of the principles.

The principles, organized by relevant component, are defined by COSO as:

Control Environment

1. The organization (meaning the board, management and other personnel) demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2. The organization selects and develops general control activities over technology to support the achievement of objectives.
3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

What is the purpose of the COSO framework?

The COSO model for internal controls identifies three main objectives for the establishment of an organization’s internal controls process.

• Operations Objectives – The framework aims to address the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, as well as safeguarding assets against loss.
• Reporting Objectives – The framework focuses on internal and external financial and non-financial reporting. It encompasses reliability, timeliness, transparency or other terms set forth by the regulators, recognized by standard setters or the entity’s policies.
• Compliance Objectives – The framework encourages organizations to adhere to relevant and applicable laws and regulations.

The policies outlined in the COSO framework helps you design and assess the effectiveness of your internal controls over financial reporting.

How does the COSO framework for internal control help me and my business?

At the end of the day, the ability to achieve your organizational mission is accomplished through your best and most valuable asset – your reputation. By formally adopting the COSO framework for internal controls, your organization conveys to regulators, employees, volunteers, investors, donors and others that it is committed and focused on good governance and accountability.

Additionally, the COSO internal control framework may help provide assurance to investors or donors about other aspects of your organization, such as sustainability reporting. A detailed report from IMA demonstrated that the COSO principles’ effectiveness applies to all types of performance data including sustainability. Given the growth and increasing reliance of companies and their stakeholders or donors on sustainability information, the benefits of applying the COSO internal control framework to this data is evident.