Chapter 5 The COSO Framework is typically represented in

the form of a cube showing the components of

Control Frameworks
internal control, three categories of objectives, and
Controls are processes that restraints; processes the entity’s structure, which is represented by the
and procedures that regulate, guide, and protect an third dimension.
organization.
The COSO IC-IF helps companies across industries
Internal controls are practices put in place to create and sizes to measure effectiveness of their controls.
value for stakeholders and minimize risks, so
frameworks make it easier to manage these
diverging dynamics and evaluate the results more
systematically.
COSO’s Internal Control Integrated Framework (IC-
IF) is arguably the most widely known internal
controls framework in the world.
The National Commission on Fraudulent Financial
Reporting, was chaired by James C. Treadway,
recommended to create a framework of internal
control.
The Committee of Sponsoring Organizations
(COSO) of the Treadway Commission is a private
sector initiative founded in 1985 to sponsor the The COSO cube have 17 principles:
National Commission on Fraudulent Financial
Control Environment
Reporting. The sponsors are:
1. Commitment to integrity and ethical values
- Institute of Internal Auditors (IIA)
2. BOD exercises oversight responsibility
- American Institute of Certified Public
3. Establish structure, authority, and
Accountants (AICPA)
responsibility
- American Accounting Association (AAA)
4. Commitment to competence
- Institute of Management Accountants (IMA)
5. Enforce accountability
- Financial Executives Institute (FEI)
- Representatives from industry public Risk Assessment
accounting and investment firms
- New York Stock Exchange (NYSE) 6. Set suitable objectives
7. Identify and analyzes risks
COSO’s goal was to improve the quality of financial 8. Assess risk of fraud
reporting through a focus on corporate governance, 9. Identify and analyze significant change
ethical practices, and internal control. Emphasis is
also given to ERM and fraud deterrence. Control Activities

COSO issued the IC-IF in 1992, which was revised 10. Select and develop control activities
and reissued in May 2013 and was effective from 11. Select and develop IT GCCs
December 15, 2014. 12. Mobilize through policies and procedures

The 2013 COSO IC-IF contains 17 principles Information and Communication

representing the fundamental concepts associated 13. Use relevant information
with each component. 14. Communicate internally
COSO states that an entity can achieve effective 15. Communicate externally
internal control by applying all principles, which Monitoring Activities
apply to all operations, reporting, and compliance
objectives. 16. Conduct ongoing/separate evaluations
17. Evaluate and communicate deficiencies

The 1992 COSO Framework
The 1992 COSO framework was the first to
implement the use of “The COSO Pyramid” which
laid out the five tenets of COSO control components,
Control Environment, Risk Assessment, Control
Activities, Information & Communication and
Monitoring Activities.
Starting from the bottom up, where the completion of
one level naturally leads to the completion of the
next, these components work together to support the
risk management mission, strategy and all related
business objectives for the company.
Monitoring activities - Once the COSO framework is
implemented, it needs to be regularly monitored to
verify the controls are functioning as they should.
Control activities - Control activities come in
response to the risk items identified. These are steps
taken to mitigate risk across an organization.
Risk Assessment - Risk assessments ensure
businesses are acknowledging relevant risk items.
Assessments also provide reasonable assurance
that a business is managing risk to an acceptable
level.
Control environment - The entire organization must
be adhering to standard practices. This means
controls are implemented in every business unit.
Information and communication – must be
happening at every level.
Control Environment
This is the company itself; the working environment.
This refers to the workplace environment,
characterized by the way the organization is
structured, the manner of leadership, the degree of
openness, management’s operating style, having
and practicing the tenets of its code of ethics, and
statement of values.
This also includes the tone at the top and the degree
to which there is congruence between
management’s talk and its walk.
The tone at the top is set and promoted by the
board of directors and senior management, and it
refers to the general attitude, integrity, and ethical
practices of these individuals. It drives ethical
conduct within the organization.
Organizational culture is the collection of learned
beliefs, traditions, and guides for behavior shared
among members of the organization. It defines and
expresses shared assumptions, values, and beliefs
and it is manifested in many ways, including formal
rules and policies, norms of daily behavior, physical
settings, and modes of dress, special language,
myth, rituals, heroes, and stories.
A healthy culture and ethical environment advances
employee morale, and it also helps to improve
productivity and efficiency.
The control environment also includes the activities
related to the competence and development of
personnel, the assignment of authority and
responsibility, and the organizational structure.
According to Trompenaars, organizational culture
includes three key elements:
1. The general relationship between employees
and their organizations
2. The vertical or hierarchical system of
authority defining superiors and
subordinates (clear reporting line; POV of top
management – a clear reporting line
promotes accountability)
3. The general views of employees about the
organization’s destiny, purpose, and goals,
and their place in it.
While acting with integrity and fairness generally
characterizes ethical behavior, the following are
some examples of unethical behavior that auditor
should be on the lookout for:
1. Undue emphasis on bottom-line
performance – placing an unreasonable
 emphasis on this in ways that it becomes the
main consideration, it is likely that ethical
behaviors will be produced.
2. High-pressure sales tactics – when sales
practices are more focused on extracting
funds from customers, the
mischaracterization of the company’s
products and services increases.
3. Kickbacks or bribes – illicit payments made
to someone who has facilitated a transaction
or appointment.
Communication, Consistency, and Belief in the
Message
It is important for management to communicate
clearly, consistently, and often what is allowed and
what is not. By setting clear expectations there is a
better chance that they will be followed. But being
followed depends to a large extent on management
“walking the talk” and demonstrating through their
actions that they believe in the messages.
When there are inconsistencies between what
management says is the expected behavior, and
their own behavior, employees will see management
as hypocritical.
Having a code of ethics, codes of conduct, and
conflict of interest statement is very important to
formally establish the expectations for proper
conducts.
Code of ethics should act as a guideline or
reference point for acceptable behavior and ethical
decision-making. They should be values based,
motivate employees to conduct themselves in
ethical ways, support the questioning of authority
when ethics are challenged, and hold employees
accountable when rules are broken.
Companies may or may not have ethical values but
as professionals, we should adhere to our own
professional code of ethics.
There are two ways to ensure code of ethics are
observed and followed:
1. New employees should receive these
documents upon hire and sign-off indicating
they agree to abide by them. Training should
also be required. These should be followed
by annual refresher training.
2. Short articles, vignettes, scenarios, and
surveys that are distributed periodically to all
staff. This can be done through company’s
newsletter, e-mail, and intranet posts.
3. Running lunch and learn or brown bag lunch
Form over Substance
This consists of management practices whereby on
the surface it appears as though an essential activity
has been performed, when in fact that is not so. -
Example: Signatures are in papers but did not
undergo thorough review.
Principles underlying the Control Environment
are:
1. Commitment to integrity and ethical
values
- the organization should demonstrate a
commitment to integrity and ethical values.
- The organization should show through their
actions, and by rewarding ethical behavior
and castigating unethical behavior, that they
are committed to integrity and ethical values.
- Management must care not only about what
is achieved but by also how those results are
achieved.
- Organization must care about how
employees, communities, customers,
vendors, and other stakeholders are treated
and it imposes prompt and appropriate
sanctions on those that deviate from these
expectations.
2. BOD exercises oversight responsibility
- BOD demonstrates independence from
management and exercises oversight of the
development and performance of internal
control
- Passive BOD are terrible for internal control
as they display limited oversight over
management actions
- Key responsibilities of BOD: provide a
mission and vision for the organization, set
expectations for management, authorize
investments that show its priorities, look out
for the interests of the company’s owners
- BOD is not unduly influenced by the
management. If not, the audit committee of
the board must at least be independent
3. Establish structure, authority, and
responsibility
- Management establishes, with board
oversight, structures, reporting lines, and
appropriate authorities and responsibilities in
the pursuit of objectives
 - The organizational structure must facilitate
the assignment of responsibilities that will
ensure smooth flow of information down in
the chain of command and back in the form
of feedback (performance results, concerns,
requests for needed resources)
4. Commitment to competence
- Organization demonstrates a commitment to
attract, develop, and retain competent
individuals in alignment with objectives.
- As the primary means of production for many
organizations, employee recruitment,
selection, training, and development,
compensation, and promotion should be
based on competence, proven potential,
commitment, and performance.
- People that do not meet the technical and
ethical expectations of the organization
should undergo appropriate training and
receive appropriate sanctions.
- Failing to deal with performance and ethical
breakdowns jeopardizes the organization’s
chances of achieving its objectives.
5. Enforce accountability
- The organization holds individuals
accountable for their internal control
responsibilities in the pursuit of objectives
- When control activities are assigned, it is
imperative that management sets clear
expectations that these activities must be
performed.
- By setting accountabilities clearly, and
enforcing compliance with them, the control
environment will benefit from the discipline,
follow through, and stability that internal
controls provide.
- Objectives define the direction of the
organization and measure of its success
while controls provide protection that
necessary activities will be carried out to
mitigate risks and increase the likelihood that
those objectives will be achieved.
Entity Level Controls
These are controls on surface levels and are
applicable to the whole company.
These are used to determine if an organization’s
value, systems, policies, and processes would
enable or dissuade fraud and encourage proper
conduct.
They refer to the entity’s management style, as
reflected in the corporate culture, values,
philosophy, and operating style, the organizational
structure, and policies and procedures in place.
Typical areas of interest include (familiarize lang
daw, not memorize):
- Controls over management override
- The company’s risk assessment
methodology and techniques that identify
both risks and owners of risk
- Extent and quality of controls over
centralized processing, including shared
service environments and outsource service
providers
- Controls to monitor results of operations
- Controls over the preparation, review, and
communication of period-end financial and
operational reporting, both internally and
externally
- Policies that address significant business
control and risk management practices
- The extent, accuracy, and suitability of
policies and procedures related to
governance, operations, risk management,
control, and compliance expectations
- Hiring and retention practices
- Fraud prevention and detection controls,
including analytical procedures
- The competence, scope, and depth of the
work of the internal audit function
- Effectiveness of the whistle-blower hotline
- Adherence to the word and spirit of the code
of conduct
- IT environment and organizations
- Results of organizational self-assessment
reviews
- The depth of oversight of the company’s
disclosure committee
- The extent, competence, consistency, and
extent of tone setting and oversight
displayed by the BOD, senior and middle
management in their role as governance
providers
- Assignment of authority and responsibility
across all layers of the organizational
structure
- Account reconciliations, variance analysis
reporting, and related corrective measures
- Effectiveness of the mechanism to remediate
control weaknesses
- Management triggers embedded within IT
systems
- The establishment and reliability of physical
and logical segregation of duties
- Effectiveness of change-management
practices affecting the organization
Internal auditors are encouraged to remember
that a person’s behavior is determined by the
person and his or her environment. There a
number of different and competing forces that
combine to result in the situation the individual
encounters.
A person’s behavior may be different in unique
situations, as the person acts in part in response
to the environment.
Lewin’s equation, developed by Kurt Lewin,
states that behavior is a function of the person
and the environment, and can be expressed in
the formula:
B = f(P, E)
Where B is the person’s behavior, P is the
person, and E is the environment.
Tone in the Middle
This refers to the middle management who sets
and implement ethical behavior, or the tone in
the middle.
The manager determines and reinforces the
values, ethics, honesty, and workplace
dynamics, also influences the process of getting
customers and making sure they are happy.
This means that the tone in the middle dictates
workplace conditions leading to customer and
employee satisfaction, turnover, profits, and the
achievement of goals and objectives.
Risk Assessment
The second component of the COSO framework
relates to the identification, quantification,
analysis, and management of organizational
risks.
Risks are those events that can jeopardize the
organization’s ability to achieve its objectives.
The COSO indicates in its 2013 IC-IF that the
organization is subject to a variety of events;
some positive while others are negative. Positive
events are opportunities while negative events
are risks.
We cannot measure risk based on only one
dimension. The risks may likely happen, but the
impact is immaterial. Or the risk may not likely
happen, but the effects could be material.
Risks are typically assessed along two
dimensions:
1. Likelihood, or the probability that these
events occur
2. Impact, or the consequence if these events
occurred
Establishing objectives is a precondition to risk
assessment.
A risk assessment is the process of identifying,
assessing, and measuring risks to the organization,
program, or process under review.
It is imperative, however, before embarking on the
risks assessment journey, that relevant objectives
be identified.
Risk assessment involves a dynamic and iterative
process of identifying, analyzing, and deciding how
best to respond to these risks in relation to the
achievement of objectives.
Management specifies objectives within three
separate but related categories:
1. Reporting
- reporting considerations are arranged in four
broad categories: internal/external and
financial/nonfinancial.
- Auditors must remember that organizations
must meet reporting expectations beyond
external financial reporting.
- It includes reliability, timeliness,
transparency, or other terms set by
regulators, the organization’s policies or
other recognized standard setters.
2. Compliance
- Related to adherence to laws and
regulations to which the organization is
subject.
- Compliance requirements may also include
compliance with contractual terms and
conditions, service level agreements,
voluntary agreements, like corporate
sustainability reports.
3. Operation
 - Effectiveness and efficiency of the
organization’s operations.
- This includes operational and financial
performance goals, safeguarding assets
against loss, damage or obsolescence, and
making sure resources are obtained
economically.
Additional:
IT Controls
- Subset of internal controls related to IT
- COBIT
- ISO 17799
- ITIL

Capability Maturity Model Integration (CMMI)

- Used in project management, process
assessment, and performance improvement
environments.