COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is the most widely recognized model for designing, implementing, and evaluating internal control in the United States. It provides a structured way to think about how organizations achieve their objectives through effective internal controls. For the CPA exam, understanding the COSO framework is essential—not only for the AUD section but for understanding how auditors evaluate and rely upon internal controls throughout the audit.
This section covers the objectives of internal control, inherent limitations of any control system, the five components of internal control (using the CRIME mnemonic), the details of each component and their associated COSO principles, segregation of duties, the COSO cube, the distinction between logical access and physical controls, and why the auditor obtains an understanding of internal control.
The COSO Internal Control—Integrated Framework (2013) is the standard used by the SEC, PCAOB, and AICPA for evaluating internal control. Auditors are required to obtain an understanding of internal control relevant to the audit under AU-C 315 (AICPA) and AS 2110 (PCAOB).
Objectives of Internal Control
According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in three categories:
| Objective Category | Description |
|---|---|
| Operations | Effectiveness and efficiency of operations, including operational and financial performance goals and safeguarding of assets |
| Reporting | Reliability of financial and nonfinancial reporting, both internal and external |
| Compliance | Compliance with applicable laws and regulations |
Example: Kingfisher Industries implements internal controls to ensure its manufacturing operations run efficiently (operations objective), its quarterly financial statements are accurate and complete (reporting objective), and it complies with environmental regulations governing waste disposal (compliance objective).
On the CPA exam, you may be asked to classify a specific control by which objective it addresses. A control that ensures invoices are recorded in the correct period relates to reporting. A control that ensures hazardous waste is disposed of properly relates to compliance. A control that prevents unauthorized access to the warehouse relates to operations (safeguarding of assets).
Inherent Limitations of Internal Control
No system of internal control—no matter how well designed—can provide absolute assurance. Internal control can only provide reasonable assurance because of certain inherent limitations:
| Limitation | Explanation |
|---|---|
| Management override | Management has the ability and authority to bypass controls. For example, a CEO may override an approval policy to authorize a fraudulent payment. |
| Human error | People make mistakes—data entry errors, misinterpretation of instructions, fatigue, or carelessness can all undermine controls. |
| Collusion | Two or more individuals working together can circumvent even well-designed controls. Segregation of duties, for example, can be defeated if the individuals in different roles conspire. |
| Cost-benefit considerations | Controls are implemented when the cost of the control does not exceed the expected benefit. Some risks may be accepted because the cost of mitigating them is prohibitive. |
| Faulty judgment | Decisions about the design and operation of controls are made by people using judgment, which may be flawed. |
Example: Illini Security has strong segregation of duties in its cash disbursement process—one person prepares payments, another approves them, and a third records them. However, if the preparer and the approver collude to create fictitious vendor payments, this control is defeated. This illustrates the inherent limitation of collusion.
Management override is a particularly important limitation because it cannot be eliminated by any system of controls. This is why auditing standards require the auditor to presume a risk of material misstatement due to management override of controls in every audit.
Five Components of Internal Control: The CRIME Mnemonic
The COSO framework identifies five interrelated components of internal control. A useful mnemonic is CRIME:
| Letter | Component |
|---|---|
| C | Control Environment |
| R | Risk Assessment |
| I | Information and Communication |
| M | Monitoring Activities |
| E | (Control Activiti)Es |
All five components must be present and functioning together for internal control to be effective. Let's examine each component in detail.
Control Environment
The control environment is the foundation of the entire internal control system. It sets the tone of the organization and influences the control consciousness of its people. Often described as the "tone at the top," the control environment encompasses the attitudes, awareness, and actions of management and those charged with governance.
COSO Principles for Control Environment
The COSO framework identifies five principles related to the control environment:
| # | Principle | Description |
|---|---|---|
| 1 | Commitment to integrity and ethical values | The organization demonstrates a commitment to integrity and ethical values through its code of conduct, ethics training, and disciplinary actions |
| 2 | Board independence and oversight | The board of directors demonstrates independence from management and exercises oversight of internal control |
| 3 | Organizational structure and authority | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities |
| 4 | Commitment to competence | The organization demonstrates a commitment to attract, develop, and retain competent individuals aligned with objectives |
| 5 | Accountability | The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives |
Example: At Gies Co., the CEO regularly communicates the importance of ethical behavior in town hall meetings, the board's audit committee consists entirely of independent directors, clear reporting lines are established, the company invests heavily in employee training, and performance evaluations include accountability for control responsibilities. These practices demonstrate a strong control environment.
The control environment is often considered the most important component because it provides the discipline and structure for all other components. A weak control environment undermines the effectiveness of every other control, regardless of how well designed they may be.
Risk Assessment
The risk assessment component addresses how the organization identifies, analyzes, and manages risks that could prevent it from achieving its objectives.
COSO Principles for Risk Assessment
| # | Principle | Description |
|---|---|---|
| 6 | Specify suitable objectives | The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks |
| 7 | Identify and analyze risks | The organization identifies risks to the achievement of its objectives and analyzes them as a basis for determining how they should be managed |
| 8 | Consider fraud risk | The organization considers the potential for fraud in assessing risks to the achievement of objectives |
| 9 | Identify and assess significant changes | The organization identifies and assesses changes that could significantly impact the system of internal control |
Example: MAS Inc. is a nonprofit that recently expanded its donor management system. As part of its risk assessment, management identifies the risk that the new system could produce inaccurate donor revenue reports (Principle 7), considers whether employees could exploit system access to divert donations (Principle 8), and evaluates how the technology change affects existing controls (Principle 9).
Information and Communication
The information and communication component ensures that the right information reaches the right people at the right time. This includes both internal communication (within the organization) and external communication (with regulators, auditors, and other stakeholders).
COSO Principles for Information and Communication
| # | Principle | Description |
|---|---|---|
| 10 | Obtain and use relevant, quality information | The organization obtains or generates and uses relevant, quality information to support the functioning of internal control |
| 11 | Communicate internally | The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control |
| 12 | Communicate externally | The organization communicates with external parties regarding matters affecting the functioning of internal control |
Example: BIF Partners, while auditing Illini Entertainment, evaluates the company's information system. Illini Entertainment uses an integrated ERP system that captures financial transactions, generates monthly management reports (Principle 10), and distributes internal control policies to all department managers (Principle 11). The company also has established channels for communicating with its external auditors and regulators (Principle 12).
Monitoring Activities
The monitoring activities component involves ongoing evaluations, separate evaluations, or some combination of both, to ascertain whether each of the five components of internal control is present and functioning.
COSO Principles for Monitoring Activities
| # | Principle | Description |
|---|---|---|
| 13 | Conduct ongoing and/or separate evaluations | The organization selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning |
| 14 | Evaluate and communicate deficiencies | The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action |
Example: MSA Records' internal audit department performs quarterly reviews of key financial controls (ongoing evaluation) and an annual comprehensive assessment of the control environment (separate evaluation). When deficiencies are identified—such as an access control that was not properly enforced—findings are reported to the audit committee within 30 days.
Control Activities
Control activities are the actions—established through policies and procedures—that help ensure management's directives are carried out and risks are addressed. These are the specific controls that most people think of when they hear "internal controls."
The PAIDTIPS Mnemonic
A useful mnemonic for remembering types of control activities is PAIDTIPS:
| Letter | Control Activity | Description |
|---|---|---|
| P | Physical controls | Controls over the physical security of assets (locks, safes, restricted access to warehouses) |
| A | Authorization and approval | Requiring proper authorization before transactions are processed |
| I | Independent checks / Reconciliations | Verification of work by someone other than the person who performed it |
| D | Documentation | Maintaining adequate records and audit trails |
| T | Transaction controls | Controls built into transaction processing (e.g., automated three-way matching) |
| I | Information processing controls | Controls over the accuracy and completeness of information processing, including IT application controls |
| P | Performance reviews | Comparing actual results to budgets, forecasts, or prior periods and investigating variances |
| S | Segregation of duties | Dividing responsibilities so that no single individual controls all aspects of a transaction |
COSO Principles for Control Activities
| # | Principle | Description |
|---|---|---|
| 15 | Select and develop control activities | The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels |
| 16 | Select and develop technology controls | The organization selects and develops general control activities over technology to support the achievement of objectives |
| 17 | Deploy through policies and procedures | The organization deploys control activities through policies that establish what is expected and procedures that put policies into action |
Segregation of Duties: ARC
Segregation of duties is one of the most fundamental control activities. It ensures that no single person has the ability to both commit and conceal errors or fraud. The concept is captured by the ARC mnemonic:
| Letter | Function | Description |
|---|---|---|
| A | Authorization | The power to approve transactions and decisions |
| R | Record-keeping | The responsibility to record transactions in the accounting system |
| C | Custody | Physical control over or access to the related assets |
These three functions should be performed by different individuals. When one person controls two or more of these functions, the risk of error or fraud increases significantly.
Example: At Kingfisher Industries, the purchasing manager (authorization) approves purchase orders, the accounts payable clerk (record-keeping) records invoices in the system, and the warehouse supervisor (custody) receives and controls the physical inventory. No single person can order goods, record the purchase, and receive the inventory—reducing the risk that fictitious purchases or theft goes undetected.
If segregation of duties is not feasible—common in smaller organizations—compensating controls should be implemented, such as management oversight, mandatory vacations, or independent reconciliations.
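The ARC rule above can be applied mechanically to a role table. The following Python check is an added illustration, not part of the original study notes: it flags any person holding two or more of the authorization, record-keeping and custody functions within one process, then labels the conflict as mitigated or a deficiency depending on whether a compensating control is documented. The people, processes and compensating-control entry are constructed sample data.

```python
"""Segregation-of-duties (ARC) conflict check over a constructed role table."""
from collections import defaultdict

ARC = {"authorization", "record-keeping", "custody"}

# Constructed sample data: the separated purchasing cycle from the text,
# plus a small payroll cycle where one person holds two ARC functions.
ASSIGNMENTS = [
    ("purchasing manager", "purchasing", "authorization"),
    ("accounts payable clerk", "purchasing", "record-keeping"),
    ("warehouse supervisor", "purchasing", "custody"),
    ("office manager", "payroll", "authorization"),
    ("office manager", "payroll", "custody"),
    ("bookkeeper", "payroll", "record-keeping"),
]

# Constructed: compensating controls the organization has documented per process.
COMPENSATING = {"payroll": ["owner reviews the payroll register monthly"]}


def functions_by_person(assignments):
    """Map (person, process) -> set of ARC functions that person holds."""
    held = defaultdict(set)
    for person, process, function in assignments:
        if function not in ARC:
            raise ValueError(f"unknown ARC function: {function}")
        held[(person, process)].add(function)
    return held


def find_sod_conflicts(assignments):
    """Return [(person, process, sorted functions)] for every case where one
    person holds two or more of A/R/C within the same process."""
    held = functions_by_person(assignments)
    return sorted(
        (person, process, sorted(funcs))
        for (person, process), funcs in held.items()
        if len(funcs) >= 2
    )


def classify_conflicts(assignments, compensating):
    """Label each conflict 'mitigated' when a compensating control is documented
    for that process, otherwise 'deficiency' (a finding to report)."""
    result = {}
    for person, process, funcs in find_sod_conflicts(assignments):
        status = "mitigated" if compensating.get(process) else "deficiency"
        result[(person, process)] = (funcs, status)
    return result


if __name__ == "__main__":
    for (person, process), (funcs, status) in classify_conflicts(
        ASSIGNMENTS, COMPENSATING
    ).items():
        print(f"{person} / {process}: {', '.join(funcs)} -> {status}")
```

Run with an empty compensating-control map to see the same conflict reported as a deficiency rather than as mitigated.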
The COSO Cube
The COSO framework is often depicted as a three-dimensional cube (sometimes called the "COSO cube") that illustrates the relationship between:
- Objectives (top face) — Operations, Reporting, Compliance
- Components (front face) — Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities
- Organizational structure (side face) — Entity level, division, operating unit, function
The cube demonstrates that:
- Each component applies to all three objectives
- Internal control is relevant at every level of the organization
- The five components and three objectives are interrelated and must work together as an integrated system
The COSO cube is a conceptual model. On the exam, you may be asked to identify how a specific component relates to a specific objective at a particular organizational level. For example, the control environment at the entity level affects all three objectives across all divisions.
Logical Access vs. Physical Controls
Internal controls include both logical (IT) access controls and physical controls. Understanding the difference is important for the audit.
| Control Type | Description | Examples |
|---|---|---|
| Logical access controls | Controls that restrict access to computer systems, data, and applications | Passwords, user authentication, role-based access permissions, firewalls, encryption, multi-factor authentication |
| Physical controls | Controls that restrict access to tangible assets and physical locations | Locks on doors, security cameras, safes, restricted-access areas, visitor logs, security guards |
Example: Illini Security implements both types of controls for its client monitoring data:
- Physical controls — The server room is locked with a keycard access system, and only authorized IT personnel can enter
- Logical access controls — The monitoring software requires user authentication with multi-factor verification, and role-based permissions ensure that field technicians can view but not modify client records
Logical access controls are particularly important in today's audit environment because most financial data is processed and stored electronically. Weak logical access controls can undermine even the strongest physical controls—if anyone can log into the accounting system remotely, it doesn't matter how secure the office is.
Why the Auditor Obtains an Understanding of Internal Control
Under both AICPA and PCAOB standards, the auditor is required to obtain an understanding of internal control relevant to the audit. This is not optional—it must be done on every engagement.
Purposes of Understanding Internal Control
| Purpose | Explanation |
|---|---|
| Identify and assess risks of material misstatement | Understanding controls helps the auditor determine where misstatements are likely to occur |
| Design further audit procedures | The auditor uses the understanding to design the nature, timing, and extent of tests of controls and substantive procedures |
| Evaluate the design of controls | The auditor assesses whether controls are suitably designed to prevent or detect material misstatements |
| Determine whether controls are implemented | The auditor evaluates whether the controls actually exist and are in use (as opposed to being merely described in policy manuals) |
| Identify control deficiencies | The auditor identifies significant deficiencies and material weaknesses that must be communicated to management and those charged with governance |
Understanding vs. Testing
It is important to distinguish between obtaining an understanding of internal control and testing the operating effectiveness of controls:
| Activity | Purpose | Required? |
|---|---|---|
| Obtaining an understanding | Identify and assess risks; design audit procedures | Always required on every audit |
| Testing operating effectiveness | Determine whether controls operated effectively throughout the period | Required only if the auditor intends to rely on controls to reduce substantive testing, or for integrated audits of issuers |
Example: BIF Partners is auditing Gies Co. The engagement team obtains an understanding of the revenue cycle controls by walking through the process, inspecting policy documents, and making inquiries of accounting personnel. This understanding helps the team identify that Gies Co. lacks a control over credit memo authorization—a potential risk area. The team decides to perform extensive substantive testing of credit memos rather than relying on controls.
For issuer audits under PCAOB standards, the auditor must not only understand internal control but also test the operating effectiveness of controls as part of the integrated audit of financial statements and internal control over financial reporting (ICFR). This goes beyond the AICPA requirement for nonissuers.
Summary
| Topic | Key Takeaway |
|---|---|
| IC objectives | Operations (efficiency/effectiveness), Reporting (reliability), Compliance (laws and regulations) |
| Inherent limitations | Management override, human error, collusion, cost-benefit, faulty judgment |
| CRIME components | Control Environment, Risk Assessment, Information and Communication, Monitoring, (Control Activiti)Es |
| Control environment | Tone at the top; 5 principles covering integrity, board oversight, structure, competence, accountability |
| Segregation of duties (ARC) | Authorization, Record-keeping, Custody — each performed by different people |
| PAIDTIPS | Physical controls, Authorization, Independent checks, Documentation, Transaction controls, Information processing, Performance reviews, Segregation of duties |
| COSO cube | Three dimensions: objectives × components × organizational levels |
| Logical vs. physical | Logical = IT access controls; Physical = tangible asset protections |
| Why understand IC | Required on every audit to identify/assess risks, design procedures, and identify deficiencies |