COSO Internal Control Framework

Committee of Sponsoring Organizations of the Treadway Commission

What is COSO?

The COSO Internal Control - Integrated Framework (2013 update) provides a comprehensive approach to internal control, helping organizations achieve their objectives in operations, reporting, and compliance. It consists of 5 components and 17 principles that work together to establish an effective system of internal control; for the system to be judged effective, each of the five components and all relevant principles must be present and functioning, and the components must operate together.

Five Components of Internal Control


  1. Control Environment: The foundation; sets the tone of the organization
  2. Risk Assessment: Identify and analyze risks to achieving objectives
  3. Control Activities: Policies and procedures to mitigate risks
  4. Information & Communication: Generate and communicate relevant information
  5. Monitoring Activities: Ongoing evaluations of control effectiveness

Three Categories of Objectives

  • Operations: Effectiveness and efficiency of the entity's operations, including operational and financial performance goals and safeguarding assets against loss
  • Reporting: Reliability, timeliness, and transparency of internal and external financial and non-financial reporting
  • Compliance: Adherence to the laws and regulations to which the entity is subject

Component 1: Control Environment

5 Principles

  • Principle 1: The organization demonstrates a commitment to integrity and ethical values
  • Principle 2: The board of directors demonstrates independence from management and exercises oversight of internal control
  • Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities
  • Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals
  • Principle 5: The organization holds individuals accountable for their internal control responsibilities

💡 Why This Matters

The control environment is the foundation of all other components. It sets the tone at the top and establishes the discipline and structure for the entire organization. Without a strong control environment, other control activities may be ineffective. This includes organizational culture, ethical values, management's operating style, and the competence of personnel.


Component 2: Risk Assessment

4 Principles

  • Principle 6: The organization specifies objectives with sufficient clarity to enable identification and assessment of risks
  • Principle 7: The organization identifies risks to achievement of its objectives and analyzes risks as a basis for determining how the risks should be managed
  • Principle 8: The organization considers the potential for fraud in assessing risks to achievement of objectives
  • Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control

💡 Why This Matters

Risk assessment is a dynamic, iterative process that identifies and assesses risks to achieving organizational objectives. It forms the basis for determining how risks should be managed. Organizations must consider both internal and external factors, including the risk of fraud. Understanding risks allows management to determine which controls are necessary and how resources should be allocated.


Component 3: Control Activities

3 Principles

  • Principle 10: The organization selects and develops control activities that contribute to mitigation of risks to acceptable levels
  • Principle 11: The organization selects and develops general control activities over technology to support achievement of objectives
  • Principle 12: The organization deploys control activities through policies that establish expectations and procedures that put policies into action

Common Types of Control Activities

  • Authorization and Approval: Proper authorization for transactions
  • Segregation of Duties: Separating incompatible functions
  • Physical Controls: Securing assets and records
  • Reconciliations: Comparing records and taking corrective action
  • Reviews of Performance: Analyzing results vs. expectations
  • Information Processing: IT controls including access and change management
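Segregation of duties is the one item on this list that is routinely checked by script rather than by hand: an entitlement export from the ERP or IAM system is compared against a register of incompatible role pairs. The following is an added illustration, not text or code from COSO or from any product; the role names, the rule set, the approved-exception register and the entitlement rows are all hypothetical and constructed here. It also shows the caveat a practitioner wants: where a conflict cannot be designed out (small teams), the override is documented with an expiry, and an expired override is reported as a conflict again rather than silently tolerated.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement export.

Added example, not COSO material. Assumes a hypothetical export of
(user, role) rows and a hypothetical rule set of incompatible role pairs.
Every name and row below is constructed for the illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed rule set: role pairs one person must not hold at the same time.
SOD_RULES = {
    frozenset({"vendor_create", "payment_approve"}):
        "can create a vendor and approve payment to it",
    frozenset({"code_commit", "prod_deploy"}):
        "can change code and push it to production without review",
    frozenset({"user_admin", "audit_log_admin"}):
        "can grant access and erase the record of doing so",
}

# Constructed approved exceptions (compensating control on file), keyed by
# (user, role pair) and valued with the date the override expires.
APPROVED_EXCEPTIONS = {
    ("dave", frozenset({"code_commit", "prod_deploy"})): date(2099, 1, 1),
    # Alice's override lapsed; it must be renewed or the conflict is reported.
    ("alice", frozenset({"vendor_create", "payment_approve"})): date(2020, 1, 1),
}

# Constructed entitlement export, one (user, role) row per grant.
ENTITLEMENTS = [
    ("alice", "vendor_create"),
    ("alice", "payment_approve"),
    ("bob", "code_commit"),
    ("carol", "prod_deploy"),
    ("dave", "user_admin"),
    ("dave", "audit_log_admin"),
    ("dave", "code_commit"),
    ("dave", "prod_deploy"),
]


def roles_by_user(entitlements):
    """Collapse (user, role) rows into {user: set(roles)}."""
    held = defaultdict(set)
    for user, role in entitlements:
        held[user].add(role)
    return held


def find_sod_conflicts(entitlements, rules=SOD_RULES,
                       exceptions=APPROVED_EXCEPTIONS, today=None):
    """Return [(user, role_a, role_b, reason)] for every unexcepted conflict.

    A conflict is suppressed only while a documented exception is still
    valid; an expired exception does not count.
    """
    today = today or date.today()
    conflicts = []
    for user, roles in sorted(roles_by_user(entitlements).items()):
        for pair, reason in rules.items():
            if not pair <= roles:
                continue
            expiry = exceptions.get((user, pair))
            if expiry is not None and expiry >= today:
                continue  # compensating control on file and still current
            role_a, role_b = sorted(pair)
            conflicts.append((user, role_a, role_b, reason))
    return conflicts


if __name__ == "__main__":
    for user, role_a, role_b, reason in find_sod_conflicts(ENTITLEMENTS):
        print(f"{user}: {role_a} + {role_b}: {reason}")
```

Run against the constructed data, this reports Alice (expired exception) and Dave's admin/audit-log combination, while Dave's commit/deploy pair is suppressed by the current override. In practice the rule set is owned by the control owner, not the script author, and the exception register is itself reviewed under monitoring.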

💡 Why This Matters

Control activities are the actions established through policies and procedures that help ensure management directives to mitigate risks are carried out. They occur throughout the organization, at all levels and in all functions. Effective control activities are appropriate to the risk, selected to operate at the required level of precision, and consistently applied.


Component 4: Information & Communication

3 Principles

  • Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
  • Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support functioning of internal control
  • Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control

Key Aspects of Information & Communication

  • Quality Information: Accurate, timely, relevant, and accessible
  • Internal Communication: Up, down, and across the organization
  • External Communication: With customers, suppliers, regulators, and shareholders
  • Communication Channels: Multiple channels to ensure message delivery
  • Separate Reporting Lines: An independent channel, such as a whistle-blower hotline, for reporting control deficiencies or suspected misconduct when the normal reporting line is the problem

💡 Why This Matters

Information is necessary for the organization to carry out internal control responsibilities and support achievement of objectives. Communication occurs both internally and externally and provides the organization with the information needed to conduct day-to-day controls. Quality information and effective communication enable personnel to understand their roles and how their activities relate to the work of others.


Component 5: Monitoring Activities

2 Principles

  • Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether components of internal control are present and functioning
  • Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Types of Monitoring Activities

  • Ongoing Evaluations: Built into business processes, performed in real-time
  • Separate Evaluations: Conducted periodically by internal audit or external parties
  • Management's Self-Assessment: Managers evaluate controls in their area
  • Automated Monitoring: System-generated reports and exception reports
  • External Audits: Independent assessment by external auditors
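An exception report is the typical form of automated ongoing evaluation: a script reads the record of what actually happened and lists the events that did not satisfy the control. The following is an added example, not COSO material and not any vendor's tooling. It assumes a hypothetical deployment log with one JSON object per line and a hypothetical change-ticket register, both constructed here, and tests a change-management control: every production deployment must reference an approved ticket, approved by someone other than the requester or deployer, and occur inside the approved window.

```python
"""Automated monitoring: exception report for production changes.

Added example, not COSO material. The log format, ticket register and
all events below are constructed for the illustration.
"""
import json
from datetime import datetime

# Constructed deployment log, one JSON event per line.
DEPLOY_LOG = """\
{"ts": "2024-06-03T09:12:00Z", "actor": "bob",   "env": "prod",    "change_id": "CHG-1041", "artifact": "billing:4.2.1"}
{"ts": "2024-06-03T11:45:00Z", "actor": "dave",  "env": "prod",    "change_id": null,       "artifact": "billing:4.2.2"}
{"ts": "2024-06-04T02:10:00Z", "actor": "carol", "env": "prod",    "change_id": "CHG-1042", "artifact": "auth:1.9.0"}
{"ts": "2024-06-04T16:00:00Z", "actor": "carol", "env": "staging", "change_id": null,       "artifact": "auth:1.9.1"}
{"ts": "2024-06-05T10:30:00Z", "actor": "bob",   "env": "prod",    "change_id": "CHG-1043", "artifact": "web:7.0.0"}
"""

# Constructed change-ticket register.
TICKETS = {
    "CHG-1041": {"status": "approved", "requester": "bob", "approver": "erin",
                 "window_start": "2024-06-03T08:00:00Z", "window_end": "2024-06-03T12:00:00Z"},
    "CHG-1042": {"status": "approved", "requester": "carol", "approver": "carol",
                 "window_start": "2024-06-04T01:00:00Z", "window_end": "2024-06-04T03:00:00Z"},
    "CHG-1043": {"status": "approved", "requester": "bob", "approver": "erin",
                 "window_start": "2024-06-06T08:00:00Z", "window_end": "2024-06-06T12:00:00Z"},
}


def parse_ts(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_deploy(event, tickets):
    """Return the list of control exceptions for one production deployment."""
    change_id = event.get("change_id")
    if not change_id:
        return ["no change ticket"]
    ticket = tickets.get(change_id)
    if ticket is None:
        return [f"unknown ticket {change_id}"]
    findings = []
    if ticket["status"] != "approved":
        findings.append("ticket not approved")
    # Segregation of duties: the approver must be neither the requester nor the deployer.
    if ticket["approver"] in (ticket["requester"], event["actor"]):
        findings.append("self-approved")
    ts = parse_ts(event["ts"])
    if not parse_ts(ticket["window_start"]) <= ts <= parse_ts(ticket["window_end"]):
        findings.append("outside approved window")
    return findings


def exception_report(log_text, tickets):
    """Scan the log and return only the production deployments with findings."""
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("env") != "prod":
            continue  # the control is scoped to production changes
        findings = check_deploy(event, tickets)
        if findings:
            report.append({"ts": event["ts"], "actor": event["actor"],
                           "artifact": event["artifact"],
                           "change_id": event.get("change_id"),
                           "findings": findings})
    return report


if __name__ == "__main__":
    for item in exception_report(DEPLOY_LOG, TICKETS):
        print(item["ts"], item["actor"], item["artifact"], ", ".join(item["findings"]))
```

On the constructed data the report lists three exceptions: a deployment with no ticket, a ticket approved by its own requester, and a deployment a day ahead of its approved window; the compliant deployment and the staging change are not reported. Under Principle 17 the report is only half the control: each line needs an owner, a deadline, and evidence of correction, and the running count of open exceptions is what management and the board should see.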

💡 Why This Matters

Monitoring ensures that internal controls continue to operate effectively over time. It involves assessing the quality of internal control performance on an ongoing basis and identifying and reporting control deficiencies in a timely manner. Without monitoring, controls may deteriorate or become ineffective due to changing conditions. Deficiencies should be communicated to those responsible for corrective action and to senior management and the board as appropriate.