In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a flexible framework for designing, implementing, and evaluating internal controls.
On May 14, 2013, COSO issued a new Internal Control-Integrated Framework Executive Summary with revisions and updates to the 1992 framework. As part of the updates, the framework described the core principles of the framework rather than just implying what they were.
However, the main goal of the update was to make the internal control framework more relevant in an increasingly complex and global business environment.
There are five components of effective internal control under the COSO Integrated Framework for Internal Control.
COSO Five Components of Internal Control
These five components of internal control represent the five objectives of an acceptable internal control system: control environment, risk assessment, control activities, information and communication, and monitoring activities.
- The control environment represents a company’s culture of internal controls. This objective aims to determine if the company has a culture of discipline and compliance or culture of lax policies and procedures around internal control.
- During the risk assessment, an organization looks at all the activities and associated risks and identifies each as either low risk or high risk. For example, a risk assessment may identify billing or cash handling as risks that need to be audited.
- Control activities are the internal controls and procedures that are put in place to mitigate risks, especially the risks that management determines were too risky during the risk assessment. Management, staff, and internal auditors test control activities to ensure compliance. For example, if the risk assessment identifies cash handling as a risk, a control activity might be having two employees involved in cash payments.
- Information and communication are how management conveys the culture of compliance and the specific policies people need to follow. Information and communication are key parts of a culture of strict compliance.
- Monitoring activities are activities that managers use to monitor processes or internal controls within a company. For example, if a purchasing manager gets a weekly report of all purchases over $5,000, that person would be performing a monitoring activity.
The Members of COSO
COSO is a joint initiative of five private sector organizations dedicated to providing thought leadership by developing frameworks and guidance on enterprise risk management, internal controls, and fraud prevention:
- American Accounting Association
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
- The Institute of Internal Auditors (IIA)
- The Institute of Management Accountants (IMA)
The COSO framework aims to help companies establish, assess, and improve their internal controls.
The COSO framework defines internal control as, “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.”
The control objectives of the COSO integrated framework are at the heart of internal control.
Internal control over financial reporting is important because it determines the accuracy of an organization’s financial statements. A functioning internal control process offers users “reasonable assurance” that a company’s financial statements are accurate and they can rely on them to make informed decisions. Internal controls in financial reporting are created specifically to address the risks of intentional or unintentional misstatements in a company’s financial statements.
Although the COSO internal control framework isn’t a legal requirement, it is considered best practice and therefore adopted by the majority of companies in the United States. The updated version of the framework gives companies more confidence that their internal controls can mitigate risks to acceptable levels.