Guidance
Internal Control - Integrated Framework
Effective internal controls are good for business. This is perhaps an interesting way to introduce the purpose of this thought paper, but, as its authors, our collective knowledge is very straightforward in this regard. Internal controls have value beyond compliance and external financial reporting. Effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.
​
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, originally issued in 1992 and refreshed in 2013 (ICIF-2013 or Framework), was developed as guidance to help improve confidence in all types of data and information.
​
In 2023 COSO issued supplemental guidance for organizations to achieve effective internal control over sustainability reporting (ICSR), using the globally recognized COSO Internal Control-Integrated Framework (ICIF).
Internal Controls Documents
Achieving Effective Internal Control Over Sustainability Reporting (ICSR)
Building Trust and Confidence through the COSO Internal Control—Integrated Framework addresses the topic of how to support the implementation of sustainability throughout an organization. It is designed for organizations to achieve effective internal control over sustainability
reporting (ICSR), using the globally recognized COSO Internal Control-Integrated Framework (ICIF). Its use is intended to build trust and confidence in ESG/sustainability reporting, public disclosures, and enterprise decision-making.
Appointment of Sub-Committees/Task Forces
​The 2013 Framework is expected to help​​ organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control.
COSO has also issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. The Illustrative Tools are expected to assist users when assessing whether a system of internal control meets the requirements set forth in the updated Framework. The ICEFR Compendium is particularly relevant to those who prepare financial statements for external purposes based upon requirements set forth in the updated Framework.
Purchase Options
Internal Control — I​​ntegrat​ed Framework (1992)
Produced after the release of the Treadway Commission’s recommendations, this document provides principles-based guidance for designing and implementing effective internal controls. COSO developed the framework in response to senior executives’ need for effective ways to better control their enterprises and to help ensure that organizational objectives related to operations, reporting, and compliance are achieved. This framework has become the most widely used internal control framework in the U.S. and has been adapted or adopted by numerous countries and businesses around the world. On December 15, 2014 this framework was superseded by the 2013 Internal Control — Integrated Framework.
​Guidance on Monitoring Internal Contro​​l Systems (2009)
Effective monitoring of internal control is one of the five components of effective internal control delineated in COSO's Internal Control — Integrated Framework. COSO has developed detailed interpretative guidance that will help organizations monitor the quality of their internal control systems. Learn more about guidance on monitoring​.
Internal Control over Financial Reporting — Guidance for Smaller Public Companies (20​​06)
This document contains guidance targeted towards smaller public companies, to help them apply concepts in the 1992 Internal Control — Integrated Framework. The guidance demonstrates the applicability of those concepts to help smaller public companies design and implement internal controls to support the achievement of financial reporting objectives. It highlights 20 key principles of the 1992 framework, providing a principles-based approach to internal control. While targeted toward smaller public companies, the 2006 guidance applies to entities of all sizes and types. On December 15, 2014, this guidance was superseded by the 2013 Internal Control — Integrated Framework, Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples.
Internal Control Issues in Derivativ​​es Usage (1996)
This guidance was issued in response to derivatives-related problems in recent years, many of which resulted from misunderstanding their risks and their use for risk management purposes. The document provided best-practice guidance for the development of internal controls related to derivative activities. This document was discontinued on December 15, 2014.
Internal Control Implementation Guidance
Blockchain and Internal Control: The COSO Perspective (2020)
As blockchain becomes mainstream, it is appropriate to focus on how this technology intersects with an entity’s internal control. With careful implementation and integration, the distinctive capabilities of blockchain can be leveraged to create more robust controls for organizations. Blockchain-enhanced tools also have the potential to promote operational efficiency and effectiveness, improve reliability and responsiveness of financial and other reporting, and elevate compliance with laws and regulations. But blockchain also creates new risks and the need for new controls. This guidance provides perspectives for using Internal Control — Integrated Framework (2013) to evaluate risks related to the use of blockchain in the context of financial reporting and to design and implement controls to address such risks. It is intended to help inform decisions regarding oversight, risks, and internal control over financial reporting (ICFR). The paper also should be of value to the various stakeholders involved in financial reporting, within the context of their own environments.
Implementation Guide for the Healthcare Provider Industry (2019)
Amid heightened scrutiny and ever-increasing complexities in operations and regulation, healthcare organizations face unique challenges related to the design and operation of internal controls. In response, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in collaboration with Crowe LLP and CommonSpirit Health, has published new guidance: “2013 COSO Integrated Framework: An Implementation Guide for the Healthcare Provider Industry.” Healthcare organizations experience issues with system access and integrity, clinical documentation, coding, and billing, all of which may result in potential noncompliance with federal and state regulations – and costly mistakes. The guide introduces healthcare organizations to COSO’s widely used “Internal Control – Integrated Framework,” and provides a roadmap to implementation to help strengthen their overall governance and internal control structures.
Internal Control Th​​ou​​​​​gh​​​​​t Papers
Leveraging COSO Acro​​ss the Three Lines of Defense
In this paper, authors Douglas J. Anderson and Gina Eubanks make a strong case for using the Three Lines of Defense Model, which addresses how specific duties related to risk and control should be assigned and coordinated.
The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition (2013)​
COSO has issued an article aimed at assisting public companies comply with Section 404 of the U.S. Sarbanes-Oxley Act of 2002. The article outlines an example of one approach to transitioning to COSO’s 2013 Internal Control — Integrate​d Framework from the original framework published in 1992.​