Internal controls are policies, procedures, and technical safeguards that protect an organization's assets by preventing errors and inappropriate actions. These controls fall into three broad categories: detective (to detect errors or irregularities), preventative (to prevent undesirable events from occurring), and corrective (to correct issues and prevent future errors or irregularities). When followed consistently, these internal controls help protect organizations from costly mistakes, fraud, and inaccurate reporting of financial results.
This article provides a comprehensive summary of the steps involved in implementing the COSO Internal Control Integrated Framework, which has become the authoritative standard across the globe. Implementing COSO is required for public companies that must comply with SOX regulations, and following its guidance is recommended for any organization, public or private, large or small. The article includes a downloadable tool any organization can use to map out the five COSO Framework components and their 17 underlying principles. The article and tool cover details of the COSO components, principles, and points of focus, as well as a worksheet to help you map your entity-level controls (ELCs) and identify any gaps.
Why it Matters
In a highly automated, globally connected world, your organization cannot rely solely on employees, even your most reliable ones, to manage risk. No matter how excellent those employees may be, the sources of fraud, waste, and error are too complex and interconnected to be managed without a reliable system of internal control. Instituting a set of top-down, organization-wide (usually called “entity-level”) controls, or ELCs, is a best practice for any effectively governed organization, whether it’s a public or private company, government agency, or not-for-profit organization. Whether required or not, ELCs can provide a foundation for effective governance over financial statement risk and for the processes that mitigate those risks. ELCs also set the tone for ethical behavior and business conduct, providing a means of holding employees and third parties accountable for their actions.