A management framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to issue recommendations and guidelines on internal control for reducing risks. COSO is recognized for providing guidance on critical aspects of organisational governance, business ethics, internal control, enterprise risk management (ERM), fraud, and financial reporting.
COSO has established a common definition of internal controls, standards, and criteria against which companies and organisations can assess their control systems.
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization.
The five components are the following:
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and communication
Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Internal control systems need to be monitored, i.e. a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
COSO 2013 updates the Internal Control — Integrated Framework to make it more relevant in the increasing complex business environment. the internal control concepts introduced in the original framework is now be codified into 17 principles according the 5 components:
1. The organisation demonstrates a commitment to integrity and ethical value.
2. The Board of Directors demonstrates independence from management and exercises oversight responsibility of the development and performance of internal control.
3. Management establishes, with board oversight, reporting lines, and appropriate authorities, and responsibilities in the pursuit of objectives.
4. The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organsation holds individuals accountable for their internal control responsibilities in pursuit of objectives.
6. Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. Identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
8. Considers the potential for fraud in assessing risks to the achievement of objectives
9. Identifies and analyses change that could significantly impact the system of internal control
10. Selets and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. Selects and develops general control activities over technology to support the achievement of objectives.
12. Deploys control activities through policies that establish what is expected and procedures that put the policies in action.
Information and communication
13. Obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. Internally communicates information, including objectives and responsabilities for internal control, necessary to support the functioning of internal control.
15. Communicates with external parties regarding matters affecting the functioning of internal control.
16. Selects, develops, and performs on-going and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. Evaluates and communicates
internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as approriate