COSO Internal Control–Integrated Framework: What is it and how does it work?

Sarbanes-Oxley (SOX) Section 404 requires management at publicly traded companies to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of public companies have adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework (Framework).  

While SOX may not apply to your government, the Framework is a best practice in the design of internal controls, and following it would be good for your entity.

Three factors within COSO’s Internal Control–Integrated Framework make it easier to design and evaluate the effectiveness of internal control:

  1. Inclusion of internal control principles. Seventeen principles explain concepts associated with the five internal control components. Each of the five components of internal control and relevant principles must be present and functioning.
  2. Consideration of operational changes. The framework includes guidance for assessing risk and updating related controls that consider how operations may have changed, particularly through outsourcing of processes and reliance on information technology.
  3. Beyond financial reporting. Objectives are expanded beyond financial reporting, to include internal and non-financial external reporting.

Overall Framework

The overall COSO Framework has not changed. It states that an effective control structure is designed to address the following three objectives:

  1. A‒Operations – effective and efficient use of resources
  2. B‒Reporting – reliability of reporting
  3. C‒Compliance objectives – compliance with applicable laws and regulations

These objectives are met within the Framework through five components and seventeen principles as shown in the following table.

Framework principles

There are seventeen COSO principles by component:

| Control environment | Risk assessment | Control activities | Information and communication | Monitoring |
| --- | --- | --- | --- | --- |
| 1. Demonstrates commitment to integrity and ethical values | 6. Specifies suitable objectives | 10. Selects and develops control activities | 13. Uses relevant information | 16. Conducts ongoing and/or separate evaluations |
| 2. Exercises oversight responsibility | 7. Identifies and analyzes risk | 11. Selects and develops general controls over technology | 14. Communicates internally | 17. Evaluates and communicates deficiencies |
| 3. Establishes structure, authority, and responsibility | 8. Assesses fraud risk | 12. Deploys through policies and procedures | 15. Communicates externally | |
| 4. Demonstrates commitment to competence | 9. Identifies and analyzes significant change | | | |
| 5. Enforces accountability | | | | |

Fundamental concepts remain similar to the 1992 original, but the updated Framework released in 2013 also includes points of focus describing the characteristics that underlie each principle. Management can use the points to design, implement, and evaluate internal controls. The points also help assess if relevant principles are present and functioning. The framework also explicitly considers potential sources of fraud when assessing risks to the achievement of an organization’s objectives. These sources include management override, safeguarding of assets, incentives, pressures, and opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify these acts.

Many organizations that are not subject to SOX compliance have adopted the COSO Framework. Whether you choose to adopt the Framework or not, the components and principles shared above provide a solid overview of entity-wide controls that should be in place for organizations. It is important for your government to review its control environment to confirm that proper controls are in place to support effective and efficient operations, that proper reporting and compliance exist, that governance oversight is in place, and that the control environment supports the attainment of the government’s mission and strategy.

For more information on this topic, or to learn how Baker Tilly state and local government specialists can help, contact our team.