ControlOrigins

COSO as Defined by the AICPA

In 1992, the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (also known as the Treadway Commission) published a document called Internal Control—Integrated Framework, which defined internal control as “a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in three categories:

-  Effectiveness and efficiency of operations. 
-  Reliability of financial reporting. 
-  Compliance with applicable laws and regulations.

Internal control can be judged as effective in each of these categories if the board of directors and management have reasonable assurance that:

-  They understand the extent to which the entity’s operations objectives are being achieved.
-  Published financial statements are being prepared reliably. 
-  Applicable laws and regulations are being complied with.

The COSO Framework consists of five interrelated components as follows:

  1. Control environment. Sometimes referred to as the “tone at the top” of the organization, meaning the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. It is the foundation for all other components of internal control, providing discipline and structure.
     
  2. Risk assessment. The identification and analysis of relevant risks to achieving the objectives, which forms the basis for determining how risks should be managed. This component should address the risks, both internal and external, that must be assessed. Before conducting a risk assessment, objectives must be set and linked at different levels.
     
  3. Control activities. Policies and procedures that help ensure that management directives are carried out. Control activities occur throughout the organization at all levels in all functions. These include activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
     
  4. Information and communication. Addresses the need in the organization to identify, capture, and communicate information to the right people to enable them to carry out their responsibilities. Information systems within the organization are key to this element of internal control. Internal information, as well as external events, activities, and conditions must be communicated to enable management to make informed business decisions and for external reporting purposes.
     
  5. Monitoring. The internal control system must be monitored by management and others in the organization. This is the framework element that is associated with the internal audit function in the organization, as well as other means of monitoring such as general management activities and supervisory activities. It is important that internal control deficiencies be reported upstream, and that serious deficiencies be reported to top management and the board of directors.

These five components are linked together, thus forming an integrated system that can react dynamically to changing conditions. The internal control system is intertwined with the organization’s operating activities, and is most effective when controls are built into the organization’s infrastructure, becoming part of the very essence of the organization.


© 2006-2012 Control Origins. All Rights Reserved