Primary navigation:

QFINANCE Quick Links
QFINANCE Topics
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Corporate Governance Checklists > Internal Control Frameworks: COSO, CoCo, and the UK Corporate Governance Code

Corporate Governance Checklists

Internal Control Frameworks: COSO, CoCo, and the UK Corporate Governance Code


You have recommended this article

Definition

In auditing and accounting, internal control is defined as a process that is designed to help an organization to accomplish specific goals or objectives.

Organizations can choose from a number of internal control frameworks. The “Internal control—Integrated framework” published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a widely used framework in the United States and around the world. It was initially published in 1992 “to address key challenges presented by an increasingly complex business environment and help organizations worldwide better assess, design, and manage internal control.” The COSO framework defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, that is designed to provide “reasonable assurance” regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations;

  • reliability of financial reporting;

  • compliance with applicable laws and regulations.

COSO describes internal control as consisting of five essential components. These components, which are subdivided into 17 factors, include:

The CoCo (criteria of control) framework was first published by the Canadian Institute of Chartered Accountants in 1995. This model builds on COSO and is thought by some to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization’s objectives, focus on:

  • effectiveness and efficiency of operations;

  • reliability of internal and external reporting;

  • compliance with applicable laws and regulations and internal policies.

CoCo indicates that control comprises: “Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.”

The UK Corporate Governance Code (formerly the Combined Code) was developed by the UK authorities in the early 1990s and last updated in 2010. The Code is principles-based and includes guidelines for best practice. All companies with a Premium Listing on the London Stock Exchange are required to report on how they have complied with the Code and to provide an explanation where they have not.

Back to top

Advantages

  • Effective internal controls provide a reasonable assurance, but not a guarantee, that an organization’s objectives will be met.

  • In a large organization, a focus on internal controls should encourage greater standardization of processes.

  • Implementing effective internal controls does not necessarily involve extra costs.

Back to top

Disadvantages

Back to top

Action Checklist

  • Check local legislation. In some countries effective internal control is mandatory, and failure to meet these requirements may result in penalties.

  • Establish a process for reporting internal control deficiencies, with serious matters reported immediately to top administration and governing boards.

Back to top

Dos and Don’ts

Do

  • Ensure that all personnel receive a clear message from top management that control responsibilities must be taken seriously.

  • Ensure that internal control systems are monitored through a process that assesses the quality of the system’s performance over time.

  • Be aware that internal control systems change over time, and the way in which controls are applied may evolve. Ensure that new personnel are fully trained in processes and that management knows whether the internal control system continues to be relevant and able to address new risks.

Don’t

  • Don’t forget that there is no such thing as a perfect control system.

Back to top

Further reading

Books:

  • Hall, James A. Accounting Information Systems. 6th ed. Mason, OH: South-Western Cengage Learning, 2008.
  • Leitch, Matthew. Intelligent Internal Control and Risk Management: Designing High-Performance Risk Control Systems. Aldershot, UK: Gower Publishing, 2008.
  • Moeller, Robert R. Sarbanes–Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL. Hoboken, NJ: Wiley, 2008.

Reports:

Websites:

  • Canadian Institute of Chartered Accountants (CICA): www.cica.ca
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org
  • Financial Reporting Council (FRC; UK): www.frc.org.uk
  • Institute of Internal Auditors (IIA): www.theiia.org

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share