COSO Overview

To fulfill the PCAOB auditing standard, SOX requires that organizations select and implement a suitable internal control framework. The COSO framework (Internal Control—Integrated Framework) has become the most commonly adopted framework. Although other suitable frameworks have been published in other countries and can contain the same elements, PCAOB recommends that they carry all of COSO’s general themes. Companies must be able to demonstrate how their IT controls support the COSO framework.

Based on the COSO framework, there are five essential components for effective internal control:

  • Control environment: The control environment establishes the basis for effective internal control and creates the ‘tone at the top’ required for successful corporate governance.
  • Risk assessment: Risk assessment includes the identification, analysis, and evaluation of risks that can impact the achievement of corporate objectives. The risk assessment component helps provide the basis for control design and related activities.
  • Control activities: The policies and procedures that are implemented for the achievement of business objectives comprise the organization’s control activities. These activities also include the various risk mitigation strategies that are put into place based on the results of risk assessment.
  • Information and communication: Information relevant to the business must be identified appropriately, and an organization’s information systems must process and report on the data effectively to support normal operations and control of the business. In addition, the organization must be appropriately structured to facilitate both internal and external communications.
  • Monitoring: Monitoring must be in place to allow the organization to detect, measure, and assess the quality and performance of internal controls over time.