Posts Tagged ‘COSO’


COSO’s Internal Control – Integrated Framework: Updated 2013 Edition

COSO released the original Internal Control – Integrated Framework in 1992. In May 2013, roughly 20 years later, it published an updated edition. The updated Framework reflects changes in the business and operating environment and accordingly expands the operations and reporting objectives. Its most significant change is that it articulates 17 principles of effective internal control, grouped under the five components.


I. Control Environment:

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.


II. Risk Assessment:

  6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  9. The organization identifies and assesses changes that could significantly impact the system of internal control.


III. Control Activities:

  10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  11. The organization selects and develops general control activities over technology to support the achievement of objectives.
  12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.


IV. Information and Communication:

  13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  15. The organization communicates with external parties regarding matters affecting the functioning of internal control.


V. Monitoring Activities:

  16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


Apart from listing these 17 principles, the updated Framework also describes the important characteristics of each principle through ‘points of focus’, which clarify the requirements for effective internal control. The points of focus are intended to help organizations design, implement and conduct internal control, and to assess whether the relevant principles are present and functioning.

The updated Framework is expected to be easier to use and to apply more broadly, owing to the expanded operations and reporting objectives. It also creates a more formal structure for designing and evaluating the effectiveness of internal control. In my view, it reflects the increased relevance of technology as well (Principle 11, general control activities over technology). In light of the Enron and WorldCom scandals, the 2008 global financial crisis and similar events, the updated Framework also gives specific consideration to fraud in relation to internal control (the fraud-risk principle under Risk Assessment).

Organizations currently using the original 1992 Framework should establish a transition plan to move to the updated 2013 Framework. COSO expects these organizations to complete the transition for external reporting by December 15, 2014, after which it considers the 1992 Framework superseded.


Auditing Informal Controls

Happy New Year everyone!

To commemorate the new year, I decided to do some light reading on control self-assessments 🙂

In my research on control self-assessments (CSAs), I came across a paper titled ‘Control Self-Assessment: A Tool for Organizational Improvement’. The authors of the paper imply that audits can only audit formal controls:

“Audits confirm the degree of compliance with formal controls and mandates. They (informal controls) are not tangible and, therefore, are not subject to the verification standards demanded by traditional audit.”

Another resource implied the same thing:

“CSA is an audit technique within the broad framework of internal audit that measures areas that traditional audit techniques are not designed to measure, such as trust, morale and corporate culture”

However, the paper notes (as is also true in my experience) that it is really the informal controls that are more influential in an organization:

“One of COSO’s core conclusions was that “official policies” (formal controls) specify what management wishes to happen. However, the “culture of the organization” (informal controls) determines what actually happens – which rules are obeyed, ignored or bent. Without a clear assessment of informal internal controls, any organization runs the risk of the loss of opportunities and of potentially serious problems going undetected.”

Is it true that audits can only validate and measure formal controls? If informal controls are more effective than formal controls, and audits are limited to validating formal controls, does this call into question the effectiveness of auditing and imply that the value of auditing is limited to validating formal controls?

Widely accepted international standards have defined internal controls in the following ways:

  • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (i) effectiveness and efficiency of operations, (ii) reliability of financial reporting, (iii) compliance with applicable laws and regulations – COSO
  • Actions that foster the best result for an organization – COCO (Canada)
  • A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives – Turnbull Committee (UK)
  • All major factors that, taken together, support people in the achievement of their own work objectives and those of the organization – USAID paper

See this related post for deciding on which internal control framework to implement.

Although the various internal control frameworks use very broad definitions, when most people think about internal controls in the traditional sense, they think primarily of financial reporting controls (e.g. Sarbanes-Oxley requirements) and secondarily of other formal non-financial controls such as policies and procedures, authorizations and review processes.

The COSO model has five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.

For an auditor, control activities are typically the primary area of focus. Control activities such as policies, authorizations and reconciliations are formal controls: they are tangible and repeatable, and they are typically embedded in transactions and processes. Monitoring activities are another component that is typically audited. The remaining COSO components, control environment, risk assessment, and information and communication, are also controls, but they are typically known as informal controls and are either one-time or non-repetitive.

What is the role of audit as it relates to informal controls, i.e. the parts of the COSO cube other than control activities and monitoring? How does audit validate these ‘controls’?

A well-known method of audit validation is sample testing of transactions. How do you validate an informal control when it is not directly related to a transaction and is non-repetitive? Do you merely validate that the informal control exists, is used and is regarded as important in the organization? Would an audit recommendation be limited to whether the control exists, is consistently applied and is known throughout the organization? The idea that an informal control becomes an audit issue only when it is absent or when there is a very clear exception is supported by the following source:

“Soft (informal) controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test….. on the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn’t be ruled out if the auditor finds no direct evidence that the “soft controls” are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating. The level of assurance provided by the auditor for soft controls is, therefore, much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.”

Informal controls are also typically very people-oriented and therefore potentially highly subjective. CSA-type tools such as surveys and questionnaires can provide data and observations on informal controls.

Formal controls, and the auditing of formal controls, are clearly important in industries and processes with high compliance requirements, such as financial reporting (adherence to GAAP or similar accounting standards), banking, oil and gas, investments, etc. However, in areas that are not highly regulated and are more relational, formal controls are not always as evident or as important. In the nonprofit sector, many activities are relational and qualitative, and informal controls hold much more sway than formal controls.

In my reading so far on CSAs, they appear to be the preferred tool for a more in-depth evaluation of informal controls. In a future post, I will explore the differences between traditional auditing and CSAs.

Given the IIA’s adoption of the COSO internal control framework as a standard, it is our responsibility as auditors to validate not just formal controls but informal controls as well. Auditing informal controls may not be straightforward or intuitive, but it is imperative. From my personal experience, the recommendations that have been most valuable to management, and that have been part of much needed change in the organization, most often relate to informal controls.

I welcome your comments and observations.


You Get What You Monitor . . . What Are You Not Getting?

As a recovering auditor who still carries scars from the first years of Sarbanes-Oxley implementation, I am well trained in the importance of monitoring. I can preach the elements of the COSO framework and evaluate processes for broken or missing controls. However, it was not until I put my auditing ways behind me and moved into management that I began to see monitoring in a whole new light.

Monitoring provides accountability. We are accustomed to thinking about this accountability in terms of internal controls, but it applies equally to other management responsibilities, such as performance, quality and efficiency.

About 18 months ago our department decided to start tracking time so that we could plan projects better. The team member who built and monitored our time tracking system diligently emailed weekly reminders to everyone and followed up with anyone who forgot to submit a timesheet. However, when the time monitoring job moved to a new person, they only sent reminders to staff. As a result, at least one manager *guilty look* quickly stopped filing his time reports.

What changed? I knew the importance of time tracking. I was no busier than before. But there was no monitoring. As a result, time tracking quickly dropped from my priority list.

Our global finance function routinely has to gather information and enforce policies across scores of country offices. When one of these information gathering processes is not functioning properly, the temptation is to mandate better performance (send out an email and tell everyone how important the process is). However, in the situations where we have implemented regular monthly monitoring of the process and tied the results to office leadership’s scorecards, the improvements were dramatic. One office leader told me that he had no idea some of these areas were so important.

Sometimes processes are not broken, they are just not prioritized. When people are faced with more tasks than they can reasonably complete, they shift effort and attention away from the lower priorities. Monitoring communicates, emphasizes and enforces priorities. Management can use monitoring as a tool to help the organization prioritize the tasks that will yield the desired results.

Yes, monitoring is important for a sound internal control environment. But I have learned that it is much bigger than that. Monitoring can be a key to driving operational and organizational success as well.


Deciding on a Model for Evaluating Internal Controls

Worldwide there are many models to choose from when evaluating the adequacy of an internal control framework. In the US we use COSO, Canada developed COCO, the United Kingdom established Cadbury, and then there are the globally accepted ISO standards. This variety can be confusing, to say the least. Each model presents a slightly different viewpoint on internal controls. Ultimately all the models have the same goal: to provide guidelines for judging the effectiveness of controls. However, they exhibit some underlying differences because each carries the flavor of the country that created it. There is nothing extraordinary about these models; in fact they are rooted in common sense. Even so, using them can produce remarkable outcomes.

The US COSO and the UK Cadbury frameworks are both broken into five components, with only minimal differences in interpretation. The Canadian COCO focuses on the achievement of objectives and defines internal control as the elements of an organization that, taken together, support the achievement of those objectives; it emphasizes the reliability of both internal and external reporting. COSO, on the other hand, defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, and its emphasis is on the reliability of financial reporting. In the past, auditors have examined mainly hard controls; COSO, COCO and Cadbury all highlight the need to examine soft controls as well.


In the US, Sarbanes-Oxley effectively made COSO the model of choice: the SEC’s implementing rules cite it as an example of a suitable framework for management’s assessment of internal control over financial reporting. Meanwhile ISO 31000, a risk management standard rather than an internal control framework, is quickly gaining ground because it provides a generic framework for establishing the context for, identifying, analyzing, evaluating, treating, monitoring and communicating risk.

The International Organization for Standardization, widely known as ISO, is an international standard-setting body composed of representatives from national standards organizations. Founded in 1947 and headquartered in Geneva, Switzerland, it publishes industrial and commercial standards that are used worldwide. While ISO defines itself as a non-governmental organization, its ability to set standards that often become law, either through treaties or through adoption as national standards, makes it more influential than most non-governmental organizations. Its aim is to harmonize and standardize across cultures. With the exception of a small number of standards, ISO standards are not available free of charge but must be purchased, at prices some consider too high.

ISO 31000 is broadly compatible with the COSO ERM framework and is regarded by many as reflecting the current state of international risk management thinking. ISO is considered more practical and less theoretical: it defines its terms explicitly and in more detail, and it is clearly written and easier for management to understand without audit having to interpret it for them.

The most significant difference between ISO 31000 and COSO lies in the definition of risk. ISO 31000 defines risk as the “effect of uncertainty on objectives.” The ISO standard focuses more on the consequences of uncertainty, and it allows for different views of risk than COSO does, since an effect may be positive as well as negative. The focus on consequences provides a framework for considering the impact if an event were to occur.

COSO ERM defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” This definition focuses on events rather than on the consequences of events.

Many see the ISO 31000 series as a very positive development in the risk management standards landscape. While the message is not new, the simplicity of the presentation is a big plus. Perhaps we should all take a closer look at the ISO standard and see whether it can streamline our risk management process.


