The COSO framework was developed to help organizations design and implement a system of internal control, enterprise risk management, and fraud deterrence. COSO stands for The Committee of Sponsoring Organizations of the Treadway Commission.
History of the COSO Framework
In June 1985, the National Commission on Fraudulent Financial Reporting was established. The Commission was commonly referred to as the “Treadway Commission” after its chairman, SEC Commissioner James C. Treadway, Jr.
Five organizations participated in the Commission:
- American Accounting Association
- American Institute of Certified Public Accountants
- Financial Executives International
- The Association of Accountants and Financial Professionals in Business
- The Institute of Internal Auditors
In October 1987, the Treadway Commission released the “Report of the National Commission on Fraudulent Financial Information.” The report covered the Commission’s findings, conclusions, and recommendations concerning factors that can lead to fraudulent financial reporting. It also addressed how to reduce the occurrence of fraudulent financial reporting.
As a result, COSO was formed, and it created the COSO framework, which was released in 1992. In 2013, COSO updated the Internal Control-Integrated Framework to incorporate new business practices and needs. In 2017, COSO updated the Enterprise Risk Management-Integrated Framework.
COSO Internal Control Framework
When people think of the COSO framework, the COSO cube is typically the first thing that comes to mind. The cube is a visual reminder of how the concepts work together in a unified way. Depicted in the cube are the:
- Three categories of objectives: Operations, Reporting, and Compliance
- Four organizational structures: Entity level, Division, Operating Unit, and Function
- Five Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities
The internal control components are necessary to achieve the objectives. The organizational structure determines which components and objectives belong where in the company.
Objectives of Internal Control
Displayed on the top portion of the cube are three categories of objectives.
- Operations objectives refer to the entity’s business processes, goals, and protection of assets.
- Reporting objectives refer to the reliability of both external and internal financial and non-financial reporting.
- Compliance objectives refer to the laws and regulations that the entity is subject to.
Organizational Structures of Internal Control
The four organizational structures tie objectives and components of internal controls to the specific location where the control is taking place in the business.
- Entity level refers to the whole company.
- Division refers to business segments separated by product or service lines.
- Operating Unit refers to a specific group within that division.
- Function refers to a specific job in the operating unit.
Components of Internal Control
There are five essential components to the COSO internal control framework:
- Control Environment sets the tone at the top and company policies.
- Risk Assessment identifies areas that expose the company to higher risks both internally and externally.
- Control Activities are the policies and procedures that a company implements.
- Information and Communication refers to the information gathered from internal and external sources, and how it is shared, so the company stays current on internal and external changes.
- Monitoring is the ongoing evaluation of whether processes, policies, and procedures are operating as expected.
The 2013 revision of the framework also introduced 17 Principles which further expanded and clarified the five components of the framework.
CRIME Accounting Acronym
An acronym known as CRIME helps auditors remember the five components. CRIME stands for Control Activity, Risk Assessment, Information and Communications, Monitoring Activities, and Control Environment.
C – Control Activity
R – Risk Assessment
I – Information and Communications
M – Monitoring Activities
E – Control Environment
Effective Internal Controls
The COSO Framework provides an organization with the tools necessary to design and implement internal controls, as well as to assess the effectiveness of those controls.
It is the responsibility of Management to determine the appropriate controls, put them in place, and ensure that they are effective. External auditors can help to monitor the effectiveness of those controls. However, the design and implementation of controls reside with the Management of the company.
COSO Limitations
Even with strong internal controls in place, there is no guarantee that fraud, misreporting, or other errors won’t occur. In any business there is always a risk of mistakes, override of internal controls, collusion, poor decision-making, and other events outside of the entity’s control.
Resources
Additional information about COSO can be found on their website.