The COSO, or Committee of Sponsoring Organizations, Framework was the internal control framework created in 1992.  This original framework described internal control, outlined the components involved in effective internal control, provided guidance as to how to evaluate internal control, and addressed the internal control reporting required for public companies.

After this framework was issued, it got people (business owners and CPAs) thinking and talking about how internal controls affect businesses and the management of such businesses, and it laid the groundwork for future internal control standards for auditors.  However, a review of the Framework revealed some shortcomings, such as differing definitions of internal control and differing opinions on how the effectiveness of internal control should be determined, among others.

Following that review, the Framework needed improvement.  Additionally, there have been dramatic changes to business environments since 1992, including the drastic increase in electronic transactions and a call for greater transparency in light of the increased number of business scandals.

In May 2013, COSO issued an updated framework, Internal Control – Integrated Framework (2013 Framework), to further assist businesses in designing, implementing, and evaluating internal controls in today’s business environment.  This new Framework is effective now and should be referenced by all businesses.

Some of the considerations taken into account with the new Framework are as follows:

  • Expectations relating to governance oversight
  • Changes and greater complexities in business
  • The ways in which markets and operations have become more globalized
  • Demands and complexities in laws, rules, regulations, and standards
  • Changes in and increased use of technology
  • Expectations relating to competencies and accountabilities
  • Expectations relating to the prevention and detection of fraud

Also within the new Framework, the main concepts are described as principles, in order to make it more user-friendly and easier to apply.  The 2013 Framework describes 17 principles associated with the five basic components of internal control and points out that, in order for internal control to be effective, each of the five components of internal control must be present and functioning.  Listed below are the five basic components of internal control, as well as the corresponding 17 principles:

Control Environment

  1. The entity demonstrates a commitment to integrity and ethical values.
  2. The board of directors or audit committee demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting.
  3. With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of financial reporting objectives.
  4. The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting objectives.
  5. The entity holds individuals accountable for their internal control responsibilities.

Risk Assessment

  1. The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives.
  2. The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed.
  3. The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives.
  4. The entity identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

  1. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives.
  3. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

  1. The entity obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting.
  2. The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control over financial reporting.
  3. The entity communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

  1. The entity selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning.
  2. The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors or audit committee, as appropriate.

To clarify how to interpret and apply the principles described above: controls consist of policies and procedures within the Organization’s internal control process.  Policies are management’s statements of what should be done to effect controls, and procedures are actions to implement such policies.

An assumption could be made that this Framework would not apply to small businesses or organizations.  However, it is important to note this Framework is applicable for all types of entities (public, nonpublic, governmental, nonprofit, etc.) of all different sizes.  This also includes entities receiving federal grant funding needing to adhere to the new Uniform Grant Guidance guidelines.  See previous KT newsletter articles regarding the Uniform Grant Guidance guidelines.

Future KT newsletters will review the 17 principles in more detail. Please contact Traci Hanson, Shelley Goodrich, or Sandra Weaver with specific questions.  The Framework can be purchased from COSO’s website at