2. What is COSO?
The COSO (Committee of Sponsoring Organizations of the
Treadway Commission) is a private sector initiative, jointly
sponsored and funded by:
• American Accounting Association (AAA)
• American Institute of Certified Public
Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)
2
3. Internal Control-Integrated Framework
• First published in 1992
• Gained wide acceptance
following financial control
failures of early 2000’s
• Most widely used framework in
the US
• Also widely used around the
world
3
Original COSO Cube
4. Methodology
• Background
‒ Project announced in November 2010
‒ To make the existing Framework and
related evaluation tools more relevant
in the increasingly complex business
environment
‒ PricewaterhouseCoopers as the
original author conducted this project.
‒ not intended to change how internal
control is defined, assessed, or
managed, but rather provide greater
clarity and a more comprehensive and
relevant conceptual guidance
• Project Structure
‒ Advisory Council comprising
representatives from industries,
academia, government agencies, and
non-profit organizations updated
Framework is being exposed to the
public to capture additional input
• Approach
‒ Assess and Envision
‒ Build and Design
‒ Preparation for Public Exposure
‒ Finalization
5. • Applies a principles-based approach
• Clarifies the role of objective-setting in internal control
• Reflects the increased relevance of technology
• Enhances governance concepts
• Expands the reporting category of objectives
• Enhances consideration of anti-fraud expectations
• Considers different business models and organizational
structures
Summary of Changes to the 1992 Version
5
6. Internal Control is a _______ effected by an entity’s _______
____________________________________ designed to provide
_________ assurance regarding the achievements of ________
in the following categories:
• Effectiveness & efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
board of
directors, management and other personnel,
process
reasonable
What is internal control?
6
objectives
8. Components of Internal Control
8
Monitoring
Control Environment
Risk Assessment
Control Activities
9. A Principal Based Approach
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Five Components
5 principles
4 principles
3 principles
3 principles
2 principles
17 principles
21 Attributes
19 Attributes
16 Attributes
14 Attributes
11 Attributes
81 Attributes
10. A Principal Based Approach
10
Operations
Objectives
Reporting
ObjectivesCompliance
Objectives
Apply to
17 Principals
12. Principles Relating to Control Environment
1. The organization demonstrates a commitment to integrity and ethical
values.
2. The board of directors demonstrates independence of management and
exercises oversight for the development and performance of internal
control.
3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
4. The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
12
13. Attributes Relating to Control Environment
1. Sets the Tone at the Top
2. Establishes Standards of Conduct
3. Evaluates Adherence to Standards of Conduct
4. Addresses Deviations in a Timely Manner
13
1. Demonstrates Commitment to Integrity and Ethical
Values
14. Attributes Relating to Control Environment
1. Establishes Board of Directors Oversight Responsibilities
2. Retains or Delegates Oversight Responsibilities
3. Applies Relevant Expertise
4. Operates Independently
5. Provides Oversight
14
2. Exercises Oversight Responsibility
15. Attributes Relating to Control Environment
1. Considers All Structures of the Entity
2. Establishes Reporting Lines
3. Defines, Assigns, and Limits Authorities and Responsibilities
15
3. Establishes Structure, Authority, and Responsibility
16. Attributes Relating to Control Environment
1. Establishes Policies and Practices
2. Attracts, Develops, and Retains Individuals
3. Evaluates Competence and Addresses Shortcomings
4. Plans and Prepares for Succession
16
4. Demonstrates Commitment to Competence
17. Attributes Relating to Control Environment
1. Enforces Accountability through Structures, Authorities, and
Responsibilities
2. Establishes Performance Measures, Incentives, and Rewards
3. Evaluates Performance Measures, Incentives, and Rewards
for Ongoing Relevance
4. Considers Excessive Pressures
5. Evaluates Performance and Rewards or Disciplines
Individuals
17
5. Enforces Accountability
18. Principles Relating to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable
the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the
risks should be managed.
3. The organization considers the potential for fraud in assessing risks to
the achievement of objectives.
4. The organization identifies and assesses changes that could
significantly impact the system of internal control.
18
19. Attributes Relating to Risk Assessment
1. Considers Tolerance for Risk / Required Level of Precision /
Materiality
2. Complies with Externally Established Standards, and
Frameworks / Complies with Applicable Accounting Standards
/ Reflects External Laws and Regulations
3. Reflects Management’s Choices
4. Reflects Entity Activities
5. Includes Operations and Financial Performance Goals
6. Forms Basis for Committing of Resources
19
6. Specifies Relevant Objectives
20. Attributes Relating to Risk Assessment
Attributes Relating to Operations Objectives
• Considers Tolerances for Risk
• Reflects Management’s Choices
• Includes Operations and Financial Performance Goals
• Forms Basis for Committing of Resources
20
6. Specifies Relevant Objectives
22. Attributes Relating to Risk Assessment
Attributes Relating to Reporting Objectives
External Non-financial Reporting Objectives
• Complies with Externally Established Standards and Frameworks
• Reflects Entity Activities
• Considers the Required Level of Precision
22
6. Specifies Relevant Objectives
23. Attributes Relating to Risk Assessment
Attributes Relating to Reporting Objectives
Internal Reporting Objectives (financial and/or non-financial)
• Considers the Required Level of Precision
• Reflects Management’s Choices
• Reflects Entity Activities
23
6. Specifies Relevant Objectives
24. Attributes Relating to Risk Assessment
Attributes Relating to Compliance Objectives
• Considers Tolerances for Risk
• Reflects External Laws and Regulations
24
6. Specifies Relevant Objectives
25. Attributes Relating to Risk Assessment
1. Involves Appropriate Levels of Management
2. Includes Entity, Subsidiary, Division, Operating Unit, and
Functional Levels
3. Analyzes Internal and External Factors
4. Estimates Significance of Risks Identified
5. Determines How to Respond to Risks
25
7. Identifies and Analyzes Risks
26. Attributes Relating to Risk Assessment
1. Considers Various Ways That Fraud Can Occur
2. Considers Risk Factors
3. Assesses Incentive and Pressures
4. Assesses Opportunities
5. Assesses Attitudes and Rationalizations
26
8. Assesses Fraud Risk
27. Attributes Relating to Risk Assessment
1. Assesses Changes in the External Environment
2. Assesses Changes in the Business Model
3. Assesses Changes in Leadership
27
9. Identifies and Analyzes Significant Change
28. Principles Relating to Control Activities
10. The organization selects and develops control activities that contribute
to the mitigation of risks to the achievement of objectives to
acceptable levels.
11.The organization selects and develops general control activities over
technology to support the achievement of objectives.
12.The organization deploys control activities as manifested in policies
that establish what is expected and in relevant procedures to effect the
policies.
28
29. Attributes Relating to Control Activities
1. Integrates with Risk Assessment
2. Determines Relevant Business Processes
3. Considers Entity-Specific Factors
4. Evaluates a Mix of Control Activity Types
5. Considers at What Level Activities Are Applied
6. Addresses Segregation of Duties
29
10. Selects and Develops Control Activities
30. Attributes Relating to Control Activities
1. Determines Dependency between the Use of Technology in
Business Processes and Technology General Controls
2. Establishes Relevant Technology Infrastructure Control
Activities
3. Establishes Relevant Security Management Process Control
Activities
4. Establishes Relevant Technology Acquisition, Development,
and Maintenance Process Control Activities
30
11. Selects and Develops General Controls over
Technology
31. Attributes Relating to Control Activities
1. Establishes Policies and Procedures to Support Deployment
of Management’s Directives
2. Establishes Responsibility and Accountability for Executing
Policies and Procedures
3. Performs Using Competent Personnel
4. Performs in a Timely Manner
5. Takes Corrective Action
6. Reassesses Policies and Procedures
31
12. Deploys through Policies and Procedures
32. Principles Relating to Information and
Communication
13. The organization obtains or generates and uses relevant, quality
information to support the functioning of other components of internal
control.
14.The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support
the functioning of other components of internal control.
15.The organization communicates with external parties regarding matters
affecting the functioning of other components of internal control.
32
33. Attributes Relating to Information and
Communication
1. Identifies Information Requirements
2. Captures Internal and External Sources of Data
3. Processes Relevant Data into Information
4. Maintains Quality Throughout Processing
5. Considers Costs and Benefits
33
13. Uses Relevant Information
34. Attributes Relating to Information and
Communication
1. Communicates Internal Control Information with Personnel
2. Communicates with the Board of Directors
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
34
14. Communicates Internally
35. Attributes Relating to Information and
Communication
1. Communicates to External Parties
2. Enables Inbound Communications
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
5. Communicates with the Board of Directors
35
15. Communicates Externally
36. Principles Relating to Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal
control are present and functioning.
17.The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management and the board of
directors, as appropriate.
36
37. Attributes Relating to Monitoring Activities
1. Considers a Mix of Ongoing and Separate Evaluations
2. Establishes Baseline Understanding
3. Uses Knowledgeable Personnel
4. Integrates with Business Processes
5. Objectively Evaluates
6. Adjusts Scope and Frequency
7. Considers Rate of Change
37
16. Conducts Ongoing and/or Separate Evaluations
38. Attributes Relating to Monitoring Activities
1. Assesses Results
2. Communicates Deficiencies to Management
3. Reports Deficiencies to Senior Management and the Board of
Directors
4. Monitors Corrective Actions
38
17. Evaluates and Communicates Deficiencies
40. Roles - Three Lines of Defense
• Management and other personnel on the front line provide the
first line of defense as they are responsible for maintaining
effective internal control day to day; they are compensated based
on performance in relation to all applicable objectives
• Business-enabling functions such as risk, control, legal, and
compliance provide the second line of defense as they clarify
internal control requirements and evaluate adherence to defined
standards. While they are functionally aligned to the business,
their compensation is not directly tied to performance of the area
to which they render expert advice.
40
41. Roles - Three Lines of Defense
• Internal auditors provide the third line of defense as they assess
and report on internal control and recommend corrective actions
or enhancements for management consideration and
implementation; their position and compensation are separate
and distinct from the business areas they review.
41
42. Responsible Parties - The Board of Directors and
its Committees
The Board:
• has a key role in defining expectations on integrity and ethical
values and internal control responsibilities.
• have a working knowledge of the entity’s activities and
environment, and they commit the time necessary to fulfill their
governance responsibilities.
• utilize resources as needed to investigate any issues, and have
an open and unrestricted communications channel with all entity
personnel, the internal auditors, independent auditors, external
reviewers, and legal counsel.
42
43. Responsible Parties - The Board of Directors and
its Committees
Board-level committees include :
• Audit Committee
• Compensation Committee
• Nomination/Governance Committee
• Other Committees
43
44. Responsible Parties - Chief Executive Officer
Chief Executive Officer (CEO) :
• is ultimately responsible for the effectiveness of the entity’s
internal control system
• sets the tone at the top that affects control environment factors
and all other components of internal control.
44
45. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Providing leadership and direction to senior management. With
the support of management, the CEO shapes the values,
principles, and major operating policies that form the foundation
of the entity’s internal control system.
• Meeting periodically with senior management from each of the
operating units (e.g., research and development, production,
marketing, sales) and major business enabling functions (e.g.,
finance, human resources, legal, compliance, risk management).
45
46. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Defining metrics, targets, or other measurable expectations with
which to gauge the ongoing and long-term effectiveness of the
system of internal control. The methods of designing,
implementing, and assessing internal control are delegated to
management at different levels.
46
47. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Directing all management and other personnel to proactively
identify threats to the system of internal control. Given the ever-
increasing pace of change and networked interactions of
business partners, customers, and employees, the sources of
threat to an ongoing effective internal control system are
constantly changing. The CEO expects senior management in
particular to beware of making assumptions based on the
traditional sources of threats to an effective internal control
system.
47
48. Responsible Parties - Chief Financial Officer
The Chief Financial Officer (CFO):
• supports the CEO in front-line responsibilities, including internal
control over financial reporting.
• is integrally involved when the entity’s strategies are decided,
objectives are established, risks are analyzed, and decisions are
made on how changes will be managed.
• provides valuable input and direction and is positioned to focus
on evaluating and following up on the actions decided by
management.
• is an equal partner with the other functional heads.
48
49. Responsible Parties - Other Members of Senior
Management
Senior management comprises:
• Chief operating officer
• Chief administrative officer
• Chief risk officer
• Chief compliance officer
• Chief information officer
• Other senior leadership roles, depending on the nature of the
business
49
50. Responsible Parties - Other Members of Senior
Management
Senior management:
• guides the development and implementation of internal control
policies and procedures that address the objectives of their
functional or operating unit and verify that they are consistent
with the entity-wide objectives.
• assigns responsibility for establishing even more specific internal
control procedures to those personnel responsible for the unit’s
functions or departments
50
51. Responsible Parties - Business-Enabling Functions
• support the business through their specialized skills.
• provide guidance and assessment of internal control related to
their areas of expertise.
• keep the organization informed of relevant requirements as they
evolve over time.
• Their efforts are coordinated and integrated as appropriate.
51
52. Responsible Parties - Risk and Control Personnel
• provide specialized skills and guidance to front-line management
and other personnel and evaluating internal control.
• identify known and emerging risks.
• help management develop processes to manage relevant risks.
• communicate and provide education on these processes across
the organization.
• evaluate and report on the effectiveness of such processes.
• not responsible for executing controls but support
52
53. Responsible Parties - Internal Auditors
The Internal Auditor:
• provide assurance and advisory services over internal control
• evaluate the adequacy and effectiveness of controls in
responding to risks within the organization’s oversight,
operations, and information systems regarding:
‒ Reliability and integrity of financial and operational information.
‒ Effectiveness and efficiency of operations and programs.
‒ Safeguarding of assets.
‒ Compliance with laws, regulations, policies, procedures, and
contracts.
53
54. Responsible Parties - External Parties
External Parties includes:
• Outsourced Service Providers
• Business Partners and Other Parties Interacting with the Entity
• Independent Auditors
• External Reviewers
• Legislators and Regulators
• Financial Analysts, Bond Rating Agencies, and the News Media
54
56. Assessing Effectiveness
When controls are effective; the organization:
• Understands the extent to which operations are managed
effectively and efficiently.
• Prepares reliable reports.
• Complies with applicable laws and regulations
56
57. Assessing Effectiveness
• Each of the five components must be present and operate
together.
• Effectiveness of internal control is assessed relative to the five
components of internal Control.
• Effectiveness of internal control can also be assessed relative to
a specific part of the organizational structure.
57
58. Assessing Effectiveness
Determining whether a principle is present and functioning implies
that the organization:
• Understands the intent of the principle and how it is being
applied.
• Applies the principle consistently across the entity.
• Works to help personnel understand and apply the principle
across the entity.
• Views omission of or non-conformity with a principle as an
exception (i.e., not applying the wording, intent, and spirit of
the principle is the exception rather than the norm).
58
59. Limitations of Internal Control
• Quality and suitability of objectives
• Judgment
• Breakdowns
• Management Override
• Collusion
59
60. What is not of internal control?
• Many decisions reached by the board are not part of internal
control
• Appropriateness of particular objectives selected
• Setting the overall level of acceptable risk and associated risk
appetite
• setting risk tolerance levels in relation to specific objectives
• Choosing which risk response is preferred to address specific
risks
60