The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was initially formed in 1985 to help guide companies with enterprise risk management, fraud deterrence, and internal control. In 1992, COSO released the original Internal Control Integrated Framework which has been widely accepted. The traditional framework includes five interrelated components that need to function together in order to meet an organization’s operating, reporting and compliance objectives. The five components include: control environment, risk assessment, control activities, information and communication, and monitoring activities.
In an effort to keep up with technology and the corresponding changes to the market place, COSO has recently released a 2013 update. The update maintains the same five original interrelated components, but now also emphasizes 17 principles necessary to achieve effective internal controls. The 17 principles are not new, they have always been part of the framework, but are now explicitly stated as follows.
- Demonstrate commitment to integrity and ethical values
- Board of Directors demonstrate independence from management and exercise oversight responsibility
- Management establishes structures, authorities and responsibilities to meet objectives
- Demonstrate commitment to competence to meet objectives
- Enforce accountability of individuals for their internal control responsibilities
- Specify clear objectives to identify and assess risks
- Identify and analyze risks in order to manage them
- Assess fraud risks
- Identify and analyze changes that could potentially impact the system of internal control
- Select and develop control activities to mitigate risks
- Select and develop general control activity over technology
- Deploy policies and procedures to establish what is expected
Information and Communication
- Use relevant and quality information
- Communicate internally
- Communicate externally
- Conduct ongoing and/or separate evaluations to determine if components are present and functioning
- Evaluate and communicate deficiencies
The goal of the updated framework is to enable companies and auditors to more easily evaluate the effectiveness of an organization’s system of internal control.
F3’s professionals have experience in evaluating internal controls. We have assisted boards of directors, management, special committees, internal and external counsel, government agencies, and non-profit organizations assess their systems of internal control. We can evaluate existing internal controls, identify areas of risk, and make recommendations for improvement.