COSO Framework of Internal Controls
Introduction
The COSO Framework of internal control was initially developed in response to fraudulent corporate financial reporting but later evolved into a comprehensive set of controls that covers topics such as environmental, social, and governance (ESG) in addition to finance (Littan et al., n.d.). This expanded framework was codified in 2013 when the Committee of Sponsoring Organizations (COSO) released ICIF-2013. ICIF-2013 defined internal control as being “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance” (Littan et al., n.d., ICIF-2013: The Basics section).
There are five components and three objectives that make up ICIF-2013. The five components are control environment, risk assessment, control activities, information and communication, and monitoring activities (Littan et al., n.d.). Studies have hypothesized that all five components must be functioning together for internal controls to be effective (Klamm & Watson, 2009). The three objective areas are “operations objectives, reporting objectives, and compliance objectives” (Littan et al., n.d., ICIF-2013: The Basics section).
This paper will discuss each of these components and objective areas and how they relate to each other. It will then discuss which portions might be most relevant to an IT audit. Finally, practical suggestions will be made for implementing the COSO framework in a real-world organization.
The Five Components
Control Environment
The control environment is the first component and sets the foundation for the rest of the components (Klamm & Watson, 2009). There are five principles nested within this component: “commitment to integrity and ethical values,” “independent board of directors oversight,” “structures, reporting lines, authorities, responsibilities,” “attract, develop, and retain competent people,” and “people held accountable for internal control” (Littan et al., n.d., Figure B-4). Academic surveys of various firms have concluded that there is a positive correlation between weak control environments and each of the other components demonstrating weakness (Klamm & Watson, 2009).
Risk Assessment
The risk assessment component includes the following four principles: “clear objectives specified,” “risks identified to achievement of objectives,” “potential for fraud considered,” and “significant changes identified and assessed” (Littan et al., n.d., Figure B-4). The previously mentioned study also found a positive correlation between weak risk assessment and weak monitoring (Klamm & Watson, 2009). While this correlation does not establish a causal relationship, it is reasonable to deduce that a firm may need effective monitors in place to identify risks.
Control Activities
Once a risk assessment is complete, a firm must implement control activities to mitigate the risks that are identified (Klamm & Watson, 2009). The control activities component includes the following three principles: “control activities selected and developed,” “general IT controls selected and developed,” and controls deployed through policies and procedures (Littan et al., n.d., Figure B-4).
Information and Communication
The information and communication component includes the following three principles: “quality information obtained, generated, and used,” “internal control information internally communicated,” and “internal control information externally communicated” (Littan et al., n.d., Figure B-4). It’s important to not only deliver data about the business but also to deliver information about the controls and systems themselves and how they are performing (Littan et al., n.d.).
Monitoring Activities
The monitoring activities component includes the following two principles: “ongoing and/or separate evaluations conducted,” and “internal control deficiencies evaluated and communicated” (Littan et al., n.d., Figure B-4). The relationship between monitoring and risk assessment was previously established; however, monitoring activities are closely related to each of the other components as well. A firm will not be able to effectively implement monitoring activities without an information and communication environment in place. Control activities may serve little value if they are not closely monitored (Klamm & Watson, 2009). All of these things contribute to and reinforce the control environment.
The Three Objectives
Operations Objectives
The five components of the control framework are “designed to provide reasonable assurance that (among other things) the organization is meeting its effectiveness and efficiency of operations objectives” (Willits, 2007, Using controls to foster trust section).
Reporting Objectives
According to COSO, “an important modification in the 2013 edition was to eliminate the word ‘financial’ from the reporting objective to expand the scope and application of the framework to all forms of reporting, which the revised version defines as internal, external, financial, and nonfinancial” (Littan et al., n.d., The Call to Action section).
Compliance Objectives
It’s necessary “to determine whether controls provide reasonable assurance of compliance with laws and regulations” (Rae et al., 2017, Monitoring Activities section). This objective can specifically be linked to monitoring activities to ensure that controls are continuously meeting the compliance objectives of the organization (Rae et al., 2017).
Conclusion
The monitoring activities component would likely be most relevant to an IT audit because it has been observed that “IT-Weak firms most frequently and explicitly identify weak IT monitoring as a weak COSO” (Klamm & Watson, 2009, Results section). However, IT is becoming essential to each of these components, to the point that IT-related weaknesses correlate positively with non-IT weaknesses in a firm's internal controls (Klamm & Watson, 2009).
These concepts can be applied to my current organization, where there are severe consequences for IT mistakes. The most commonly observed material weakness in the Klamm & Watson (2009) study was logical access issues. A logical access issue would be a critical incident in my current environment. The organization has effective controls in place to enforce and monitor logical access; however, these data are often logged and stored rather than disseminated to stakeholders around the organization. The information and communication component could be improved to ensure that the factors that could lead to an incident are observed before an incident occurs.
References
Littan, S. H., Herz, R. H., Hirth, R. B., Jr., Hileman, D., Monterio, B. J., & Thomson, J. C. (n.d.). Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control—Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission. Retrieved February 17, 2024, from https://www.coso.org/_files/ugd/3059fc_a3a66be7a48c47e1a285cef0b1f64c92.pdf
Klamm, B. K., & Watson, M. W. (2009). SOX 404 reported internal control weaknesses: a test of COSO framework components and information technology. Journal of Information Systems, 23(2), 1–23. https://doi.org/10.2308/jis.2009.23.2.1
Willits, S. D. (2007). Performance-Based Maintenance Services, Trust, and Internal Controls. Internal Auditing, 22(6), 13–14, 16–19. https://www.proquest.com/trade-journals/performance-based-maintenance-services-trust/docview/214389850/se-2
Rae, K., Sands, J., & Subramaniam, N. (2017). Associations among the Five Components within COSO Internal Control-Integrated Framework as the Underpinning of Quality Corporate Governance. The Australasian Accounting Business and Finance Journal, 11(1), 28–54. https://doi.org/10.14453/aabfj.v11i1.4
© Trevor French.