COSO-Based Internal Auditing
Published May 19, 2020 by Tricia Scherer
Internal audit and compliance departments benefit from a comprehensive framework for performing corporate risk assessments, testing internal controls, and fighting fraud. The most widely used such framework is the COSO Framework.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was originally formed in the United States in 1985 to combat corporate fraud. This commission developed recommendations for public companies, internal audit departments, and educational institutions.
COSO was created and designed to provide thought leadership by developing comprehensive frameworks and guidance on internal controls, fraud prevention, and enterprise risk management.
COSO Internal Control-Integrated Framework
The COSO Internal Control-Integrated Framework provides an applied risk management approach to internal controls that is relevant both to external financial reporting and to internal control activities.
The COSO Framework aims to help companies, particularly publicly traded ones, reduce fraud and better manage risk through internal controls and executive oversight. Organizations whose control systems fall short of COSO's objectives expose themselves to potentially disastrous problems, such as corruption and fraud, and to the reputational damage that follows.
Five organizations sponsor COSO: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).
The International Standards for the Professional Practice of Internal Auditing require internal audit activities to “evaluate and contribute to the improvement of governance, risk management, and control processes.” As such, internal auditors play a key role when it comes to assessing how effective an organization’s internal control system is. The independent internal auditors offer guidance to senior management and accordingly, they can evaluate the internal control system the organization implemented and contribute to its continued effectiveness.
The internal auditors often play a crucial monitoring role. However, to maintain their independence, your internal auditors shouldn’t have any direct responsibility when it comes to designing, creating, or maintaining the controls that they’re supposed to evaluate. Rather, your internal auditors can only advise on how you can improve the internal controls.
The COSO Framework, which applies to internal control activities and external financial reporting, helps your organization develop a system of internal control that adapts to changing business and operating environments. It also helps you reduce corporate risks to acceptable levels and supports better business decisions.
The COSO Framework defines an internal control system as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
According to the IIA, a control environment is the foundation on which an effective system of internal control is built and operated in a company that aims to:
- Achieve its strategic objectives
- Provide reliable financial reporting to internal and external stakeholders
- Operate its business efficiently and effectively
- Comply with all applicable laws and regulations
- Safeguard its assets.
The 2013 update to the COSO Internal Control-Integrated Framework broadened the application of internal control to operations and reporting objectives and clarified the requirements for determining what constitutes effective internal control. The 2017 update to COSO's Enterprise Risk Management framework (retitled Enterprise Risk Management – Integrating with Strategy and Performance) ties risk considerations into strategy-setting and performance as well as into the design and implementation of internal controls.
Five Components of the COSO Internal Control-Integrated Framework
The COSO Internal Control-Integrated Framework includes the following five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The COSO Framework adds structure to these components by defining 17 principles of internal control, distributed across the five components as described below.
Control Environment
The control environment is the set of standards, processes, and structures that provide the foundation for carrying out internal control across a company. COSO treats it as the foundation on which the other four components rest, which makes it the most consequential component in a COSO-based audit. During an audit, the control environment is assessed largely through discussions with management and employees, since much of it consists of culture and expectations rather than discrete procedures.
At the top, your board of directors and senior management set the tone as to the importance of internal control, including the standards of conduct your organization expects. Company managers then reinforce these expectations throughout the organization. Adequate training, written policies and procedures, and the general control structure are the elements evaluated as part of the control environment.
The resulting control environment has an all-encompassing impact on your company’s overall system of internal control.
The five principles of the COSO control environment component are:
- Your company’s integrity and ethical values;
- The parameters that allow your board of directors to carry out their governance oversight responsibilities;
- Your company’s organizational structure and the assignment of responsibility and authority;
- The process for attracting, developing, and retaining competent employees;
- The care and thoroughness around performance measures, incentives, and rewards to ensure employees are accountable for their work.
Risk Assessment
Every organization faces risks from external and internal sources. COSO defines risk as the possibility that an event will occur and adversely affect the achievement of objectives.
Risk assessment is the process of identifying and analyzing the risks to the achievement of objectives. Risks from across the organization are considered relative to established risk tolerances, so the assessment becomes the basis for deciding how the company will manage each risk and which control activities it needs.
Risk assessment also requires that management consider changes in the internal and external environment that could render existing internal controls ineffective, and then act to manage the impact of those changes.
The four principles of the COSO risk assessment component are:
- Specify appropriate objectives,
- Identify and analyze risks,
- Evaluate fraud risks, and
- Identify and analyze changes that could significantly affect internal controls.
Control Activities
Control activities are the policies, procedures, and internal controls put in place to mitigate risks to the achievement of objectives, particularly the risks that leadership judged, during the risk assessment, to exceed its tolerance.
These are the activities that management and staff, as well as the company's internal auditors, test to confirm they operate as designed. For example, if the risk assessment identifies improper cash handling, the corresponding control activity might require two employees to be involved in every cash payment, so that no single person can both initiate and approve a disbursement.
Control activities are performed throughout a company, at all levels, and in all areas. Control activities encompass a range of manual and automated activities, including verifications, reconciliations, authorizations and approvals, asset safety, and business performance reviews.
The three principles of the COSO control activities component are:
- Select and develop control activities that mitigate risks,
- Select and develop technology controls, and
- Deploy control activities through policies and procedures.
Information and Communication
Information systems play a major role in internal control systems because they produce reports, including operational and financial reports, as well as compliance-related information, which together make the operation and control of the business possible.
Information is necessary for an organization to carry out its internal control responsibilities to support the achievement of its objectives. Management obtains—or generates—and uses the relevant and quality information from internal and external sources to support the functioning of the internal control system.
Effective communication ensures that the information employees need to fulfill their responsibilities, such as the procedure for reporting suspected fraud, flows down, across, and up the company. It also carries the clear message from senior management that control responsibilities must be taken seriously.
Effective communication with third parties, such as customers, suppliers, regulators, and shareholders, is also necessary. Inbound communication lets employees receive relevant information from third parties; outbound communication informs third parties of your company's requirements and expectations.
The three principles of the COSO information and communication component are:
- The organization obtains or generates, and uses, relevant, quality information to support the functioning of internal control.
- The organization internally communicates the information, including objectives and responsibilities for internal control, that’s necessary to support the functioning of internal control.
- The organization communicates with third-party providers about things that affect the functioning of internal control.
Monitoring Activities
Your organization must monitor its internal control system, evaluating the quality of the system's performance over time. You can do this through ongoing evaluations, separate evaluations, or a combination of the two.
Ongoing evaluations, built into business processes at different levels of the company, provide timely information. Separate evaluations are conducted periodically; their scope and frequency vary with the risk assessment, the effectiveness of the ongoing evaluations, and other management considerations.
Deficiencies detected through these monitoring activities must be reported to senior management, which is responsible for correcting them so that the system improves continuously.
The two principles of the COSO monitoring activities component are:
- The organization selects, develops, and performs ongoing and/or separate evaluations to determine if the components of internal control exist and are functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including your board of directors and senior management.
If your organization formally adopts the COSO Framework for internal controls, it signals to employees, regulators, and other third parties that it is committed to accountability and good governance.