Deciding on a Model for Evaluating Internal Controls

Worldwide there are many models to choose from when evaluating the adequacy of an internal control framework. In the US we use COSO, Canada developed COCO, the United Kingdom established Cadbury, and then there are the globally accepted ISO standards. This variety can be confusing, to say the least. Each model presents a slightly different viewpoint on internal controls. Ultimately the models all share the same goal: to promote guidelines for making judgments about the effectiveness of controls. However, they exhibit some underlying differences because each carries the flavor of the country that created it. There is nothing extraordinary about these models; in fact, they are rooted in common sense. Even so, using them can produce astounding outcomes.

The US COSO and the UK Cadbury are broken into five domains with only minimal differences in interpretation. The Canadian COCO focuses on the achievement of objectives and defines internal control as the elements of an organization that, taken together, support the achievement of those objectives. COCO focuses on the reliability of internal and external reporting. On the other hand, COSO defines internal control as a process, effected by an entity's board of directors, management and personnel, designed to provide reasonable assurance regarding the achievement of objectives. COSO focuses on the reliability of financial reporting. In the past, auditors have examined the hard controls. COSO, COCO and Cadbury highlight the need to examine soft controls as well.


The Sarbanes-Oxley Act in the US incorporated the COSO framework into the law as the model of choice. However, ISO 31000 is quickly gaining ground as the preferred model because it provides a generic framework for establishing the context for, identifying, analyzing, evaluating, treating, monitoring and communicating risk.

The International Organization for Standardization, widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promulgates worldwide proprietary industrial and commercial standards. It has its headquarters in Geneva, Switzerland. While ISO defines itself as a non-governmental organization, its ability to set standards that often become law, either through treaties or national standards, makes it more powerful than most non-governmental organizations. The aim of the organization is to equalize and standardize across cultures. With the exception of a small number of isolated standards, ISO standards are normally not available free of charge but for a purchase fee, which some have seen as too expensive.

ISO 31000 is compatible with the COSO framework and is considered an updated version that reflects the current state of risk management thinking internationally. ISO 31000 is considered more practical and less theoretical, and it defines its terms explicitly and in more detail. It is clearly written and easier for management to understand without audit having to interpret it for them.

The most significant difference between ISO 31000 and COSO is the definition of risk. The ISO definition of risk is the "effect of uncertainty on objectives." The ISO standard places more focus on the consequences of uncertainty and allows for different views of risk than COSO does. The focus on consequences provides a framework for considering the impact if an event were to occur.

COSO ERM defines risk as "the possibility that an event will occur and adversely affect the achievement of objectives." This definition is focused more on events than on the consequences of events.

Many see the new ISO 31000 series as a very positive development in the risk management standards landscape. While the message is not new, the simplicity of the presentation is a big plus. Maybe we all should take a closer look at the ISO standards and see if they can streamline the risk management process for us.



