Internal Control Framework: A Practical Guide to the COSO Framework
Nick Sorenson
June 10, 2021

What is the Internal Control Framework?

The Treadway Commission’s Committee of Sponsoring Organizations (COSO) created a versatile framework for designing and managing internal controls. The framework was originally created in 1992 and most recently updated in May 2013. The update includes a clear description of the framework’s core principles.

Organizations can take advantage of the 2013 framework to design and implement internal controls in accordance with evolving business and operating environments. The new framework also helps widen the application of internal controls to address operational and reporting goals, and clarifies how you can determine whether an internal control is effective.

The 2013 COSO Framework is publicly available here.

In this article, you will learn:

  • Benefits of Effective Enterprise Risk Management
  • What are the Five Principles of the COSO Internal Controls Framework?
    • Risk Assessment
    • Control Activities
    • Information and Communications
    • Control Environment
    • Monitoring Activities
  • Implementing the COSO Framework
    • Planning
    • Evaluation and Documentation
    • Remediation
    • Testing and Reporting
    • Internal Controls Optimization
  • Automating Internal Controls with Pathlock

Benefits of Effective Enterprise Risk Management

Every organization must set a risk strategy that can continuously adapt to new challenges and opportunities. Integrating an enterprise risk management framework throughout your organization offers a number of benefits:

  • Increased opportunities—considering all possibilities, whether good or bad, allows you to identify opportunities and challenges.
  • Comprehensive risk management—you can identify and manage risks across your enterprise. Risks emerging in one area could impact other areas and affect overall performance.
  • Risk mitigation—identifying risks and responding to them allows you to maximize positive outcomes and avoid unpleasant surprises and their associated costs.
  • Stable performance—you can anticipate risks to avoid performing behind or ahead of schedule, thus limiting performance variability. This will minimize disruption and maximize profitability.
  • Improved deployment of resources—having actionable information on risk allows you to manage your response and allocate resources according to risk priorities.
  • Business resilience—being able to anticipate and react to complex changes and risks is important to the long-term viability of your enterprise.

Ultimately, risk should be regarded as an integral part of planning your business strategy, rather than a mere hindrance or potential constraint. Effective risk management allows you to identify positive opportunities as well, which can allow you to enhance performance and grow your business.

What are the Five Principles of the COSO Internal Controls Framework?

1. Risk Assessment

Every organization faces risks, meaning that various factors, internal or external, could potentially prevent it from reaching its objectives. Organizations perform risk assessments to ensure that they take only necessary and acceptable risks.

2. Control Activities

Control activities are the steps taken to help mitigate risk across an organization. The COSO framework helps organizations make sure that all activities carried out by employees are beneficial to the company’s goals and don’t involve any unnecessary risk.

3. Information and Communications

Communication, whether internal or external, is a daily occurrence for any organization. COSO provides controls to help organizations ensure that their communications follow best practices and contribute to achieving objectives.

Controls help prevent information from being shared inappropriately. Depending on the type and purpose of communication, different controls and rules may be used.

4. Control Environment

To ensure that all parts of the organization are adhering to standard practices, controls should be established across the enterprise environment. Management oversees and enforces a set of rules and procedures adopted from the COSO framework.

5. Monitoring Activities

All internal control systems must be monitored regularly to verify that controls are functioning properly. This can be done in the form of internal audits, which gather information that regulators and management can evaluate. This ongoing evaluation yields reports that reach the board of directors. Combined with external financial reports, this helps reduce the risk of fraud and achieve investor confidence.

Implementing the COSO Framework

Here are a few steps your organization can take to implement the COSO framework and improve management and maintenance of internal controls.

Planning

The implementation of the COSO framework is handled by an implementation team determined by the board, which may include managers and specialists. Typically, the audit and compliance committee, or a similar body, is responsible for implementation, and management oversight is carried out by an enterprise risk management (ERM) or internal controls body.

The team develops an implementation plan that determines the scope and timeframe, resource allocation, and staff responsibilities. Team members should have a clear understanding of what their roles are.

The implementation team should consult with the external auditors charged with overseeing the organization’s compliance. The five components of COSO are evaluated to inform the design and functions of the organization’s internal control system. The implementation plan is then communicated to the board and to management.

Evaluation and Documentation

Next, the implementation team evaluates the control structure of the organization. This should take into account whether or not the systems are centralized, whether there are formal ERM processes with risk management documentation, and the structure of entity-level controls. The more documentation and coordination there is, the easier it will be to analyze compliance with the COSO guidelines.

This phase also involves evaluating risk related to fraud, documenting the controls and processes already in place, and assessing gaps between the organization’s practices and the principles outlined in the COSO framework. Managers may also interview staff to get a clearer picture of the organization’s operations, allowing them to identify gaps.

Remediation

The next phase is to remediate any gaps identified in the assessments. This involves creating and implementing a remediation plan that prioritizes vulnerabilities according to the risk they pose to the organization. The plan should include targets and timeframes for implementation.

Testing and Reporting

This phase involves designing testing procedures for controls that are identified as critical, to make sure that they are effective. Tests should take into account the description of the control and the type of risk to be mitigated.

Testing methods include inquiring about how controls work, observing controls in operation, and performing data analysis, all aimed at understanding the design and function of the controls. Test results must be reported to management.

Internal Controls Optimization

Controls can be developed or altered to better meet the organization’s needs, taking into consideration the required functions of the controls—reconciliation, supervision, verification, etc.

Controls can be preventive, detective or corrective, depending on when they occur in relation to a process. They might be automated, manual or hybrid, and may sometimes have physical functions.

COSO’s internal control framework helps organizations match their controls to their identified risks and goals. Continuous monitoring of controls is essential to ensuring their continued effectiveness—when a control failure is identified, it should be carefully studied to ensure proper remediation.

Automating Internal Controls Auditing with Pathlock

Internal controls testing is a time-consuming and expensive process. Organizations typically have 200+ key internal controls to prove each type of compliance, and each control takes 40 or more hours to test. Furthermore, internal controls testing is a once-a-year, error-prone process that only looks at 3-5% of the activity in a given enterprise.

Pathlock shifts organizations towards a continuous controls monitoring approach, which proactively monitors controls and reports on violations of those controls in real time. Organizations can have complete visibility into their compliance status at all times, so they are always prepared for the next audit.