Components and principles of COSO 2013 framework
| Components | Description of the components | Principles |
|---|---|---|
| Control Environment | Control environment represents the philosophy and vision of the institution, or it is the governance culture of management, which impacts on the effectiveness of the other components of internal control. It denotes a set of standards, processes and structures that the organisation relies on to implement internal control. It includes the integrity and ethical values of the institution and the standards that enable the board of directors to carry out its responsibilities in overseeing the governance and organisational structure and in defining powers and responsibilities |
|
| Risk Management | It is the possibility that an event will occur and adversely affect the achievement of [an organisation's] objectives. It indicates that each organisation may face a variety of risks, external and internal. The assessment of risks, according to the COSO concept, is a continuous dynamic process for identifying and assessing the risks that threaten the achievement of the institution's goals |
|
| Control Activities | Control activities are procedures established through policies and arrangements that help ensure the implementation of management directives to mitigate risks related to the achievement of the entity's goals |
|
| Information and communication | It refers to the continuous and iterative process of providing, sharing and obtaining the necessary information. Communication is the means by which information is disseminated to all departments of the institution |
|
| Monitoring activities | Monitoring activities are carried out by either a continuous or discontinuous evaluation process, or a combination of them, to ensure that each of the five internal control components exists and works appropriately |
|
| Components | Description of the components | Principles |
|---|---|---|
| Control Environment | Control environment represents the philosophy and vision of the institution, or it is the governance culture of management, which impacts on the effectiveness of the other components of internal control. It denotes a set of standards, processes and structures that the organisation relies on to implement internal control. It includes the integrity and ethical values of the institution and the standards that enable the board of directors to carry out its responsibilities in overseeing the governance and organisational structure and in defining powers and responsibilities | The organisation demonstrates a commitment to integrity and ethical values The BOD demonstrates independence from management The BOD establishes structures, reporting lines and appropriate responsibilities in the pursuit of objectives Commitment to attract, develop and retain competent individuals Holding individuals accountable for their internal control responsibility |
| Risk Management | It is the possibility that an event will occur and adversely affect the achievement of [an organisation's] objectives. It indicates that each organisation may face a variety of risks, external and internal. The assessment of risks, according to the COSO concept, is a continuous dynamic process for identifying and assessing the risks that threaten the achievement of the institution's goals | Specifying objectives with sufficient clarity to identify and assess risks Identifying risks across the entity and analyzing them to determine how they should be managed Considering the potential for fraud as a possible risk Identifying, evaluating and analyzing changes that could significantly impact the system of internal controls |
| Control Activities | Control activities are procedures established through policies and arrangements that help ensure the implementation of management directives to mitigate risks related to the achievement of the entity's goals | Selection and development of control activities to mitigate risks Selection and development of technology-dependent general control activities Deployment of policies that define what is expected and procedures that implement them |
| Information and communication | It refers to the continuous and iterative process of providing, sharing and obtaining the necessary information. Communication is the means by which information is disseminated to all departments of the institution | Obtaining and using relevant and credible information Internal communication by disseminating information internally External communication on matters affecting the conduct of internal control |
| Monitoring activities | Monitoring activities are carried out by either a continuous or discontinuous evaluation process, or a combination of them, to ensure that each of the five internal control components exists and works appropriately | Conducting continuous or separate evaluations Evaluating and communicating deficiencies of internal control |
Source(s): COSO (2013)
Sharing content requires targeting cookies to be enabled. Please update your cookie preferences to use this feature.