The 17 COSO Internal Control Principles


CONTROL ENVIRONMENT PRINCIPLE 1: INTEGRITY AND ETHICAL VALUES

The first principle of the COSO control environment calls for an enterprise to demonstrate a
commitment to integrity and ethical values. Enterprise history and culture often play a major role
in forming this internal control environment. When an enterprise historically has had a strong
management emphasis on producing error-free products, when senior management continues to
emphasize the importance of high-quality products, and when this message is communicated to
all levels, this becomes a major enterprise control environment factor. The messages from the
CEO or other very senior managers are known as the tone at the top: management’s messages
to all stakeholders. The message from the top should be more than just “we will comply with the
law” types of statements. The messages should be far broader and emphasize that an enterprise is
committed to the highest ethical standards in every aspect of its business, not just in compliance
but also in its business, sales, legal counseling, and human resources practices and in its
treatment of employees and customers.

CONTROL ENVIRONMENT PRINCIPLE 2: ROLE OF THE BOARD OF DIRECTORS

An independent board must have a close relationship with senior management to ensure
effective and successful enterprise operations and a strong internal control environment. The
board of directors and its audit committee should identify and understand the expectations of
stakeholders, including customers, employees, investors, and the general public, as well as
enterprise legal and regulatory requirements. These expectations should help shape the objectives
of the enterprise and the oversight responsibilities of the board. The following board of directors’
activities may assist management in determining whether this COSO control environment
principle is present and functioning:
• Establish oversight responsibilities.
• Apply relevant expertise.
• Operate independently.
• Provide oversight for the system of internal controls.

CONTROL ENVIRONMENT PRINCIPLE 3: AUTHORITY AND RESPONSIBILITY NEEDS

Management should establish, with appropriate board oversight, structures, reporting lines,
and appropriate authorities and responsibilities in the pursuit of its internal control objectives.
There should be an organizational structure in place to plan, execute, control, and periodically
assess the activities of the overall enterprise. This control environment goal is to provide for
clear accountability and information flows within and across the overall enterprise and all of its
subunits. In order to determine that this enterprise internal control principle is functioning,
management and the board of directors should consider the multiple operating units, legal
entities, geographical locations, and outsourced service providers in the enterprise to support the
achievement of these internal control objectives.

CONTROL ENVIRONMENT PRINCIPLE 4: COMMITMENT TO A COMPETENT WORKFORCE

This COSO principle goes somewhat further on individual competence issues than does the typical
enterprise human resources function today, which is often more wrapped up in such matters as
diversity issues than in concerns with employee skills. This control environment principle calls
for enterprises to define the competence requirements needed to support the achievement of
their internal control objectives, with consideration given to:
• Knowledge, skills, and experience needs
• The nature and degree of judgment and the limitations of authority to be applied to specific
positions
• Cost-benefit analyses of different levels of skills and experience
• Trade-offs between the extent of supervision and the requisite competence levels of
individual employees

CONTROL ENVIRONMENT PRINCIPLE 5: HOLDING PEOPLE ACCOUNTABLE

Management and the board of directors should establish the mechanisms to communicate
and hold individuals accountable for the performance of internal control responsibilities across
the organization and implement corrective action as necessary. As part of this they should
establish performance measures, incentives, and other rewards appropriate for responsibilities at
all levels of the entity, reflecting appropriate dimensions of performance and expected standards
of conduct and performance. Accountability for internal control is interconnected with
leadership, and tone-at-the-top leadership messages as well as related management messages
throughout the enterprise should be strong where internal control responsibilities are understood,
carried out, and reinforced.

RISK ASSESSMENT PRINCIPLE 6: SPECIFYING APPROPRIATE OBJECTIVES

Risk assessment, a key element in the COSO internal control framework, is defined here as
the possibility that an event may occur that will adversely affect the achievement of some
enterprise objective. The management of internal control risks affects an enterprise’s ability to
succeed, compete effectively in its industry, maintain its financial strength and positive
reputation, and maintain the overall quality of its products, services, and people. There are
always some risks in any business activity and there is no practical way to reduce all of them.
Management, however, must determine how much risk is to be prudently accepted and strive to
maintain risk within these limits, understanding how much tolerance it has for exceeding its
target risk levels.

RISK ASSESSMENT PRINCIPLE 7: IDENTIFYING AND ANALYZING RISKS

Enterprise management, with the support of internal audit, should endeavor to identify all
possible internal control risks that may impact an enterprise, ranging from the larger or more
significant risks down to the smaller risks associated with individual projects or smaller
business units. While COSO’s focus is on external financial reporting, the risk identification
process should occur at multiple levels in an enterprise. A risk that impacts an individual
business unit or project may have little impact on the entire enterprise or beyond.
COSO’s risk identification and analysis principle calls for the consideration of all risks within an
enterprise, including its subunits and operational functions, such as finance, human resources,
marketing, production, purchasing, and IT management. In addition, this process should consider
internal and external risks originating from outsourced service providers, key suppliers, and
channel partners that directly or indirectly impact an enterprise’s achievement of objectives.

RISK ASSESSMENT PRINCIPLE 8: EVALUATING FRAUD RISKS

A fraud risk assessment is a process that an enterprise should utilize to determine its exposure
to internal and external fraud. The assessment should review operations and controls, including
policies and procedures, to determine where gaps exist that could allow a person or group of
persons to carry out a fraud against the enterprise. A fraud risk assessment should then look at
key areas of the enterprise to determine if actions have been taken that would alert management
to a fraud or effectively deter the execution of a fraud.

RISK ASSESSMENT PRINCIPLE 9: IDENTIFYING CHANGES AFFECTING INTERNAL CONTROLS

Risk assessment principles are of little value if an enterprise goes through an extensive
analysis to identify risks but then does essentially nothing to take action to mitigate the identified
risks. This really calls for a risk response plan, which is the final principle for COSO internal
controls risk assessment:

Identify and analyze changes that could significantly affect internal controls.

Enterprises should develop risk management strategies as part of their risk management
processes. Risk management strategies address how an enterprise intends to assess identified
risks, plan responses, and monitor those risks—making explicit and transparent the risk
perceptions that an enterprise routinely uses in making both investment and operational
decisions. Risk identification and analysis strategies are a key part of enterprise risk
management. Response strategies are a key component of COSO internal controls. Once the
potential significance of risks has been assessed, management should consider how those risks
should be managed. This often involves judgments based on assumptions about the risk and a
reasonable analysis of the costs associated with reducing the levels of risk.

CONTROL ACTIVITIES PRINCIPLE 10: SELECTING CONTROL ACTIVITIES THAT MITIGATE RISKS

This important COSO control activity principle states that, as part of its overall internal
control environment, an enterprise should select and develop control activities that contribute to
mitigating the internal control risks to the achievement of its objectives to acceptable levels.
Control activities include actions that ensure that responses to assessed risks, as well as other
management directives—such as establishing an enterprise code of ethics—are carried out
properly and in a timely manner.

CONTROL ACTIVITIES PRINCIPLE 11: SELECTING AND DEVELOPING TECHNOLOGY CONTROLS

COSO uses the term technology in this principle, and it could include such areas as
manufacturing robotics, pharmaceutical testing instruments, and the development of
consumer-oriented electronic video products. All of these technology products and more go
beyond what we normally call IT systems, and many of their internal control concerns and
issues are really outside the range of many internal auditors. Given space limitations here,
where COSO references technology controls, we will be referring to IT systems application
and general controls. There are many different types of technical-, management-, and
governance-related IT controls, covering everything from high-level management IT policies
to control processes for specific applications, including those running on handheld devices.

CONTROL ACTIVITIES PRINCIPLE 12: POLICIES AND PROCEDURES

A policy should be more than just the CEO saying he or she generally wants to do something
or take some action without any more specific details. In going through a formal review and
approval process, an enterprise should publish statements outlining management’s intention to
implement some policy or take some action. Often published on a customer service database,
enterprise-published policies should have the following elements:

• Policy purpose. There should be a high-level statement outlining the intent or high-level
objectives of the policy.
• Location and applicability. There should be a definition of whether the policy applies
only to some units or is global.
• Roles and responsibilities. Descriptions should include everyone involved in the policy.

INFORMATION AND COMMUNICATION PRINCIPLE 13: USING RELEVANT, QUALITY INFORMATION

An enterprise should obtain and use relevant, quality information to support the functioning
of its internal control components. Information is necessary for an enterprise to carry out its
internal control responsibilities in support of the achievement of objectives. Obtaining relevant
information, as defined in the COSO guidance materials, requires management to identify and
define information requirements at a strong level of detail and specificity. Identifying
information requirements is an iterative and ongoing process that occurs throughout the
performance of an effective internal control system. Information requirements are established
through activities performed in support of the other internal control elements or components.
These requirements facilitate and direct management and other personnel to identify relevant and
reliable sources of information and underlying data.

INFORMATION AND COMMUNICATION PRINCIPLE 14: INTERNAL COMMUNICATION

An enterprise should internally communicate internal control information, including its
objectives and responsibilities, to support the functioning of other components of internal
control. Endorsed by senior management, this communication of information should be
conveyed to all elements across an enterprise and include:

• The importance, relevance, and benefits of effective internal controls
• The roles and responsibilities of management and other personnel in performing those
internal control processes
• The expectation that the enterprise communicate up, down, and across any matters of
significance relating to internal control, including instances of weakness, deterioration, or
nonadherence

An enterprise should establish and implement policies and procedures that facilitate
effective internal communication. This includes specific and directed communication that
addresses individual authorities, responsibilities, and standards of conduct across the
enterprise.

INFORMATION AND COMMUNICATION PRINCIPLE 15: EXTERNAL COMMUNICATIONS

Under this important COSO principle, an enterprise should establish and implement policies and
procedures that facilitate effective external communication. This includes mechanisms to obtain
or receive information from external parties and to share that information internally, allowing
management and other personnel to identify trends, events, or circumstances that may impact
their achievement of internal control objectives. Communication with external parties allows
others to readily understand events, activities, and other circumstances that may affect how they
should interact with an enterprise. Management’s communication to external parties should send
a message about the importance of internal controls in the enterprise by demonstrating open lines
of communication. Communication to external suppliers and customers is critical for establishing
an appropriate control environment and to help these external parties understand an enterprise’s
values and culture.

MONITORING PRINCIPLE 16: INTERNAL CONTROL EVALUATIONS

Monitoring activities assess whether COSO’s internal control objectives are present and
functioning. An enterprise should use ongoing and separate evaluation processes to ascertain
whether established internal control principles, both across the enterprise and its subunits, are in
effect, present, and functioning. Monitoring is a key factor in an assessment of the effectiveness
of internal controls. An enterprise, often with the support of internal audit, should conduct
ongoing control monitoring activities and identify and communicate any known internal control
deficiencies in a full circle of internal control processes. The idea here is that an enterprise
should go through each of the COSO control components, and as this cycle moves to monitoring
activities, they act as a review factor over all other internal control components. As a key control
principle, an enterprise should select, develop, and perform ongoing and/or separate evaluations
to monitor or ascertain whether its internal control components are present and functioning.

MONITORING PRINCIPLE 17: COMMUNICATING INTERNAL CONTROL DEFICIENCIES

An enterprise should communicate its internal control deficiencies in a timely manner to all
parties responsible for taking corrective actions, including senior management and the board of
directors. The enterprise should identify monitoring-related matters worthy of attention that
represent either potential or real shortcomings in some aspect of the enterprise’s system of internal
controls and that have the potential to adversely affect the ability of the enterprise to achieve its
objectives. In addition, an enterprise should strive to identify opportunities to improve the
efficiency of its internal controls. The results of ongoing and separate monitoring evaluations
should be assessed against management’s criteria to determine to whom to report and what is to
be discussed, and all identified internal control deficiencies should be communicated to those
members of the enterprise management in positions to take timely corrective actions. After any
identified deficiencies are evaluated, management should determine that remediation efforts are
conducted on a timely basis.
