
Institute of Business & Accountancy

Operational Audit

What is a Control Framework?

A control framework is a conceptual basis for formulating a set of controls for an organization.
This set of controls is intended to minimize risk through the use of practices and procedures in
a coordinated manner. The best-known control framework is the Integrated Framework, which
was developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.


COSO is a committee composed of representatives from five organizations:

1. American Accounting Association

2. American Institute of Certified Public
3. Financial Executives International
4. Institute of Management
5. Institute of Internal Auditors

The original COSO framework was developed in 1992, with the most recent version published in
2013. To understand the framework, you must understand what it covers. According to COSO,
internal control:

• Focuses on achieving objectives in operations, reporting and/or compliance
• Is an ongoing process
• Depends on people’s actions, not merely written policies and procedures
• Provides senior management with assurance of security to a reasonable degree
• Can be adapted to the needs of the whole organization as well as each department, unit
or process

Ref: Internal Control—Integrated Framework (Framework), © [2013] Committee of Sponsoring
Organizations of the Treadway Commission (COSO).


The COSO framework divides internal control objectives into three categories: operations,
reporting and compliance.

Operations objectives, such as performance goals and securing the organization’s assets
against fraud, focus on the effectiveness and efficiency of your business operations.

Reporting objectives, including both internal and external financial reporting as well as non-
financial reporting, relate to transparency, timeliness and reliability of the organization’s
reporting habits.

Compliance objectives are internal control goals based around adhering to laws and
regulations that the organization must comply with.


The COSO framework further teaches that there are five components to an internal control
system. First, control environment is the “set of standards, processes, and structures that
provide the basis for carrying out internal controls across the organization.” This component
includes your:

• Ethical values
• Organizational structure
• Commitment to employing competent employees
• Human resources policies

Next, risk assessment involves your organization’s analysis of the risks posed by internal and
external changes, the ability to establish objectives and determine their suitability for your
business and the process for weighing risks versus risk tolerances.

Control activities are the tasks and activities (laid out by organizational policies and
procedures) that help you achieve your internal control objectives. These include actions such
as “authorizations and approvals, verifications, reconciliations, and business performance

The information and communication component recognizes these two things as essential to
any internal control system. COSO stresses the importance of relevant and high-quality
information to control functions. Internal messages emphasizing the importance of control
responsibilities, in addition to clear communication of expectations with external parties, are key
to a strong system.

Finally, monitoring your internal controls is just as important as establishing them. Use
ongoing evaluations built into your business processes as well as regular separate evaluations,
which will vary based on your level of risk, system effectiveness and regulation requirements.


Developing Your Organization’s Internal Control System

The COSO framework explains that “an effective system of internal control reduces, to an
acceptable level, the risk of not achieving” objectives. When developing your system, make sure:

• All five components are present and working properly
• The five components work together as an integrated system
• It allows the organization to predict external circumstances that could impair the
achievement of your objectives and prepare for them appropriately
• It follows reporting regulations, rules and standards
• It complies with applicable laws, regulations, etc.

Using the COSO Framework

After reading the COSO framework, senior management and other decision-makers in your
organization should use it to assess your current internal control system. Does your system
meet all of the effectiveness standards? If not, make plans on how to improve it according to
COSO’s model.

Lower-level managers and employees should also familiarize themselves with the COSO
framework. Offer suggestions based on the document to senior management. Put together a
committee of employees at all levels to brainstorm ideas for a stronger internal control system.

In addition, every employee should take their role in preventing fraud seriously. Conduct your
work in a way that supports the COSO framework. For example, follow anti-fraud policies
without exception and always file timely, accurate reports.

COSO Framework Limitations

The COSO framework is a great place to start when designing or modifying a system of internal
controls. However, it is not without limitations.

They also mention that “proper execution of the COSO framework is dependent on the ability to
establish a strong, formal control environment; however, the framework provides minimal
implementation guidance.” Small businesses and startups may feel overwhelmed and
unsupported, leading them to use a model with a more detailed framework instead.

In addition, the COSO framework is not designed well to deal with objectives that fall under
multiple categories. Not every task fits neatly into either operations, reporting or compliance.
