slider area




Struggling to incorporate the COSO recommendations into your audit process? Here's one audit shop's winning strategy.

Following the report’s publication, The Boeing Company adopted the COSO principles partly as the basis for its internal control policies and procedures. As a result, our internal audit department began to rate the quality of internal controls covered in each audit. We soon discovered that incorporating these standards into actual practice proved challenging.

"Putting COSO Theory into Practice." Tone at the Top, The Institute of Internal Auditors, November 2005 (PDF)

"Bringing ERM into Focus." Christy Chapman, Internal Auditor, June 2003

"Managing Risk from the Mailroom to the Boardroom," Tone at theTop, The Institute of Internal Auditors, June 2003 (PDF)

"What is COSO? Defining the Alliance that Defined Internal Control,"
by Financial Executives Research Foundation, April 2003

"COSO Launches New Study to Provide Guidance on Assessing and Managing Enterprise Risks," American Accounting Association, January 2002

"Beyond Traditional Audit Techniques," Paul E. Lindow and Jill D. Race, Journal of Accountancy, July 2002

"Does Your Control System Pass the COSO Test?" Tone at the Top, The Institute of Internal Auditors, March 1998. (PDF)

"COSO Based Auditing," by Mark R. Simmons, The Internal Auditor, December 1997


What is internal control?

COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

  1. Internal control is a process. It is a means to an end, not an end in itself.
  2. Internal control is not merely documented by policy manuals and forms. Rather, it is put in by people at every level of an organization.
  3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.