Magazine article Government Finance Review

INTERNAL CONTROLS: That Was Then, This Is Now

Magazine article Government Finance Review

INTERNAL CONTROLS: That Was Then, This Is Now

Article excerpt

COSO Updates its 1992 Classic Internal Control-Integrated Framework

Originally issued in 1992, the COSO Internal ControlIntegrated Framework has been internationally recognized as the conceptual anchor any organization needs to develop a strong system of internal control. A proposed update, which should be finalized in early 2013, is expected to leave many of the frameworks timeless concepts untouched but add detail to address the changing environment. In applying this new framework, state and local governments should keep in mind the unique aspects of their operating environments, including political, legal and operational.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)' issued the original framework to provide guidance and thought leadership about what constituted good internal control within an organization. It has become a global resource, translated into seven languages. But no document can remain relevant without addressing the rapid changes occurring in organizations, including:

* Increasing expectations of strong governance and oversight.

* Globalization of markets and operations.

* Reliance on rapidly changing technology.

* Increasing complexity of rules, regulations, and standards.

* Increasing expectations for preventing and detecting fraud.

An effort began in 2011 to update the integrated framework, beginning with a survey of stakeholders, continuing with an exposure draft of proposed changes, and ultimately culminating in the proposed update, to be issued in early 2013. This article will discuss the original framework, the proposed changes, and areas state and local government should consider when applying the framework.


The beauty of COSO's integrated framework is its simplicity and how broadly it can be applied across organizations. Based on the belief that good internal controls are necessary for the long-term success of all organizations, COSO takes internal controls beyond the finance department and sets them squarely on the shoulders of every employee from the governing board down. If asked to name an internal control, most of us would probably say "segregation of duties." Few, if any, would go with "long-term strategic plan." However, given COSO's emphasis on organizational success and the tone at the top, one could argue that detailed controls within individual areas start with strategic goals from the governing board that define what success means for the organization. In other words, it's easy to develop controls to mitigate poor segregation of duties, but an organization that doesn't have a direction is a much harder problem to solve.

The original 1992 framework is best summarized by "the cube" shown in Exhibit 1.

In its simplest form, the framework consists of five elements designed to accomplish three basic categories of objectives. These elements and the related objectives span the entire organization, both in terms of departments and specific activities. COSO starts with the control environment, which is a function of many factors, but ultimately the responsibility and product of top management and the governing board. These individuals must set the tone, example, and expectations that will trickle down throughout the organization.

The organization needs to constantly assess the risks and challenges it faces. Just as most people wouldn't walk down a steep, rocky slope with their eyes closed, no organization should be blind to the potholes, rocks, and other hazards in its path. However, it doesn't do much good to be aware of hazards if you don't take appropriate actions to avoid, confront, or reduce them. Therefore, COSO creates a strong link between the risks identified and the control activities needed to address them. Controls vary significantly by the risk identified and the activity, area, and organization. There is no one right answer that can be applied to all organizations, and multiple approaches can often accomplish the same goal. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.