COSO Components of Internal Controls

There are five components of internal control that are key to helping an organization achieve its mission, strategies and objectives. Each component is based on a number of principles, which in turn, have a number of important characteristics, called attributes, which explain the principles in greater detail.

The five components of an internal control system were developed by the Committee of Sponsoring Organizations’ (COSO). Founded in 1985, COSO is a private-sector organzation that was created to study the causal factors that can lead to fraudulent financial reporting. In 1992, COSO issued the COSO Internal Control–Integrated Framework, which provides guidance for designing, implementing and conducting internal control and assessing its effectiveness. The guidance was updated in 2013. While the newer framework is more extensive, COSO's initial five-element framework is particularly applicable to fraud. This section of the Internal Controls Tool provides an overview of COSO's five components for internal control.

Once familiarized with the framework, organizations should analyze the controls they have in place to support accurate financial reporting, adherence to applicable laws, and mitigation of the risk of fraud. Sometimes, such as is the case with publicly traded corporations subject to the provisions of the Sarbanes-Oxley Act or with federal agencies governed by the provisions of the Office of Management and Budget’s Circular A-123, management’s periodic evaluation of internal controls is a matter of law.

A common method used by an organization to perform an internal evaluation of its control framework is called Control Self-Assessment (csa). One of the tools used to conduct csa's has been borrowed from the auditing discipline — the Internal Control Questionnaire (ICQ).


The control environment is the foundation for an internal control system. It provides the discipline and structure that affect the overall quality of internal control. It influences how objectives are defined and how control activities are structured. The oversight body and management establish and maintain an environment throughout the entity that sets a positive attitude toward internal control.

1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
2. The oversight body should oversee the entity’s internal control system.
3. Management should establish an organizational structure, assign responsibility and delegate authority to achieve the entity’s objectives.
4. Management should demonstrate a commitment to recruit, develop and retain competent individuals.
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
 

Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
8. Management should consider the potential for fraud when identifying, analyzing and responding to risks.
9. Management should identify, analyze and respond to significant changes that could impact the internal control system. 
 

Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.

10. Management should design control activities to achieve objectives and respond to risks.
11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
12. Management should implement control activities through policies.
 
 

Management uses quality information to support the internal control system. Effective information and communication are vital for an entity to achieve its objectives. Entity management needs access to relevant and reliable communication related to internal as well as external events.

13. Management should use quality information to achieve the entity’s objectives.
14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
 

Finally, since internal control is a dynamic process that has to be adapted continually to the risks and changes an entity faces, monitoring of the internal control system is essential in helping internal control remain aligned with changing objectives, environment, laws, resources and risks. Internal control monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.

16. Management should establish and operate a monitoring mechanism that monitors both internal and external activities that impact the control system and evaluate the results.
17. Management should remediate identified internal control deficiencies on a timely basis.