Internal controls are an essential part of risk assessment and management. But it isn’t always easy to incorporate internal controls into business processes. The COSO Internal Control Framework gives organizations a strategic path forward.
This framework helps businesses embed internal controls and internal controls management software in their day-to-day activities. When used effectively, it assures shareholders and the board that the organization meets ethical and security standards.
Organizations that do adopt the COSO Internal Control Framework can also be more efficient, more secure, and, ultimately, more resilient as the risk landscape evolves.
What Is the COSO Internal Control Framework?
The COSO Framework helps organizations connect their internal controls to their business process. It reaches back to 1992 when the Committee of Sponsoring Organizations (COSO) met to create a more significant relationship between the risk and business landscapes. Several private sector organizations also contributed to the framework, including:
- American Accounting Association
- American Institute of Certified Public Accountants
- The Institute of Management Accountants
- Financial Executives International
- The Institute of Internal Auditors
In 2013, they updated the COSO Framework to include a diagram of the relationship between all elements of internal controls. They edited it again in 2017 with the enterprise risk management framework, demonstrating how to prioritize risk and establish a connection between risk and business performance.
COSO’s Definition of Internal Control
According to the COSO definition, internal control is a process designed to provide reasonable assurance with regard to achieving operations, reporting and compliance objectives. Boards of directors, management and other relevant personnel, should oversee this process on an ongoing basis.
5 Components of the COSO Internal Control Framework
The five components of the COSO Framework establish the key areas where organizations need to work towards compliance.
The five components are:
1. Control Environment
In the control environment, organizations should verify that their business processes meet industry risk standards by testing all controls. This ensures that all activities are done responsibly, reducing an organization’s legal liability. Organizations should also work to meet all regulatory compliance requirements.
2. Risk Assessment and Management
Risks are inevitable. That doesn’t mean organizations should ignore them. Businesses can minimize the possible harm by assessing the risks that currently face their organization and putting a plan in place to manage and mitigate those risks. This process should be ongoing or even automated so that organizations can identify new risks as they emerge.
3. Control Activities
Control activities are integral to risk management, ensuring that all business activities tie back to internal controls. Those controls should both support business performance and reduce the organization’s risk exposure.
4. Information and Communications
An organization’s communications also need to follow strict requirements. Various legal, ethical and industry standards apply to internal and external communications. Privacy policies and other application controls are examples of how organizations can apply controls to communication processes.
5. Monitoring
Risks can evolve, as do organizations’ systems, software and processes. Monitoring ensures that these changes don’t expose the organization to risk. An internal auditor is usually responsible for this, but external auditors often monitor organizations in relation to regulatory compliance. Both auditors will ultimately report to the board of directors.
How Do Organizations Use the COSO Framework?
The COSO Framework establishes how the organization will complete all business processes. This embeds risk management into all parts of the organization, facilitating legal and regulatory compliance. Once all controls are in place, the framework also prioritizes monitoring, which helps organizations verify that all internal controls are followed and that they can stay ahead of emerging risks.
Benefits and Limitations of the COSO Framework
While the COSO Framework does create a strategic path forward for risk management, it also has its limitations that organizations should be aware of.
These are three key benefits organizations can expect by following the COSO Internal Control Framework:
- Standardizes Business Processes: When organizations implement the COSO Framework, they also standardize how their teams do business. This improves the organization’s efficiency and centralizes data while also reducing risk.
- Stay Ahead of Risks: 42% of businesses with revenue between $1 billion and $10 billion experienced cybercrime in the last year — the COSO Framework positions organizations to stay ahead of these risks using best practices.
- Reduce Costs: When all teams follow the same set of internal controls, business becomes more efficient. Many organizations that follow the COSO Framework act more strategically, which allows them to reduce costs over time.
As effective as the COSO Framework can be, it can also be restricting in the following ways:
- Challenging to Implement: The COSO Framework is broad by design. While this allows many different types of organizations to follow the framework, it lacks specific guidance in implementing and maintaining the framework over a longer period. Organizations may struggle to adopt the framework, especially if they don’t already have an effective risk management strategy.
- Rigid Structure: The COSO Framework has a particular structure. Many organizations could fall into multiple categories within the framework, making it difficult for businesses to identify the best path forward for their teams.
Use an Audit Checklist to Master Your Internal Controls
The COSO Internal Control Framework provides valuable insight into how risk management should look. But it doesn’t prescribe what an organization should do day-to-day to maintain that framework. The internal audit committee needs to operate on an always-on basis, but it can be challenging to prioritize risks, track remediations and develop reports into risk and revenue opportunities.
Diligent’s Internal Audit Checklist helps teams take a step beyond the COSO Internal Control Framework and develop a more robust audit infrastructure. It breaks internal audit into four key steps, each with a checklist to guide internal audit teams on their way to a more secure program. Download the checklist to learn more.