What is the COSO Internal Control Framework?
The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) established a model for evaluating internal controls for organizations. This model was adopted as the generally accepted framework for internal control, and it is widely recognized as the definitive standard against which organizations measure the effectiveness of their internal control systems. An overview of the COSO internal control framework is available here.
The COSO model defines internal control as a process effected by an organization’s board of directors, management, and other personnel designed to provide reasonable assurance of the achievement of objectives in the following three categories:
In an effective internal control system, the following five components work to support the achievement of an organization’s mission, strategies, and related organizational objectives:
1. Control Environment
2. Risk Assessment
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the organization and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly affect the system of internal control.
3. Control Activities
4. Information and Communication
These five components work to establish the foundation for a sound internal control system within an organization through directed leadership, shared values, and a culture that emphasizes accountability for control. The various risks facing an organization should be identified and assessed routinely at all levels and within all functions of the organization. Control activities and other mechanisms should be proactively designed to address and mitigate identified risks, and information critical to identifying risks and meeting organizational objectives should be communicated through established channels across the organization. Lastly, the entire internal control system should be continuously monitored and problems addressed in a timely manner.