
Committee of Sponsoring Organizations of the Treadway Commission

COSO internal control integrated framework

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, charged with studying and reporting on the factors that can lead to fraudulent financial reporting.

The COSO internal control framework identifies five components:

1.       Control environment. Senior management must set an appropriate tone at the top that positively influences the control consciousness of entity personnel. This is the foundation for all other internal controls and provides discipline and structure.

a.       Demonstrate commitment to integrity and ethical values

b.       Exercise oversight responsibility

c.       Establish structure, authority, and responsibility

d.       Demonstrate commitment to competence

e.       Enforce accountability

2.       Risk assessment. An entity must be aware of and deal with financial reporting risks. It must set objectives.

a.       Specify clear objectives

b.       Identify and analyse risk

c.       Assess fraud risk

d.       Identify and analyse significant changes

3.       Control activities. Control policies and procedures must be established and executed to ensure that transactions (day-to-day sales and expense transactions, or periodic accruals and consolidations) result in complete and accurate accounting recognition.

a.       Select and develop control activities to mitigate risk

b.       Select and develop information technology general controls

c.       Deploy controls through policy and procedures

4.       Information and communication. Information systems, whether manual or, more likely, automated, enable an entity to capture and exchange the information needed to conduct, manage and control operations. Communication is both internal and external.

a.       Use relevant information

b.       Communicate internally

c.       Communicate externally

5.       Monitoring. Management is responsible for monitoring. Auditors are not part of internal controls. The entire company control process should be monitored on a regular basis by management. A company is expected to be proactive in identifying and correcting control deficiencies.

a.       Conduct ongoing and/or separate evaluations

b.       Evaluate and communicate deficiencies

In 2003, COSO published draft guidelines on Enterprise Risk Management (ERM). The 2013 COSO Framework replaced the 1992 and 2006 Framework guidance and documents, but retained the five basic components. It identifies 17 Principles that are deemed essential to the components. The 2013 Framework accommodates two emerging trends:

·         widespread use of outsourcing, and

·         widespread adoption of computer processing.

There is more attention to areas other than control activities, and greater focus on risk assessment. Risk is measured by its velocity and persistence.