Skip to main content

COSO Provides Framework for Internal Controls

Nonprofit Insights: COSO Provides Framework for Internal Controls
Karyn A. Nunn

September 23, 2019

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a flexible framework for designing, implementing, and evaluating internal controls. Internal controls help reduce fraud, improve accuracy and financial reporting, and maintain consistent practices across an organization. Updated in 2013, the COSO framework isn’t a legal requirement but is considered a best practice and is widely adopted in the U.S. The framework is built around five core concepts, further broken down into 17 principles that provide guidelines on how to achieve the goals of the corresponding concept.

COSO’s core concepts include the following:

Control environment—the set of standards, processes, and structures that provide the basis for carrying out internal controls

Risk assessment—the process for identifying and assessing organizational risks

Control activities—actions that help ensure that management’s risk management directives are carried out

Information and communication— the flow of information necessary to support the internal control function, including communication between internal and external stakeholders

Monitoring—ongoing performance evaluation and reporting of any deficiencies found

COSO emphasizes that all five components must be in place and functioning in order to be effective. This doesn’t mean your executive team can’t determine which controls are most appropriate. As a principle-based framework, COSO is designed to provide flexibility. Remember, the ability to achieve your mission is sometimes based on your most valuable asset—your reputation. Adopting COSO conveys to regulators, volunteers, and donors that your organization is committed to good governance and accountability. As with any framework, it can be difficult to turn abstract concepts into operational outcomes. Understanding the cost-benefit relationship for certain controls and quantifying the organization’s risk tolerance may require outside expertise.


Image of a woman at a computer with the words "Put our expertise to work. We combine deep industry knowledge, experience and innovation to solve your company's most complex problems." Click to talk to an advisor.

Unlock industry secrets.

Mueller Prost insights, delivered right to your inbox.

Sign Up.

Related Insights