What is COSO?
COSO is a committee composed of representatives from five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Financial Executives International
4. Institute of Management Accountants
5. Institute of Internal Auditors
Together, the COSO board develops guidance documents that help
organizations with risk assessment, internal controls and fraud
prevention. Their vision is to “be a recognized thought leader in the
global marketplace on the development of guidance in the areas of
risk and control which enable good organizational governance and
reduction of fraud.”
What is the COSO Framework?
The original COSO framework was developed in 1992, with
the most recent version published in 2013. To understand the
framework, you must understand what it covers.
According to COSO, internal control:
● Focuses on achieving objectives in operations, reporting and/or
compliance
● Is an ongoing process
● Depends on people’s actions, not merely written policies and procedures
● Provides senior management with assurance to a reasonable (not absolute)
degree
● Can be adapted to the needs of the whole organization as well as each
department, unit or process.
1. Internal Control Goals
The COSO framework divides internal control objectives into three categories:
operations, reporting and compliance.
Operations objectives, such as performance goals and securing the organization’s
assets against fraud, focus on the effectiveness and efficiency of your business
operations.
Reporting objectives, including both internal and external financial reporting as well
as non-financial reporting, relate to transparency, timeliness and reliability of the
organization’s reporting habits.
Compliance objectives are internal control goals based around adhering to laws and
regulations that the organization must comply with.
2. Internal Control Components
The COSO framework further teaches that there are five components to an
internal control system. First, control environment is the “set of standards,
processes, and structures that provide the basis for carrying out internal controls
across the organization.” This component includes your:
● Ethical values
● Organizational structure
● Commitment to employing competent employees
● Human resources policies
Next, risk assessment involves your organization’s analysis of the
risks posed by internal and external changes, the ability to establish
objectives and determine their suitability for your business and the
process for weighing risks versus risk tolerances.
Control activities are the tasks and activities (laid out by
organizational policies and procedures) that help you achieve your
internal control objectives. These include actions such as
“authorizations and approvals, verifications, reconciliations, and
business performance reviews.”
The information and communication component recognizes these two
things as essential to any internal control system. COSO stresses the
importance of relevant and high-quality information to control functions.
Internal messages emphasizing the importance of control responsibilities,
together with clear communication of expectations to external parties, are
key to a strong system.
Finally, monitoring your internal controls is just as important as
establishing them. Use ongoing evaluations built into your business
processes as well as regular
The “COSO Cube”
The image of the cube shows the relationship between all the parts of an effective internal
control system.
The columns are the three objective categories (operations, reporting and compliance). The
rows consist of the five components. Your organizational structure fits into the third
dimension of the cube.
3. Developing Your Organization’s Internal Control System
The COSO framework explains that “an effective system of internal control
reduces, to an acceptable level, the risk of not achieving” objectives. When
developing your system, make sure that:
● All five components are present and working properly
● The five components work together as an integrated system
● It allows the organization to predict external circumstances that could impair
the achievement of your objectives and prepare for them appropriately
● It follows reporting regulations, rules and standards
● It complies with applicable laws, regulations, etc.