Copyright

What is COSO Internal Control Framework? - Objectives & Components

Instructor: Dr. Douglas Hawks

Douglas has two master's degrees (MPA & MBA) and is currently working on his PhD in Higher Education Administration.

Internal audit and compliance departments benefit from having industry-wide frameworks for conducting their enterprise risk assessment, internal control testing, and fraud deterrence. In this lesson, we'll discuss the most popular framework - COSO.

The Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) was established in 1985 by five of the largest accounting, auditing, and finance oversight committees in the United States. The committee aimed to sponsor the National Committee on Fraudulent Financial Reporting. The National Committee was independent of COSO, so there were no conflicts of interest. The National Committee included representatives from regulatory agencies, public companies, and educational institutions.

The National Committee was tasked with establishing a framework to help address enterprise risk management (ERM), fraud deterrence, and internal controls. Of these three topics COSO addressed, this lesson will focus on internal controls.

COSO Internal Control - Integrated Framework Principles

COSO's internal control framework is often presented as a cube, as there are three dimensions of internal controls to consider in their framework. COSO owns the copyright on the actual cube diagram, although they offer a free poster from their website. But with the cube below, we can visualize the three dimensions of internal controls.

COSO Integrated Framework
COSO Framework

Let's start with the side of the cube marked as letter 'A.' The side of the cube marked with an 'A' represents the five objectives of an acceptable system of internal controls, which are: control environment, risk assessment, control activities, information and communication, and monitoring activities.

The control environment represents the culture of internal controls at the organization. For example, this objective seeks to determine if the organization has a culture of discipline and compliance or a culture of lax policies and procedures. This culture often begins with the actions of executive management, so a control related to the Board reviewing CEO performance would add to the control environment.

The risk assessment is an activity whereby all of the activities, and associated risks, in an organization are looked at and each considered on a spectrum of either low risk or high risk. Likelihood of occurrence is also considered, to determine which risks faced by an organization should be addressed first. A risk assessment may identify cash handling, or billing, as risks that need to be audited.

Control activities are those procedures and internal controls put in place to mitigate risks, particularly those that management considered too risky during the risk assessment. These are activities that management, their staff, and internal auditors test to ensure compliance. For example, if the risk identified in the risk assessment is cash handling, a control activity might be having two people involved in cash payments.

Information and communication is how management communicates the culture of compliance and the specific policies individuals need to follow. Information and communication is a central part of a strong culture of discipline. An example of this would be requiring new or amended policies be sent out to everyone in the company so they are aware of the change.

Finally, monitoring activities are activities managers use to monitor processes or internal controls within the organization. For example, if a purchasing manager gets a weekly report of all purchases that were greater than $5,000, they would be performing a monitoring activity.

The Four Coverage Areas

Side 'B' of the cube represents coverage areas for internal controls. By coverage areas, COSO is referring to the level within the organization the control is focused on protecting. Depending on the structure of the organization, some of these areas may not apply, but there are few - if any - situations where at least three of the areas aren't considered when identifying internal controls.

Entity-wide controls are those that influence the entire organization. Often, these controls are focused on establishing and maintaining a good culture and supporting communication throughout the organization. These controls are implemented, or influence actions, throughout the organization. For example, one entity-wide control in an organization would be a corporate code of ethics.

Division level controls may be one level removed, or below, entity-wide controls. We say 'may be' because depending on the organization's structure, there may or may not be divisions. When there are, they are often associated with national or regional boundaries such that the internal controls align with regulatory requirements, such as filing SEC reports on time and accurately.

An operating unit is not always limited to a physical proximity, but instead, is focused on the activities the operating unit is responsible to perform. For example, an accounting department may be responsible for accounts payable, accounts receivable, cash management, and financial reporting. Accounts receivable may have a control that requires a monthly outstanding balance report to be reviewed.

To unlock this lesson you must be a Study.com Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use Study.com

Become a Study.com member and start learning now.
Become a Member  Back
What teachers are saying about Study.com
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 160 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? Study.com has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create An Account
Support