Principles of the COSO Framework

An organization without a secure and well-founded internal control system is like a rowdy teenager without parental guidance; it’ll eventually run into all sorts of trouble. Process errors and fraud instances can immobilize your company and attract poor PR. That’s when the COSO framework can help. This framework guides corporations to design and implement internal control systems and continually assess their effectiveness.

The rise-and-fall stories of Enron and WorldCom are classic examples of how internal control gaffes can tank even substantial enterprises. By implementing the COSO internal control framework, companies can better manage risks and avoid the steep financial costs of remedying internal control errors and the time-intensive process of repairing reputation damage.

What Is the COSO Framework? Origin and History

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission first developed the Internal Control—Integrated Framework in 1992. The framework’s primary aim was to help companies establish inclusive internal control structures and continually measure them to assess their effectiveness.

This aligns with COSO’s mission of helping companies strengthen their internal control objectives, enterprise risk management, fraud deterrence and governance. The 1992 framework focused on internal controls. The Internal Control—Integrated Framework was substantially revised in 2013 through an initiative funded by COSO’s private sector sponsors:

  • The Institute of Internal Auditors (IIA)
  • American Accounting Association (AAA)
  • Financial Executives International (FEI)
  • Institute of Management Accountants (IMA)
  • American Institute of Certified Public Accountants (AICPA)

The 2013 internal control update was necessitated by different factors that included:

  • Increasing reliance on emerging and evolving technology
  • Elevated regulatory demands and scrutiny
  • Globalization of market and industry operations
  • Increased government oversight
  • Heightened public and stakeholder expectations on institutional accountability

Before we delve into the components and principles of the COSO framework, it’s important to define modern internal controls.

What Is Internal Control?

Internal control is a continuous process spearheaded by an organization’s board of directors, compliance managers, internal audit directors and other relevant personnel. Its main aim is to provide reasonable safeguards towards achieving operations, reporting and compliance goals.

Examples of internal controls include:

  • Duty allocation and segregation: Assigning staff members or teams specific tasks and holding them accountable for the outcomes
  • Physical asset control: Securing and restricting access to your company’s critical assets like cash, inventory and business data, such as by using physical locks and safes or password protection to limit access only to authorized individuals
  • Budgetary reviews: Conducting periodic audits of budget statements by management to establish spending habits and an organization’s financial standing

Internal control isn’t a be-all and end-all affair but a continuous and dynamic process that must be flexible enough to adapt to the various structures of an entity. It guides and facilitates audit and risk management to make sound judgments at every organizational level to eliminate inefficient, ineffective and redundant controls.

The COSO internal control framework gives audit professionals and managers:

  • A medium to implement internal control in organizations in any industry
  • A value-driven approach that provides room for judgment in drafting, executing and managing internal control principles across all organizational levels
  • A set of minimum requirements to set up an effective system of internal control depending on an organization’s operations
  • A methodology to detect and analyze risks and establish acceptable responses
  • An opportunity to eliminate inefficient internal controls that hinder the fulfillment of an organization’s goals

Objectives of the Internal Control Framework

The COSO internal control framework serves operations, reporting and compliance objectives.

Operations goals focus on elevating the performance, effectiveness and efficiency of a company’s activities, such as financial and risk management and asset protection activities. Reporting objectives focus on upholding transparency and authenticity around all forms of internal and external financial reporting and non-financial reporting that a company engages in. Compliance objectives focus on facilitating compliance with pertinent laws and regulations that an organization must follow.

The 5 Components of the COSO Internal Control Framework

The COSO framework isn’t standalone but an integrated system. It consists of five interconnected components, each with a unique role.

1. Control Environment

This is the foundational component upon which an effective internal control system is built. It consists of a cluster of guidelines, processes, standards and structures that organizations follow when installing their internal control systems. The control environment spells out:

  • A company’s operating ethics and culture
  • The organizational structure and delegation of authority and duties
  • The principles the board of directors follows to exercise its oversight duties effectively
  • The organization’s human resource policies and talent attraction and retention strategies

The directors and high-ranking managers are responsible for setting the tone and the standard of conduct expected of the control environment. Because the control environment dictates the performance of the internal control system, audit and risk managers responsible for implementation should strive to get it right from the get-go.

2. Risk Assessment

Companies grapple with different types and levels of emerging risks depending on various factors, such as the nature and magnitude of operations and the type of industry. Risks can be triggered by multiple internal or external factors that an organization is exposed to during daily operations.

Risk assessment is the continuous process of identifying the different internal and external risk profiles that can deter the achievement of your company’s goals. After identification, weigh the risk exposure levels against the risk tolerance of your organization’s compliance, reporting and operations departments.

Risk assessment should be an ongoing process, as risk levels metamorphose in response to changes in the internal and external environment that may weaken the internal control system.

3. Control Activities

The control environment and risk assessment components yield a host of activities and processes that must be implemented at all levels of the organization to actualize the COSO framework. Control activities put management’s risk-response directives into practice and ensure those directives are carried out.

Typically, control activities fall under three categories:

  • Preventive Controls: For stopping errors before they enter the system
  • Detective Controls: For uncovering errors that have already entered the system
  • Corrective Controls: For fixing the detected errors

These control activities happen at various company levels according to the organization’s objectives, as detailed in the first two components. Control activities are the bulk of the COSO internal control framework. They include processes such as verification, audits, asset control, authorizations, approvals, duty segregation, business performance reviews and reconciliations.

4. Information & Communications

Implementing the COSO framework successfully takes a collaborative effort between internal parties (a company’s workforce) and external parties such as auditors, regulatory authorities, and concerned shareholders. This component establishes internal and external communication protocols that all parties follow to implement the internal control responsibilities and set objectives.

It facilitates smooth information exchange and real-time communication among involved parties. This component also includes data security best practices to safeguard the privacy of the information shared among all stakeholders involved.

5. Monitoring Activities

The last component of the COSO framework is the watchdog role that ensures all the other components run optimally. Monitoring can happen through ongoing evaluations built into the control framework or through separate assessments scheduled on an as-needed basis. The activities in this final component include monitoring, measuring and reporting on the progress and performance of the internal control framework relative to the expected standards set by regulators.


The 17 Principles of the COSO Framework

Each of the five pillars of the COSO framework operates under specific principles that champion operations, reporting and compliance objectives. Let’s outline these principles under each component to get the full picture of what the COSO internal control framework entails.

Control Environment

The control environment sets the tone for a company’s internal control culture. The managers at the top are responsible for establishing the control environment. The principles within this component include:

1. An entity commits to a code of ethics and integrity standards that all employees adhere to. It outlines provisions for whistle-blower policies and ethics training.

2. The organization’s Board of Directors maintains autonomy from management. This empowers them to perform oversight functions independently to facilitate optimal performance of the internal control system.

3. An entity’s management establishes and defines the organizational structure, power hierarchies and role delegation. This structure dictates the company’s standard operating procedure.

4. The company commits to a talent acquisition and retention standard that complements its set objectives.

5. The organization institutes and enforces accountability standards that hold individuals liable for the performance and execution of their assigned internal control duties.

Risk Assessment

Continuous risk assessment keeps companies on the path to operational success by analyzing a host of potential internal control risks that can obstruct their performance and goal attainment. Principles under this category include:

6. The organization defines objectives precisely, outlining specific details that facilitate risk identification and assessment pursuant to the company’s objectives.

7. An entity outlines potential risks that can obstruct the accomplishment of its objectives. It leverages methodologies like SWOT analysis to pinpoint risks and develop management strategies and concepts.

8. The company accounts for potential fraud in the risk assessment process and develops counteraction strategies.

9. The company forecasts shifts with the potential to substantially influence the entire internal control system.

Figure: bar chart showing risks and their current risk ratings as part of a controls and compliance framework. Visualizing risks and their corresponding ratings in real time helps manage risk more effectively.

Control Activities

Control activities describe the actual processes, policies and procedures required for the actualization of internal controls. The principles defining this pillar are:

10. The company devises and designates control activities geared towards mitigating risks impeding its objectives in operations, reporting and compliance.

11. The organization develops internal control activities that govern technology usage to facilitate proper application in line with the set goals.

12. The company issues policies and procedures that explain how the control activities should be actualized.

Information and Communication

Information and communication are important for setting specific information-exchange protocols that all stakeholders involved in internal control operations follow. This component prevents staff from establishing parallel communication systems that create disarray in a company. These are the principles under this fourth component of the COSO framework:

13. The entity leverages quality, accurate, relevant and verifiable information to validate internal control functions.

14. The company establishes an internal communication system to facilitate information exchange and collaboration among individuals tasked with executing internal control duties.

15. The organization sets up external communication channels and protocols to streamline correspondence with external parties, including regulators and investors.

Monitoring Activities

Ongoing monitoring ensures internal control operations run as originally designed, keeping the company on track to achieve its set objectives. The two principles nested in the final component are:

16. The company conducts regular internal control testing and evaluations to verify that all internal control components function optimally. It also conducts separate external evaluations to ensure the accuracy of all deliverables shared with third parties, for instance, financial statements.

17. The organization’s risk and internal audit professionals report any internal control deficiencies to the relevant personnel tasked with correcting the errors and keeping the framework up and running.

Figure: dashboard showing an audit performance summary as part of controls management. An audit dashboard can help monitor and manage control deficiencies.

Implementing the COSO Framework

Actualizing the COSO framework is a systematic process that includes the following steps:

  1. Extensive planning: Create an implementation roadmap that aligns with your organizational goals. Procuring compliance and internal audit software helps you streamline COSO control activities.
  2. Assessment and documentation: Organize pertinent documents that validate the need for COSO framework implementation in accordance with the organization’s objectives.
  3. Remediation: Roll out risk mitigation strategies to bridge the internal control gaps established during the evaluation phase.
  4. Testing and reporting: Put your internal control framework to a real-life test and report the outcome to the relevant authorities.
  5. Iterate and upgrade: Fine-tune your COSO framework, identifying and shoring up gaps until it operates smoothly, with all the moving parts playing their functions effectively.

Scope and Limitations of the COSO Framework

The wide scope of the COSO framework is also its primary restriction. Because it’s designed to serve organizations across multiple industries, it lacks specificity in implementing internal control activities for a particular company.

Internal auditors and management personnel tasked with implementing the COSO framework must first internalize it in detail and customize it to fit their organization’s objectives and needs.

The other limitation is the complexity of the COSO framework. Without a dedicated team of experienced internal audit/risk management professionals, it’s almost impossible to coordinate all the moving parts and implement them successfully. This makes it costly for small businesses without the resources to support a dedicated internal control team.

Implement the COSO Framework Like a Pro

Implementing the COSO internal control framework can be key for establishing and maintaining effective internal controls. However, the implementation can be challenging, especially for first-timers. With so many internal and external factors at play, it helps to have controls & compliance software aligned with internal audit software to navigate the complexities for smooth implementation.

Contact us today to request a demo and see what the COSO framework looks like in Onspring.