Internal Controls

What are internal controls?

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a report called The Internal Control Integrated Framework, also known simply as the COSO Report or the COSO Framework. Its definition of internal control has become widely accepted: “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

What is the COSO Framework for internal controls?

The COSO framework for internal controls was originally published in the 1992 COSO Report, but has since been updated. According to the 2013 version of the COSO report, internal controls are defined by 17 guiding principles broken down into five categories: 

  • Control environment
    • Commitment to integrity and ethics
    • Oversight responsibility
    • Establishing structure, authority and responsibility
    • Commitment to competence
    • Enforcement of accountability
  • Risk assessment
    • Specification of objectives
    • Risk identification and analysis
    • Fraud risk assessment
    • Identification and analysis of significant change
  • Control activities
    • Selection and development of risk mitigation activities
    • Selection and development of general technology controls
    • Deployment of controls-based policies and procedures
  • Information and communication
    • Use of relevant, important information
    • Internal communications
    • External communications
  • Monitoring
    • Ongoing or separate evaluations of processes
    • Evaluation and communication of known deficiencies in program

What is an internal control framework? 

A control framework is an organization’s individual implementation of its own sense of internal control, most often guided by the general principles and procedures laid out by the COSO Framework.

How do internal controls play a part in accounting?

In accounting, internal controls often focus on seven operational principles identified as being conducive to best practices in accounting:

  • Separation of duties of bookkeeping, deposits, reporting, and auditing
  • Access controls to different parts of the accounting system to prevent any unauthorized access to it and its data
  • Physical audits of cash and assets
  • Documentation used for financial transactions, inventory receipts and expenses
  • Trial balances to test the accuracy and balancing of financial books
  • Reconciliations to ensure that accounting balances match up with balances held by external entities, such as banks and suppliers
  • Approval authority to prove that transactions have been adequately reviewed and approved at all levels

Accounting & Auditing Update Blog

House panel ponders rollbacks, including internal control audits

Tammy Whitehouse | July 19, 2017

A House sub-committee is asking whether federal regulation has hindered the growth of public companies, including Sarbanes-Oxley auditing of internal controls.

Short Cuts Blog

Walter Shaub, Bitcoin, and IPOs

Katherine O'Hara | July 7, 2017

In case you missed it, Ethics Office Director Walter Shaub resigned after differences in opinion with the administration, bitcoin offers evaders new tax havens after the Panama Papers leak, and IPO regulations are taking the spotlight in this week's rundown of compliance news from around the web.

Accounting & Auditing Update Blog

Auditors get notice to scrutinize SAB 74 disclosures

Tammy Whitehouse | June 29, 2017

Auditors have been notified to be alert to whether corporate SAB 74 disclosures about pending new accounting standards are adequate.

Accounting & Auditing Update Blog

SOX exemption saves plenty, costs more, study says

Tammy Whitehouse | June 21, 2017

A new study calculates the cost and benefit of exempting smaller companies from SOX internal control audits — and it suggests investors aren't better off.

News Article

Evolving toward a modernized compliance program

Jaclyn Jaeger | June 20, 2017

The key to building a truly forward-facing compliance function is to make it proactive and predictive, visionary, and strategic. And none of that is particularly easy.

News Article

In the final push to new revenue rules, some turn to manual solutions

Tammy Whitehouse | June 20, 2017

Delays in preparing for new revenue recognition requirements are starting to pinch the IT timeline, forcing many companies to develop manual workarounds.

The Man From FCPA Blog

British Airways learns a lesson on controls

Tom Fox | June 12, 2017

The recent power failure at British Airways that stranded more than 75,000 holiday passengers is a reminder to companies of the importance of internal controls.

News Article

How two companies successfully merged their compliance functions

Jaclyn Jaeger | May 31, 2017

When Johnson Controls and Tyco merged in 2016 to form Johnson Controls International, the merged entity created a single compliance function that was greater than the sum of its parts.

News Article

Have you vetted fraud risk under new revenue standard?

Tammy Whitehouse | May 23, 2017

The risk of fraud in revenue recognition is growing as companies’ sluggish adoption of new rules creates fresh opportunities for would-be perpetrators.

Accounting & Auditing Update Blog

Senators press PCAOB for answers on KPMG audit of Wells Fargo

Tammy Whitehouse | May 1, 2017

U.S. Senators are asking how KPMG could know Wells Fargo had fake accounts on the books, but not flag it as relevant to the financial statement audit.