COSO Presentation-An Internal Control Framework

COSO - An Internal Control
Framework
CONTROLLING
RISKS REACHING
GOALS
Prepared by Michael Paul, CGFM
COSO - An Internal Control
Framework
• landmark report commissioned by the
Committee on Sponsoring Organizations of
the Treadway Commission (COSO).
• Basis of State Comptroller’s guidance for
chapter 647.
Why Internal Control?
Managers need to meet objectives of their
unit
Risks exist to meeting those objectives
Controls minimize those risks
Managers, not accountants, are ultimately
responsible for this.
OBJECTIVES, RISKS, CONTROLS:
• Compliance with laws, regulations,
policy and procedures
• Accomplishment of mission
• Reliability of information
• Efficient and effective use of resources
• Safeguarding of assets
OBJECTIVES, RISKS, CONTROLS
COSO combines the five objectives above into three:
• Compliance
• Reliability
• Effectiveness and efficiency of operations (combining accomplishment of mission, efficiency and effectiveness, and safeguarding of assets)
OBJECTIVES, RISKS, CONTROLS
• Define the risks
• Evaluate each risk
– likelihood
– cost of loss
– duration and its side effects
• Prioritize
OBJECTIVES, RISKS, CONTROLS
• We have risk
• We have identified it
• Measured it
• Prioritized it
• How to diminish it? ACTION
Control worksheet
(example)
Objectives | Risks | Controls
Collect all your A/R | Lazy staff might write off testy clients' accounts | Separate adjustment entry access from collection duty
Assure that receipts all go into state treasury | Receipts staff might steal and cash checks | A/R staff follow up on open receivables
COSO: 5 Control Elements
• 1. Control Activities*
• 2. Risk Assessment
• 3. Information & Communication
• 4. Monitoring
• 5. Control Environment
(initial letters spell the "CRIMES" mnemonic)
* what most people think IC means
INTERNAL CONTROLS
To create ICs…
• PPR Objectives: “CARES”- Compliance with
rules, Accomplishment of mission, Reliability of
information, Efficiency, Safeguarding assets
• Risk: Define, Evaluate, Prioritize, Diminish
• Controls: “CRIMES”- Control activities, Risk
Assessment, Information & Communication,
Monitoring, Control Environment
• Across each function and units
The COSO NET
[diagram: a grid crossing the five components (Control Activities, Risk Assessment, Information & Communication, Monitoring, Environment of Control) with the three objectives (Economy & Efficiency, Reliability of reports, Compliance with laws & regs.)]
apply to each function in each unit
ENVIRONMENT
• Integrity & ethical values
• Commitment to competence
• Organizational structure
• Assignment of authority and responsibility
• Human resources practices
• Board participation
• Management style
RISK
• Changes in operating
environment
• New personnel
• New Information
systems
• Rapid growth
• New technology,
• New services, activities
• Restructurings
• New accounting
procedures or rules
RISK
INHERENT RISK + CONTROL RISK + DETECTION RISK = RISK OF PROBLEM GOING UNDETECTED
• Inherent risk: the item itself
• Control risk: controls malfunction
• Detection risk: missed by auditors
(The auditing literature's audit risk model combines these factors multiplicatively, inherent × control × detection, rather than by addition; the point of the slide is that all three contribute to a problem going undetected.)
Control Risk “Events”
• Management and auditors thoroughly
brainstorm scenarios of what could go
wrong in each process. (fraud, waste,
abuse, errors, etc.)
• Do these before you create controls
… or try to assess if they are effective
ACTIVITIES*
"Hard controls"
• Transactions only as authorized by management
• Periodic counts and reconciliation of records to assets; action on variances
• All transactions are recorded for reporting & accountability
• Physical controls over access to assets and records
• Segregation of
  – Authorization
  – Asset custody
  – Record keeping
• Reports of budget or prior period vs. actual
• EDP (electronic data processing) requires checks of accuracy, completeness and authorization of transactions
• Activities are not the whole picture…
* what most people think IC means
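The segregation-of-duties control above (keeping authorization, asset custody and record keeping in separate hands, and the worksheet's specific rule that adjustment-entry access be separated from collection duty) is something an identity team can check mechanically against role assignments. The following is an added example, not code from the presentation or from COSO; the role names, the role-to-duty mapping and the user assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not part of the COSO presentation. ROLE_DUTIES, the role
names and SAMPLE_ASSIGNMENTS are constructed for illustration only.
"""
from itertools import combinations

# The three duty classes the page says must be held by different people.
AUTHORIZATION = "authorization"
CUSTODY = "custody"
RECORD_KEEPING = "record_keeping"

# Assumed mapping from IAM roles/entitlements to duty classes (constructed).
ROLE_DUTIES = {
    "ar_adjustment_entry": {RECORD_KEEPING},  # can write off / adjust receivables
    "ar_collection": {CUSTODY},               # handles incoming customer checks
    "cash_receipts_deposit": {CUSTODY},       # deposits cash and checks
    "ap_invoice_approval": {AUTHORIZATION},   # approves payments
    "ap_payment_release": {CUSTODY},          # releases funds
    "gl_journal_entry": {RECORD_KEEPING},     # posts to the general ledger
    "ar_followup": set(),                     # review-only, no conflicting duty
}

# Role pairs the worksheet calls out as incompatible regardless of duty class.
EXPLICIT_CONFLICTS = [frozenset({"ar_adjustment_entry", "ar_collection"})]


def duties_for(roles):
    """Union of the duty classes granted by a set of roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(assignments):
    """Return {user: [finding, ...]} for every user with an SoD problem.

    A finding is raised when a user (a) holds roles not in the duty map,
    which cannot be assessed, (b) holds two or more of the three duty
    classes, or (c) holds an explicitly incompatible role pair.
    """
    findings = {}
    for user, roles in assignments.items():
        roles = set(roles)
        issues = []
        unknown = roles - ROLE_DUTIES.keys()
        if unknown:
            issues.append("unmapped roles: " + ", ".join(sorted(unknown)))
        for a, b in combinations(sorted(duties_for(roles)), 2):
            issues.append(f"holds both {a} and {b}")
        for pair in EXPLICIT_CONFLICTS:
            if pair <= roles:
                issues.append("incompatible roles: " + " + ".join(sorted(pair)))
        if issues:
            findings[user] = issues
    return findings


# Constructed sample assignments: alice and bob violate SoD, erin holds an
# unmapped role, carol and dave are fine (one duty class each).
SAMPLE_ASSIGNMENTS = {
    "alice": ["ar_adjustment_entry", "ar_collection"],
    "bob": ["ap_invoice_approval", "ap_payment_release"],
    "carol": ["ar_followup", "gl_journal_entry"],
    "dave": ["ar_collection", "cash_receipts_deposit"],
    "erin": ["legacy_admin"],
}

if __name__ == "__main__":
    for user, issues in sorted(sod_conflicts(SAMPLE_ASSIGNMENTS).items()):
        for issue in issues:
            print(f"{user}: {issue}")
```

Treating unmapped roles as a finding rather than ignoring them is deliberate: a role nobody has classified is exactly where a conflicting entitlement hides, and the check should fail loudly until the map is complete.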
MONITORING
3 ways:
• Normal routine actions
• Internal auditors
• External audits and reviews
INFORMATION &
COMMUNICATION
• Enable us to capture & exchange info to
conduct, manage and control operations
• Accounting system: GL and sub-ledgers
• Training & supervision
• Procedure manuals
• Feedback… Fraud Hot lines
Benefits of COSO
• Big Picture -
organization wide, efficiency, etc.
• Soft Controls as well -
trust, management style,
understanding of procedures, etc.
• Better Quality
• Controls integrated with the rest of the
business
• Balance of cost vs. benefit
CAVEATS...
• Don’t go wild. COSO is one way to approach IC.
• Use it as new controls are added or as questions arise
• COSO is a mind-set. Keep these ideas in mind as
controls are addressed
• COSO is used wholesale mostly in large corporate
settings with internal audit departments, able to do a
business-wide Control Self-Assessment.
So…
• Don’t worry, be happy?....
Or
• an ounce of prevention is worth a pound of cure
COSO
AICPA: “This landmark report was commissioned by the Committee on Sponsoring Organizations of the
Treadway Commission (COSO). It establishes a common definition of internal control that services the
needs of different parties for assessing and improving their control systems.
COSO's groundbreaking report includes:
Executive Summary
Framework
Reporting to External Parties
Evaluation Tools
The Addendum to Reporting to External Parties is also included. It:
"encourages management that reports to external parties on controls over financial reporting to also cover
controls over safeguarding of assets against unauthorized acquisition, use, or disposition."
It defines such controls and provides a suggested form of report.
Five Evaluation Tools are now available on disk, one for each of the internal control components
identified in Integrated Framework for Internal Control. Columnar MS Word templates contain internal
control risks, objectives, components and elements with spaces and columns for management or other
evaluators to record their assessments, observations and conclusions.
“Everyone in your firm or company who works with internal controls should have his or her own copy.”
https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/Sub+1/Internal+Control+-+Integrated+Framework.htm