Laserfiche WebLink
COSO INTERNAL CONTROL FRAMEWORK <br />The clarified auditing standards applicable to governmental audits incorporate a definition of internal <br />control that is based on the internal control integrated framework developed and issued in 1992 by the <br />Committee of Sponsoring Organizations of the Treadway Commission (COSO). In May 2013, COSO <br />issued an updated framework which supersedes the original after December 15, 2014. The new COSO <br />framework retains the basic definition of internal control and its five components established in its <br />original framework, along with the fundamental requirements to consider these five components and to <br />use judgment when assessing and evaluating the effectiveness of a system of internal controls. The new <br />COSO framework enhances and clarifies a number of concepts from the original framework to make it <br />easier to use and apply. One of the more significant enhancements was the establishment of 17 principles, <br />associated with the 5 components of internal control, intended to assist users in understanding the <br />requirements of effective internal control and designing effective systems of internal control. <br />The 5 components of internal control and 17 underlying principles are as follows: <br />Control Environment — <br />1. Organization demonstrates a commitment to integrity and ethical values. <br />2. Governing body is independent from management and exercises oversight control. <br />3. Management establishes structure, reporting lines, authority, and responsibilities. <br />4. Organization demonstrates a commitment to the competence of individuals involved with <br />internal control. <br />5. Organization holds individuals accountable for internal control responsibilities. <br />Risk Assessment — <br />6. Organization specifies clear objectives for the identification and assessment of risks. <br />7. Organization identifies and analyzes risk. <br />8. Organization assesses the potential for fraud risks. <br />9. Organization identifies and assesses significant changes that could impact internal control. <br />Control Activities — <br />10. Organization selects and develops control activities to mitigate risks. <br />11. Organization selects and develops general IT controls. <br />12. Organization establishes and implements control policies and procedures. <br />Information and Communication — <br />13. Organization uses relevant, quality information to support internal control. <br />14. Organization communicates internal control information internally. <br />15. Organization communicates internal control information externally. <br />Monitoring — <br />16. Organization conducts ongoing and/or separate internal control evaluations. <br />17. Organization evaluates and communicates deficiencies to responsible parties for corrective <br />action. <br />COSO defines an effective system of internal control as one that reduces to an acceptable level the risk of <br />failing to achieve an organizational objective in the areas of operations, compliance, or reporting. <br />According to the new framework, an organization can achieve effective internal control by applying all of <br />the principles listed above. To achieve this, each of these five components and the relevant principles <br />must be present and functioning, and the five components must operate in an integrated manner. Local <br />governments should be reviewing their internal control systems to assure these principles have been <br />incorporated and implemented. <br />-21- <br />