Introduction to Internal Controls

3. Internal control frameworks

Let’s consider for a moment a house that’s under construction - after the foundation is laid, the frame is built. In a modern home, this frame could be a network of 2”x4” or larger wooden boards that make up the house “skeleton.” Eventually, the wooden frame will be covered by walls, exterior siding, and other fixtures like lights, cabinets, and carpeting. Once the house is finished, the frame is virtually invisible, but the entire house would collapse without it.

An internal control framework is very similar to a house frame. It provides direction for a system of internal controls and guides management in the design of specific controls. Once the system is completed, you can’t necessarily see the control framework, but the individual controls you can see are supported by the framework. Although most control frameworks have a similar structure, individual frameworks might have a unique focus or purpose. Some of the more common frameworks you should be aware of are listed below:

  • The Treadway Commission’s Committee of Sponsoring Organizations framework (COSO) is a widely used framework in the corporate world (including the USA). Most of what you see in this tutorial is based on the COSO framework.
  • The Criteria of Control framework (COCO), introduced by the Canadian Institute of Chartered Accountants, is very similar to the COSO framework, although the organization of the framework’s principles is different.
  • As its name implies, the Control Objectives for Information and Related Technology framework (COBIT) focuses on controls over information technology.
  • The Basel Committee framework is used by financial institutions. Regulatory compliance is its main focus, although the five main components are analogous to the components found in the COSO framework.
  • The Standards for Internal Control in the U.S. Federal Government applies the broad concepts found in the COSO framework to government accounting and auditing in the United States.

4. Components of the COSO Framework

The principles of good internal control established by the Treadway Commission are organized into five broad components. As you read about these components, keep in mind that the system of internal control is more than just the actual controls - the framework itself is critical to the efficiency and effectiveness of those controls.

Control environment

The control environment provides context for the entire system. The principles that make up this component of internal control tend to relate to the entity as a whole. Does the entity have a company-wide code of ethics that is given to all new employees? Does the CEO have a “profit-at-all-cost” attitude? Does the CFO act with integrity and honesty? Does the company address individuals who steal assets? The answers to these questions (and others like them) define the “ceiling” for internal control effectiveness.

Here’s an example of a faulty control environment. Let’s say you are a loan underwriter, and it’s your job to approve loans submitted to you by front-line service representatives, the employees who collect information about the people who want to borrow from the company. Let’s also assume that the company’s written policy states that any loan greater than $4,000 must go through a more stringent income verification process. This is a well-designed control - it helps to protect the business from making too many bad loans. However, if your manager consistently tells you to skip the extra verification because it’s a waste of time and money and the CFO is breathing down his neck demanding extreme cost cuts, the written control is worthless because the control environment isn’t supporting the actual control.

Risk assessment

Businesses and the environments in which they operate change over time. What starts out in a basement could eventually become an international corporation worth billions of dollars. Even if a business stays the same throughout its lifetime, the economic and regulatory environment is virtually guaranteed to change at some point. Risk assessment policies and procedures help guide a company through changes in the internal and external business environment. In this context, a risk is any situation that can potentially challenge or threaten management’s business objectives. Some examples of events that can give rise to business risks are:

  • A competitor puts out a new product.
  • The Federal Reserve raises interest rates.
  • The company is switching to a new, more feature-rich brand of accounting software.
  • The company is opening a new branch next month.
  • New tax or other laws become effective in the country.

Notice that these events aren’t necessarily bad for the company. Corporate growth, for instance, is a desirable part of the business life cycle. The risk assessment process serves to identify relevant risks and to guide managers in responding to those risks. Consider the last example in the list above - if your company doesn’t properly identify and respond to the risk of running afoul of the new laws, the business could get slapped with a labor lawsuit in the future.

Control activities

The control activities component is made up of the actual internal controls established by the company. We’ll discuss specific controls later in the tutorial. For now, understand that all employees, from entry-level to the CEO, come in contact with internal controls, usually on a day-to-day basis.

Information and communication

This component comprises the different ways information is distributed in the organization. The controller or CFO might review detailed operating reports for the month, then send a summary report to the CEO, who in turn reviews the summary and communicates to employees any operating adjustments that need to be made for the next month. A company’s employee intranet can also be a good vehicle for communicating with the entire organization. In today’s business environment, with all the available technology, there is simply no excuse for a lack of communication in a business.


Monitoring activities

As we saw in the control environment component, a well-designed control does not guarantee control effectiveness, especially over a long period of time. Monitoring activities performed by upper management can assure them that the controls are still relevant and that they are functioning as intended. An internal audit department, for example, could report control issues to the CEO or the audit committee. In addition, external auditors are commonly used to verify that the internal control system is operating as it should.

