A COSO internal control questionnaire is a document auditors use to help determine an organization’s compliance with internal control system requirements issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control-Integrated Framework.
The internal control framework, commonly referred to as “COSO,” was first developed in 1992 to help protect organizations against fraud by providing an internal control structure to ensure that entities function as they should. A major update to the framework was released in 2013. For a detailed history of COSO and a complete guide on compliance with this important document, check out our Guide to COSO Framework and Compliance.
COSO defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel; designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
The COSO framework provides guidance on effective internal controls and control activities. In practice, that means the framework helps an organization assure that:
- Employees adhere to ethical values;
- Financial statements are free of material mistakes and misstatements;
- Business processes and transactions operate in accordance with applicable laws and regulations;
- Assets and shareholders are protected from fraud; and
- Operations run efficiently and effectively.
COSO’s guidance encompasses the entire organization, from auditing to human resources to IT and beyond, and applies to senior management, the board of directors (including the audit committee), and information technology employees alike. The framework lists five components of internal control:
1. Control environment
- Commitment to integrity and ethical values
- Independent board of directors’ oversight
- Structures, reporting lines, authorities, and responsibilities
- Attract, develop, and retain competent people
- People held accountable for internal control responsibilities
2. Risk assessment
- Clear objectives specified
- Risks identified to the achievement of objectives
- Potential for fraud considered
- Significant changes identified and assessed
3. Control activities
- Select and develop control activities that mitigate risk
- Select and develop technology controls
- Implement control activities through policies and procedures
4. Information and communication
- Quality information obtained, generated, and used
- Internal control information internally communicated
- Internal information externally communicated
5. Monitoring activities
- Ongoing and/or separate evaluations conducted
- Internal control deficiencies evaluated and communicated
COSO also helps organizations comply with a number of laws and regulations such as the Sarbanes-Oxley Act (SOX), a U.S. law enacted in 2002 to protect public companies and their stakeholders from accounting errors and fraud; and the Foreign Corrupt Practices Act (FCPA), a corporate anti-corruption law. For compliance with SOX and FCPA, COSO is the definitive tool.
Using the Questionnaire
An internal control questionnaire can be useful in determining an organization’s state of COSO compliance and in understanding which compliance gaps require corrective action. Internal and external auditors alike can use a questionnaire in conjunction with site visits and interviews to determine the completeness and effectiveness of an organization’s system of internal control, including its organizational structure, risk management activities, segregation of duties, policies and procedures, and more.
A comprehensive set of questionnaire documents from the NASC Internal Controls Information Sharing Group can be useful when conducting COSO internal control assessments. These documents cover:
- Accounting Systems
- Budgets and Planning
- Buy American Act
- Capital Assets
- Civil Rights
- Control Environment
- Davis-Bacon Act
- Drug-Free Workplace Section
- Federal Student Financial Aid
- Financial Reporting
- Grant Administration Guidance
- Information Systems and Technology
- Personnel and Payroll
- Risk Assessment
- System Interfaces with State Accounting System
COSO Compliance, Simplified
Questionnaires can help auditors determine your organization’s compliance with SOX or FCPA using the COSO framework, but doing that task manually can be painstakingly slow and rife with error. Our governance, risk management, and compliance solution, ZenGRC, makes the process simpler.
ZenGRC provides visibility into your system and networks to show where you comply with COSO (and more than a dozen other frameworks) and where you don’t, and how to fill any gaps.
Zen tracks workflows so you know what’s getting done and what isn’t, and why.
Zen helps you create and send vendor questionnaires, and collects and compiles the results.
Zen even allows you to self-audit in a few clicks, as often and as many times as you want; and collects all your audit trail evidence in a handy “single source of truth” repository.
There’s a reason why some of the world’s best companies use ZenGRC for their risk and compliance programs. There’s also a reason why some risk and compliance managers sleep better than others. Worry-free risk management and compliance is the Zen way. Contact us today to schedule your free consultation.