The COSO Internal Control Integrated Framework outlines the characteristics of an effective system of internal controls, which can also be used to assess information security controls. It is organized into five components comprising 17 principles in total.
5 Main Principles of the COSO Internal Control Integrated Framework
Any effective internal control system works best when its components reflect the organization's overall mission, strategies and related business objectives. The COSO Internal Control Integrated Framework defines five components that support the achievement of those objectives in any company.
The table below lists each COSO component with its description and the framework principles that belong to it.

COSO Component: Control Environment (principles 1–5)
Built by setting the basic tone of the organization, particularly regarding internal controls, the control environment comprises policies, procedures and an overarching discipline, structure and integrity. When the control environment is deeply ingrained, variances from it readily reveal internal control issues.
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable

COSO Component: Risk Assessment (principles 6–9)
Every company faces some degree of risk. This component focuses on identifying industry-specific risks, as well as risks specific to the company itself, before analyzing them and outlining how they will be managed.
6. Specify appropriate objectives
7. Identify and analyze risks
8. Evaluate fraud risks
9. Identify and analyze changes that could significantly affect internal controls

COSO Component: Control Activities (principles 10–12)
Setting and following solid policies and procedures, based on risk factors, rules, regulations and experience, helps ensure that appropriate preventive actions and responses are in place for any variation from the norm.
10. Select and develop control activities that mitigate risks
11. Select and develop technology controls
12. Deploy control activities through policies and procedures

COSO Component: Information and Communication (principles 13–15)
Information about internal controls must flow in every direction, ensuring that everyone involved with a particular area, or with the entire system, stays up to date.
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally

COSO Component: Monitoring (principles 16–17)
In addition to regularly scheduled audits and auditors' reports, it is important to continually monitor internal controls so that inconsistencies and issues are found and corrected right away.
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies
Improve Organizational Performance and Oversight with the COSO Framework
Let's take a look at how these principles work on a more practical level and how they benefit your organization.
- Control Environment – Depending on your organization, your control environment includes your management team and Board of Directors, your HR department and how you work with employees and even your in-house policies. When your control environment is healthy, your organization can run more efficiently and with less strife and risk. The right people in the right roles are critical to success for this important COSO Framework component.
- Risk Assessment and Management – What challenges does your brand face? Depending on your business model and industry, you could face risks from outside sources, ranging from cyber attacks and data theft to the loss of proprietary information, formulas and processes. You could also face significant compliance and regulatory risk; brands in healthcare, manufacturing, and development all face industry-specific risks. Discovering risks is just the beginning; this component also includes analysis and solutions and implementing changes that mitigate risk and prevent losses.
- Control Activities – A robust plan to ensure business continuity in the event of an emergency, coupled with a proactive approach to security and upgrades ensures your control activities align with your mission and goals. The better your policies are at outlining your rules and expectations, the more successful your organization will be when it comes to control activities.
- Information & Communication – Which functions, responsibilities and roles do you outsource, and how well are these external resources managed? The information you share and the way you convey it have a large impact on your ability to outsource important initiatives and tasks properly and effectively. Evaluating how well you are communicating and how well your needs are being met ensures your money is spent wisely and that you get the best possible ROI on your outsourcing investments.
- Monitoring – Establishing the conditions you want to work in and the policies your team needs to follow is an ideal start, but unless you monitor and evaluate your processes you won't be able to keep up with changes. Ongoing monitoring helps discover inefficiencies and deficiencies and allows you to take action and keep your organization on track.
Improve Internal Controls with the COSO Framework
The COSO framework gives businesses better, more prescriptive internal controls that reduce risk and provide the information needed to make smarter decisions. Implementing these principles helps your organization build and maintain controls that are present, effective and well implemented, for greater reliability, relevance and timeliness. This is especially true when it comes to the emerging demands related to ESG (Environmental, Social and Governance) performance and its impact on long-term value.
When taken as a whole, internal controls based on the COSO framework principles offer a reasonable level of assurance that the company is conducting its business morally, openly, and in conformity with accepted industry norms.
- Internal control is a process rather than an end result in itself.
- Internal control is not only a theory, idea, form, item in a manual, or policy. It is also a reflection of the people who use a particular system regularly, and it is certainly affected by them.
- Internal control is not absolute; it offers only reasonable assurance to an entity's governing body.
- Internal control may cover one or more categories, whether distinctly separate or overlapping.
COSO Internal Control Integrated Framework & COSO Compliance
Whether your organization consistently maintains strong internal controls, or you have faced some uncertainties recently, the COSO Internal Control Integrated Framework can help you and your IT team continue to improve. At I.S. Partners, LLC., the CPA and support staff can help you understand all the benefits of tightening your internal controls.