Internal audit and compliance departments benefit from having a comprehensive framework for performing corporate risk assessment and internal control testing, as well as for fighting fraud. The most popular such framework is the COSO Framework.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was originally formed in the United States in 1985 to combat corporate fraud. This commission developed recommendations for public companies, internal audit departments, and educational institutions.

COSO was created and designed to provide thought leadership by developing comprehensive frameworks and guidance on internal controls, fraud prevention, and enterprise risk management.

COSO Internal Control-Integrated Framework

The COSO Internal Control-Integrated Framework provides an applied risk management approach to internal controls that’s relevant to both external financial reporting and internal control activities.

The COSO Framework aims to help companies, particularly publicly traded ones, reduce fraud and better manage risk via internal controls and executive oversight. Organizations that don’t meet COSO’s objectives can open themselves up to potentially disastrous problems, such as corruption and fraud, and also damage their reputations.

Five organizations sponsor COSO: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).

The International Standards for the Professional Practice of Internal Auditing require internal audit activities to “evaluate and contribute to the improvement of governance, risk management, and control processes.” As such, internal auditors play a key role in assessing how effective an organization’s internal control system is. Because internal auditors are independent, they can offer guidance to senior management, evaluate the internal control system the organization has implemented, and contribute to its continued effectiveness.

The internal auditors often play a crucial monitoring role. However, to maintain their independence, your internal auditors shouldn’t have any direct responsibility when it comes to designing, creating, or maintaining the controls that they’re supposed to evaluate. Rather, your internal auditors can only advise on how you can improve the internal controls.

The COSO Framework provides an applied enterprise risk management approach to internal controls. The COSO Framework, which applies to internal control activities and external financial reporting, helps your organization develop a system of internal control that adapts to your ever-changing business and operating environments. The COSO Framework also helps you mitigate corporate risks to acceptable levels and enables you to make better business decisions.

The COSO Framework defines an internal control system as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

According to the IIA, a control environment is the foundation on which an effective system of internal control is built and operated in a company that aims to:

  • Achieve its strategic objectives
  • Provide reliable financial reporting to internal and external stakeholders
  • Operate its business efficiently and effectively
  • Comply with all applicable laws and regulations
  • Safeguard its assets.

The 2013 update to the COSO Internal Control-Integrated Framework broadens the application of internal control in addressing operations and reporting objectives and clarifies the requirements for determining what constitutes effective internal control. The 2017 update to the COSO Enterprise Risk Management – Integrated Framework integrated risk considerations into the design as well as the implementation of internal controls and strategic objectives.

Five Components of the COSO Internal Control-Integrated Framework

The COSO Internal Control-Integrated Framework, a cornerstone in effective business and financial management, is structured around five key components that form the foundation of a robust internal control system. These components are:

  1. Control Environment: This foundational element sets the tone for the organization, encompassing integrity, ethical values, and the environment in which internal control operates. It establishes the discipline and structure that influence the effectiveness of internal controls.
  2. Risk Assessment: A systematic approach to identifying and managing business and financial risks, this component ensures that potential threats are recognized, assessed, and managed effectively.
  3. Control Activities: These are the policies and procedures that help ensure management’s directives are carried out. Control activities include a diverse range of mechanisms, from approvals and verifications to reconciliations and security measures, all designed to address and mitigate specific risks.
  4. Information and Communication: Central to the framework, this component involves the identification, capture, and communication of pertinent information in a form and timeframe that enables people to carry out their responsibilities. Effective communication also needs to occur in a broader sense, flowing down, across, and up the organization.
  5. Monitoring: Continuous or periodic evaluations are conducted to ascertain whether each component of the internal control system is functioning as intended. Monitoring ensures that shortcomings are identified and addressed in a timely manner.

Beyond these core components, the COSO Framework is further refined by delineating 17 principles associated with these components, offering a detailed structure for implementing and evaluating internal control. These principles provide a comprehensive approach for organizations to assess and enhance their internal control systems, ensuring effectiveness and efficiency in achieving business objectives, reliable financial reporting, and compliance with laws and regulations.

Control Environment

The control environment is the set of standards, processes, and structures that provide the foundation for carrying out internal control across a company. The control environment is the most important component in the COSO-based audit framework. During an audit, the control environment is assessed via discussions with management and employees.

At the top, your board of directors and senior management set the tone as to the importance of internal control, including the standards of conduct your organization expects. Your company’s managers then reinforce these expectations throughout the organization. Adequate training, written policies and procedures, and the general control structure are all components of the control environment evaluation.

The resulting control environment has an all-encompassing impact on your company’s overall system of internal control.

The five principles of the COSO control environment component are:

  • Your company’s integrity and ethical values;
  • The parameters that allow your board of directors to carry out their governance oversight responsibilities;
  • Your company’s organizational structure and the assignment of responsibility and authority;
  • The process for attracting, developing, and retaining competent employees;
  • The care and thoroughness around performance measures, incentives, and rewards to ensure employees are accountable for their work.

Risk Assessment

Every organization faces a number of risks from external and internal sources. Risk is defined as the possibility that an event will happen and have a negative effect on the achievement of objectives.

Risk assessment is the process of identifying and assessing the risks to the achievement of objectives. Risks to the achievement of objectives from across the organization are considered relative to the organization’s established risk tolerances. Consequently, risk assessment is the basis for determining how a company will manage its risks.

Risk assessment requires that your company’s management consider the impacts of possible changes in the internal and external environments that may render its internal controls ineffective and then take action to manage those impacts.

The four principles of the COSO risk assessment component are:

  • Specify appropriate objectives,
  • Identify and analyze risks,
  • Evaluate fraud risks, and
  • Identify and analyze changes that could significantly affect internal controls.

Control Activities

Control activities are those policies, procedures and internal controls put in place to mitigate risks to the achievement of objectives, particularly those that your company’s leadership deemed to be too risky during the risk assessment.

These are activities that management and their staff members, as well as your company’s internal auditors, test to ensure compliance. For example, if improper cash handling is the risk identified in the risk assessment, your company’s control activity might be to have two employees involved in cash payments.

Control activities are performed throughout a company, at all levels, and in all areas. Control activities encompass a range of manual and automated activities, including verifications, reconciliations, authorizations and approvals, asset safety, and business performance reviews.

The three principles of the COSO control activities component are:

  • Select and develop control activities that mitigate risks,
  • Select and develop technology controls, and
  • Deploy control activities through policies and procedures.

Information and Communication

Information systems play a major role in internal control systems because they produce reports, including operational and financial reports, as well as compliance-related information, which together make the operation and control of the business possible.

Information is necessary for an organization to carry out its internal control responsibilities in support of the achievement of its objectives. Management obtains (or generates) and uses relevant, quality information from internal and external sources to support the functioning of the internal control system.

Effective communication must ensure that the information your workers need to fulfill their responsibilities, such as the procedures for reporting suspected fraud, flows down, across, and up the company. This enables employees to receive a clear message from the organization’s senior management that they must take their control responsibilities seriously.

Effective communication with third parties, such as customers, suppliers, regulators, and shareholders, is also necessary. Inbound communication lets your employees receive relevant information from third parties, and outbound communication provides third parties with information about your company’s requirements and expectations.

The three principles of the COSO information and communication component are:

  • The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.
  • The organization internally communicates the information, including objectives and responsibilities for internal control, that’s necessary to support the functioning of internal control.
  • The organization communicates with third parties about matters that affect the functioning of internal control.

Monitoring Activities

Your organization must monitor your internal control system, a process that evaluates the quality of system performance over time. You can do this via ongoing monitoring evaluations, separate evaluations, or a combination of the two.

Ongoing evaluations, built into business processes at different levels of your company, provide timely information. Separate evaluations, which are conducted periodically, will vary depending on your risk assessment, effectiveness of the ongoing evaluations, and other management considerations.

The deficiencies in your internal control system that are detected through these monitoring activities have to be reported to senior management, who must correct them to ensure the continuous improvement of the system.

The two principles of the COSO monitoring activities component are:

  • The organization selects, develops, and performs ongoing and/or separate evaluations to determine if the components of internal control exist and are functioning.
  • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including your board of directors and senior management.

How does COSO Framework Integrate with Risk Management in an Audit Process?

The COSO Framework plays a pivotal role in integrating risk management within the audit process. It provides a structured approach for identifying, assessing, and managing risks, which is essential for thorough auditing. By aligning risk management with the framework’s five components – control environment, risk assessment, control activities, information and communication, and monitoring – auditors can ensure a comprehensive evaluation of an organization’s risk profile. This integration helps in identifying potential risk areas, evaluating the effectiveness of current controls, and recommending enhancements to mitigate identified risks. The framework encourages a proactive approach to risk management, ensuring that risks are continuously identified, analyzed, and managed throughout the audit cycle. This holistic view of risk management within the audit process leads to more effective decision-making and strengthens the organization’s overall internal control system.

How does the COSO Framework Assist Auditors in Evaluating Internal Controls?

The COSO Framework is an invaluable tool for auditors in evaluating an organization’s internal controls. It provides a well-defined structure that auditors can use to assess the effectiveness and efficiency of internal control systems. Each of the five components of the COSO Framework offers specific criteria and principles that guide auditors in their evaluation. For instance, the control environment component helps assess the tone at the top and the overall governance structure of the organization. The risk assessment component aids in understanding how well the organization identifies and manages its risks. Control activities focus on the policies and procedures in place to mitigate identified risks. The information and communication component evaluates how information flows within the organization and how well the control-related information is communicated. Lastly, the monitoring component assists in determining how effectively the organization assesses the performance of its internal controls over time. By using the COSO Framework, auditors can provide a more thorough, consistent, and objective evaluation of internal controls, leading to more reliable and actionable audit results.

Developing Your Organization’s Internal Control System

Developing an effective internal control system within your organization is crucial for ensuring operational efficiency, reliability of financial reporting, and compliance with laws and regulations. The COSO Framework provides a comprehensive model for this development. Start by establishing a strong control environment, setting the tone for integrity and ethical behavior at all levels of the organization. This involves defining clear roles, responsibilities, and lines of authority. Next, conduct thorough risk assessments to identify and prioritize potential risks, followed by designing and implementing control activities tailored to mitigate these risks. Ensure that information pertinent to internal controls is captured and communicated effectively, enabling informed decision-making. Lastly, institute a robust monitoring process to evaluate the internal control system’s effectiveness over time, making adjustments as necessary. By systematically implementing these steps, your organization can build a robust internal control system that supports business objectives and fosters a culture of accountability and continuous improvement.

Prepare for Your Internal Audit with ZenGRC

Preparing for your internal COSO (Committee of Sponsoring Organizations of the Treadway Commission) audit is significantly streamlined with ZenGRC’s comprehensive software solutions. ZenGRC offers an integrated framework that aligns seamlessly with COSO’s internal control principles, ensuring thorough risk assessment and management. Its intuitive dashboard provides real-time visibility into your organization’s compliance status, enabling you to identify and address any gaps proactively. The software’s robust reporting tools simplify the audit preparation process, offering clear and concise documentation that aligns with COSO’s guidelines. Additionally, ZenGRC’s automated features reduce the manual workload, allowing your team to focus on strategic aspects of the audit while ensuring accuracy and efficiency in compliance tracking.
