COSO Provides Framework for Internal Controls
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a flexible framework for designing, implementing, and evaluating internal controls. Internal controls help reduce fraud, improve accuracy and financial reporting, and maintain consistent practices across an organization.
Updated in 2013, the COSO framework isn’t a legal requirement but is considered a best practice and is widely adopted in the US. The framework is built around five core concepts, further broken down into 17 principles that provide guidelines on how to achieve the goals of the corresponding concept.
COSO’s core concepts include the following:
Control environment—the set of standards, processes, and structures that provide the basis for carrying out internal controls
Risk assessment—the process for identifying and assessing organizational risks
Control activities—actions that help ensure that management’s risk management directives are carried out
Information and communication—the flow of information necessary to support the internal control function, including communication between internal and external stakeholders
Monitoring—ongoing performance evaluation and reporting of any deficiencies found
COSO emphasizes that all five components must be in place and functioning in order to be effective. However, this doesn’t mean your executive team can’t exercise judgment when determining which controls are most appropriate. As a principle-based framework, COSO is designed to provide flexibility.
Remember, the ability to achieve your mission is sometimes based on your best and most valuable asset—your reputation. Formally adopting COSO conveys to regulators, volunteers, and donors that your organization is committed and focused on good governance and accountability.
As with any model or framework, it can be difficult to turn abstract concepts into operational outcomes and processes. Understanding the cost-benefit relationship for certain controls as well as quantifying the organization’s risk tolerance may require some outside expertise.