In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a flexible framework for designing, implementing, and evaluating internal controls. Internal controls help reduce fraud, improve accuracy and financial reporting, and maintain consistent practices across an organization. Updated in 2013, the COSO framework isn’t a legal requirement but is considered a best practice and is widely adopted in the U.S. The framework is built around five core concepts, further broken down into 17 principles that provide guidelines on how to achieve the goals of the corresponding concept.
COSO’s core concepts include the following:
Control environment—the set of standards, processes, and structures that provide the basis for carrying out internal controls
Risk assessment—the process for identifying and assessing organizational risks
Control activities—actions that help ensure that management’s risk management directives are carried out
Information and communication— the flow of information necessary to support the internal control function, including communication between internal and external stakeholders
Monitoring—ongoing performance evaluation and reporting of any deficiencies found
COSO emphasizes that all five components must be in place and functioning in order to be effective. This doesn’t mean your executive team can’t determine which controls are most appropriate. As a principle-based framework, COSO is designed to provide flexibility. Remember, the ability to achieve your mission is sometimes based on your most valuable asset—your reputation. Adopting COSO conveys to regulators, volunteers, and donors that your organization is committed to good governance and accountability. As with any framework, it can be difficult to turn abstract concepts into operational outcomes. Understanding the cost-benefit relationship for certain controls and quantifying the organization’s risk tolerance may require outside expertise.