COSO Internal Control Framework Resources Available on KnowledgeLeader

KnowledgeLeader provides best practice articles, tools, guides, and links to resources on the COSO Internal Control Framework. This page contains some examples of the many resources and tools on the COSO Internal Control Framework that are available.

Tools


Assessing Risks and Internal Controls: A Training Presentation
As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity. The appendix of the presentation defines the components of COSO.

Compliance Frameworks
Compliance frameworks connect regulatory mandates and software practices. This article outlines compliance frameworks and best practices in order to help companies assess their own competencies. Specifically, this article defines internal control frameworks which allow for better tracking and governance of identity-related information.

COSO Element – Risk Assessment: A Presentation
Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on COSO. It defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.

COSO ERM Diagnostic Questionnaire
This tool can be used to assess the effectiveness of a company’s ERM process. It is organized by the eight components of the COSO ERM Framework, and users are prompted to assess senior management’s effectiveness in performing the key elements of each of the eight components and whether or not those activities are integrated into a continuous process.

COSO Framework Description
This guide provides a brief description of the COSO framework.

COSO Implementation: A Risk-Based Approach
This presentation links the Protiviti Risk Model to the Framework, and can be used by companies who are implementing COSO concepts.

COSO Internal Control Framework Overview Presentation
This presentation explains the key parts of the Framework, in particular the objectives and components of COSO. It also defines and explains 'internal control,' 'internal control deficiency,' and 'material weakness' based on COSO.

Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. The control environment questionnaire has been updated to address topics such as management monitoring departures from established policies and procedures, and the compensation committee approving all management incentive plans tied to performance.

Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to setting the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.

Entity Level Controls - Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.

Entity Level Controls - Information and Communication Questionnaire
Information and communication is the component of internal control that ensures pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.

Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives and objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.

Entity Level Documentation Request Checklist
The COSO Internal Control – Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols, and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One way to gather such evidence is to review the corporate documentation showing that these entity-level controls are in place. This checklist provides a template for tracking the availability and status of such entity-level control documentation.

IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies. This questionnaire has been updated with topics focused on IT strategic planning; acquiring or developing application software; managing changes; and defining and managing service levels.

ITIL/COBIT Incident Management Checklist
This is the first of two checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 (Manage Problems and Incidents) identifies objectives for managing problems and incidents. The specific objectives listed in this checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. This first checklist deals with incident management.

ITIL/COBIT Problem Management Checklist
This is the second of two checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 (Manage Problems and Incidents) identifies objectives for managing problems and incidents. The specific objectives listed in this checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. This second checklist deals with problem management.

Using Risk Management Frameworks
This presentation defines and describes various types of internal controls. Then it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.


Publications


An Overview of the COSO Internal Control – Integrated Framework
This COSO training presentation from Protiviti provides an introduction to the Internal Control – Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity- and activity-level assessments, and the limitations of internal control.

Aquila’s auditing triad: SOX, ERM and entity-level internal controls
In this profile, Lynn Fountain, vice president of risk assessment and audit services at Aquila, describes Aquila’s facilitated ERM approach, which is based on the COSO model.

Can Internal Audit be too Compliance-Focused?
Contrary to popular belief (or perhaps practice), SOX is not the Holy Grail for internal audit (IA). Is it possible IA has become too focused on SOX? More specifically, is too much attention being paid to internal control over financial reporting, or reliability of financial reporting under the COSO model? In this publication, Protiviti’s Bob Hirth explores a number of questions to gain a perspective on what IA’s role should be when it comes to compliance.

Corporate Governance: A Primer, The Present & Some Predictions
Given the events and headlines of recent years it would be easy to assume that corporate governance is a relatively modern concept. Or is it? In this article, Protiviti’s Bob Hirth examines trends in corporate governance and the opportunities it presents for internal audit, especially related to enterprise risk management (ERM). Hirth also addresses the looming ERM questions of how to get started and where to begin.

The COSO Internal Control – Integrated Framework
This section of Protiviti's "Guide to The Sarbanes-Oxley Act" addresses common questions concerning the COSO Internal Control – Integrated Framework. Some topics covered are: What is COSO? How is the framework applied at the entity level/process level during the Section 404 assessment process? And, will the COSO framework on ERM affect the Section 404 assessment?

COSO Publishes Guidance on Monitoring Internal Control Systems
After two years of work, debate and research, COSO has completed its three-volume Guidance on Monitoring Internal Control Systems. This Flash Report provides an overview of the new guidance, a summary of the fundamentals of effective monitoring, a discussion of the benefits and breadth of monitoring, and insights on how to use the guidance going forward. Continued advancements in technology and management techniques ensure that internal control and related monitoring processes will change over time.

Enterprise Risk Management: Practical Implementation Ideas
It has become clear that traditional risk management approaches do not adequately identify, evaluate, and manage risk. Protiviti’s Jim DeLoach discusses how ERM transforms risk management to a proactive, continuous, and process-driven activity. Additionally, he offers practical ideas on how to implement ERM within an organization. These include articulating a risk management vision, using the capability maturity model, evaluating the existing risk management structure, and selecting the enterprise’s priority risks.

Global Technology Audit Guide (GTAG) 1: Understanding IT Controls
This document explains IT controls and audit practice in a format that allows Chief Audit Executives to understand and communicate the need for strong IT controls. Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance, and assurance.

Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success
This guide published by The IIA helps internal auditors ask the right questions of the IT organization to assess its change management capability. It is designed to help you quickly assess the overall level of process risk and determine whether a more detailed process review may be necessary. The guide provides risk indicators of poor change management, and field-tested metrics to assess the health of the change management process. It includes top five steps to reduce IT change risks and an IT change management audit program.

How can internal audit do more with COSO?
Using a recognized internal control framework, such as COSO, is now required for SOX compliance. This article explains why some companies do not believe they are getting an adequate return on their investment from using a control framework. Protiviti's Jill Benson addresses these concerns by outlining the role internal audit can take to successfully embed COSO into an organization’s culture and operations.

Information Security Governance
Because the primary purpose of any governance within a corporation is to hold management accountable to the corporate stakeholders, information security governance must have as its primary purpose the process of holding management accountable for the protection and ethical use of information assets. This article discusses information security governance structures, metrics and pitfalls.

The Process of Internal Auditing
This third section of Protiviti's "Guide to Internal Audit" addresses commonly asked questions concerning the process of internal auditing. Some of the topics covered are: How is internal audit work actually performed? What types of IT audit skills should be included in an internal audit department? What is control self-assessment? And, are internal auditors required to follow COSO?

Summarizing Risks and Developing Control Objectives
This section of Protiviti's "Guide to The Sarbanes-Oxley Act" addresses common questions concerning summarizing risks and developing control objectives. Some topics covered are: Why identify risks? How are risks identified? What are control objectives and how do they relate to risks? And, how are control objectives defined?


External Resources


Beyond Traditional Audit Techniques
This article originally published on the AICPA website discusses how, at California Federal Bank (Cal Fed), the internal audit team transformed itself into a catalyst for change as a key risk adviser. Their experience in taking an enterprise-wide view and adopting a more progressive approach to audits may serve as a model for other internal auditors to use to become a cornerstone of risk management in their own companies.

Committee of Sponsoring Organizations
This website provides background on COSO, its member organizations, conferences, and its articles and publications.

CPA2Biz
To purchase a copy of the report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO) visit the CPA2Biz website. Other COSO resources and training materials are also available.

Internal Control Checklist
An effective internal control system enables you to manage significant risks and monitor the reliability and integrity of financial and operating information. It also ensures that the audit committee acts as a powerful and proactive agent for corporate self-regulation. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the following questions to help senior executives and directors gain a better understanding of their organizations’ control systems. Source: AICPA.org

Struggling to incorporate the COSO recommendations into your audit process? Here's one audit shop's winning strategy.
This article from the COSO website describes how The Boeing Company adopted the COSO principles in part as the basis for its internal control policies and procedures. As a result, Boeing’s internal audit department began to rate the quality of the internal controls covered in each audit, and soon discovered that incorporating these standards into actual practice proved challenging. Published by the Institute of Internal Auditors.

