KnowledgeLeader provides best practice articles, tools, guides and other resources on the COSO Internal Control Framework. This page contains some examples of the many resources and tools on the COSO Internal Control Framework that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2013 Sarbanes-Oxley Survey Review Sheds Light on Compliance Process
In this article, three Protiviti experts discuss recent challenges observed from Protiviti’s 2013 Sarbanes-Oxley Survey: Building Value in Your SOX Compliance Program.
2014 Sarbanes-Oxley Compliance Survey
Interestingly, many companies appear to be moving rather slowly to adopt the new COSO framework, even though it is recommended for fiscal year-end dates beginning on or after December 15, 2014. Of note, the Securities and Exchange Commission (SEC) has specifically pointed out that it is monitoring the transition by issuers to the new framework as part of their documenting internal control over financial reporting. In this report, we offer detailed breakdowns of this and numerous other findings by filer status and company size. Our key findings this year include: Companies are getting started, albeit slowly, with implementing the new COSO framework; There is measurable fallout from the PCAOB’s inspection reports; Compliance costs are going up but are still manageable for many; Organizations continue to automate more processes and controls.
A Risk-Based Approach to Implementing COSO
This presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies implementing COSO concepts.
Adopting the 2013 COSO Framework: Fiscal 2015 Update
This article outlines findings regarding adopting COSO 2013 and suggests that it’s just a matter of time before all companies use the revised framework in conjunction with their annual evaluations.
Are You Protecting Your Digital Assets?
Safeguarding assets has been an important objective of all organizations for centuries. In today’s digital age, however, what does safeguarding your assets really mean? Who is responsible for it? And how is “protection” actually achieved?
Assessing Risks and Internal Controls Guide
This presentation was developed to help with training process owners to assess risks and take responsibility for managing internal controls.
Capital Projects Audit Work Program
This work program focuses on the capital projects process. It focuses on identifying and prioritizing risks, evaluating internal controls and assessing the maturity of this business process.
Control Self-Assessment Questionnaire: COSO
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This questionnaire can be used to assess an organization’s use of the COSO framework.
Controls Monitoring Quarterly Assessment Report
This is an example report of internal audit’s quarterly assessment of the ongoing controls monitoring processes. This report provides an overview of the work performed and corresponding audit findings.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
COSO 2013 and the Implications to IT Controls
As organizations transition to COSO 2013 from the earlier 1992 version, adopters will find themselves taking a hard look at the updated framework’s 17 principles as well as their impact on IT controls.
COSO 2013 Implementation Webinar: Your Questions Answered
In this article, Keith Kawashima addresses some SOX-specific questions regarding the application of COSO 2013.
COSO 2013 Internal Control–Integrated Framework Executive Summary
COSO's 2013 Internal Control–Integrated Framework (Framework) is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control. This executive summary provides an overview of the updated Framework.
COSO 2013: Keeping Up With the Times
A lot has changed in business and operating environments during the intervening decades since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the initial 1992 framework. This article provides a breakdown of what an organization needs to know in order to transition to COSO 2013, including key changes to the framework, its limitations on internal control, and suggested next steps for implementation.
COSO 2013: What Have We Learned?
United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 202 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability. No doubt Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other important lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.
COSO 2013: Why Should You Care?
The updated COSO Internal Control – Integrated Framework has been out for over a year. Many companies are now using the updated Framework to evaluate their internal control over financial reporting to comply with Section 404 of the Sarbanes-Oxley Act of 2002. The COSO Framework emphasizes the importance of the tone at the top and the board of director’s responsibility for overseeing the development and performance of internal control. This issue of Board Perspectives: Risk Oversight explores six reasons why the board, or one or more of its committees, should care about the updated Framework and offer pertinent questions for boards to consider.
COSO Element: Risk Assessment
This 42-page presentation thoroughly examines risk assessment as it relates to the COSO Internal Control Framework, from objective setting to risk identification, risk analysis, and risk assessment evaluation.
COSO ERM Diagnostic Questionnaire
This tool can be used to assess the effectiveness of a company’s ERM process, specifically senior management’s effectiveness in performing the key elements of the eight components of the COSO ERM Framework.
COSO ERM: What It Means to the Board
This issue of Board Perspectives summarizes five significant takeaways from the new COSO ERM framework.
COSO/COBIT Application Change Control and QA Control Objective Risk Matrix
This Risk and Control Matrix focuses on high-level control objectives AI2, AI5, and AI6 of the COBIT Acquire and Implement domain, PO10 and PO11 of the Plan and Organize domain, and DS11 of the Deliver and Support domain.
Effective Use of Executive Sessions When Overseeing Risk
Executive sessions may be held by independent directors for a number of reasons; depending on the organization’s culture and circumstances, certain issues require more candid, confidential conversations and consequently, a more limited audience. Used appropriately, executive sessions can be an important part of a board’s risk oversight process. Our focus in this issue of Board Perspectives: Risk Oversight, is on how to use executive sessions as part of the board of director’s risk oversight process. These meetings present an opportunity for directors to obtain unfiltered input from selected executives, who otherwise might be influenced to couch or hold back on their responses to questions in the presence of senior executives.
Enterprise Risk Management: Practical Implementation Advice
Many executives do not know the value proposition of Enterprise Risk Management (ERM). Some may even consider ERM a fad or “flavor of the month,” and are just humoring the dialogue, wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This issue of The Bulletin addresses this and other relevant questions.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Information and Communication Questionnaire
Information and communication is the component of internal control that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their job responsibilities. This excel-based template provides a number of COSO elements and their related control objectives for entity level controls.
Entity Level Controls - Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity-Level Assessment Report
The purpose of this report is to document management’s assessment of the COSO internal control components – control environment, risk assessment, control activities, information and communication, and monitoring – at the entity level.
Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity-Level Controls Memo
This memo outlines a process for reviewing entity-level controls.
Entity-Level Questionnaire Results Report
This report provides an analysis of a company’s entity-level controls under the COSO framework. Key sections include control environment, risk assessment, control activities, information and communication, and monitoring.
Entity-Level Risk Assessment Audit Report
This sample audit report presents findings from an entity-level risk assessment review.
ERM Concepts, Process and Objectives – Guide
This presentation defines risk management (what it is, and what it is not). It also outlines a five-part risk management framework: Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, Treat Risks.
ERM Summary Approach – Guide
Identifying, understanding and evaluating the organization’s most significant risk areas will set the foundation for a robust ERM program. This guide outlines an approach to building ERM capabilities that includes the following components: planning, facilitated risk discussion, risk analysis, external verification, management review and gap assessment.
Happy Cow vs. Hedgehog: Getting Straight on Principle 8
Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 and for other purposes, but are still struggling with Principle 8—a critical part of the Risk Assessment component of COSO 2013.
How COSO Frameworks Improve Organizational Performance and Governance
Since their inception, COSO’s Enterprise Risk Management — Integrated Framework and Internal Control — Integrated Framework (the COSO frameworks) were intended to provide guidance for management on how to implement and evaluate effective enterprise risk management (ERM) and internal control processes, leading to the improvement of management and governance processes. When applied effectively, the frameworks’ concepts contribute to the end result of improving organizational performance and governance in significant ways. The COSO frameworks use a common language for risk-focused communications, enabling directors, executive management, and internal and external stakeholders to communicate more effectively regarding risk, risk management and internal control. This booklet illustrates how the enterprise risk management (ERM) framework and the new internal control framework can enhance organizational performance, governance, strategy setting and management processes.
Information and Communication Audit Work Program
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the information and communication component of the COSO Framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Internal Controls Sustainability Training Guide
This training presentation focuses on building a sustainable internal control process. This type of process focuses on developing and executing a communication plan, monitoring the business and rule changes, and analyzing for continuous improvement opportunities.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies. This questionnaire has been updated with areas defined in COBIT 4.1.
Monitoring Audit Work Program: Sample 2
The objective of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO. It specifically focuses on the attributes of ongoing monitoring, separate evaluations and reporting deficiencies.
Monitoring Controls (Entity-Level) Audit Work Program
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO, as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies. Each section of this work program focuses on a specific attribute and the documentation that evidences the operating effectiveness of entity-level controls. After each attribute, the work program details the steps for evaluating each entity-level control.
Protiviti Flash Reports
This page provides links to and summaries of the Protiviti analysis - flash reports - that have been released in conjunction with changes and announcements from COSO, the PCAOB, or the SEC.
Quality Assurance Function Charter
The quality assurance function helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and corporate governance processes in the organization. Example responsibilities include: risks are appropriately identified and managed; interaction with the various governance groups occurs as needed; and significant financial, managerial and operating information is accurate, reliable and timely. This charter describes the purpose, responsibilities and authority of a distinct quality assurance function that reports directly to the audit committee.
Raising the Bar: Auditing Your Enterprise Risk Management Program
Risk management is not an end in itself; it has value only if it assists a company to achieve its business long-term objectives. Internal auditors, in both their assurance and consulting roles, contribute to ERM in various ways. In this article, we offer insight into how auditors can provide an objective assessment of a company’s ERM efforts, including where the company can improve.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
Sarbanes-Oxley Section 404 Management Testing Plan Policy
This sample policy helps to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of a company and its subsidiaries’ internal control over financial reporting.
Sarbanes-Oxley Section 404 Project Conclusion Memo
This memo documents an organization’s approach to Sarbanes-Oxley Section 404 compliance and concluding results from the annual assessment.
Sarbanes-Oxley Testing Strategy Memo
This memo documents a company's high-level testing strategy for Sarbanes-Oxley compliance.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Setting the 2014 Audit Committee Agenda
The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. The risks companies face in today’s global business environment create uncertainty for executive management and the board of directors. Given the uncertainties of the environment, this issue of The Bulletin offers observations and ideas for consideration by boards of directors and their audit committees when setting the 2014 agenda. We present 10 major challenges many companies will face over the next 12 months and summarize an agenda that is broken down into enterprise process and technology risk issues and financial reporting issues.
Taking the Best Route to Managing Fraud and Corruption Risks
Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and the fraud risk management frameworks used to combat them. In this report, we detail notable findings that emerged from our survey.
The Current State of Board Risk Oversight
To develop deeper knowledge of the risk oversight process, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey regarding the risk oversight responsibilities of the board of directors and how those responsibilities are being performed. This issue of The Bulletin highlights the findings and recommendations of that survey.
The Global Privacy and Information Security Landscape FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Global Privacy and Information Security Landscape FAQ
, which discusses over 350 key laws and regulations, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the European Union General DP Directive, and the Electronic Communications Privacy Act.
The Updated COSO Internal Control Framework
In May of 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its long-awaited updated Internal Control – Integrated Framework (New Framework). The New Framework is an important development; it facilitates efforts by organizations to develop cost-effective systems of internal control and supports organizations as they adapt to the increasing complexity of a changing business environment. Companies using the 1992 framework should familiarize themselves with the New Framework and companion materials, determine their transition plan, and communicate to the appropriate stakeholders the release of the New Framework and its implications to the organization. In this booklet, we address various questions regarding the New Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
The Updated COSO Internal Control Framework FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Updated COSO Internal Control Framework FAQ, which addresses various questions regarding the 2013 new Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Top 10 Lessons Learned From Implementing COSO 2013
In this issue of The Bulletin, we share 10 lessons learned from COSO 2013 successful implementations from a variety of sources—working with our clients, information gathered from thousands of attendees at our webinar series, and our annual SOX Compliance Survey.
Updated COSO ERM Framework: What's New?
This issue of The Bulletin discusses why the COSO ERM Framework needed to be updated and how the focus is now on what is really important in making enterprise risk management work within an organization.
Updated COSO Internal Control Framework: Frequently Asked Questions
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence, has released its long-awaited updated Internal Control – Integrated Framework (New Framework). The original version, released by COSO in 1992, has gained broad acceptance and continues to be recognized as a leading resource to provide guidance on the design and evaluation of internal control. The New Framework issued by COSO is an important development, as it enables organizations to develop systems of internal control effectively and efficiently. It In this issue of The Bulletin, we address various questions regarding the New Framework, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Using the COSO Internal Control - Integrated Framework for Sarbanes-Oxley Compliance (KLplus CPE Course)
The SEC has ruled that the criteria on which management’s evaluation of internal controls is based must be derived from a suitable, recognized control framework. The SEC points out in the final rule that the COSO Internal Control – Integrated Framework satisfies this requirement.
Why Controls Have Become Wasteful, a False Sense of Security and Dangerously Distracting (and How to Fix Them)
This article explores how, after a decade of rushing to create more internal controls over financial reporting and applying these concepts to other business areas, organizations are struck by high cost and how often controls do not catch problems as intended.