Nothing is superfluous within a COSO integrated internal control system


In an integrated internal control system nothing is superfluous. A COSO integrated system requires 3 layers: internal audit, internal control and hierarchical control.

The history of COSO helps explain that it was set up for external reasons. But, as explained at the heart of this blog, complying with SOX can bring much more. Indeed, it is a unique opportunity to bring more value to the company.

  • In 1985 the Treadway Commission laid a first layer by defining how to build and manage an efficient internal control system. It aimed at limiting the risk of failure and optimizing the efficiency of operations. The commission relied on a working group of representatives of large companies, audit firms and professional organizations, including the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA).
  • Later in 2002 major financial scandals occurred (Enron, WorldCom, etc.). In response, the US Congress promulgated the Sarbanes-Oxley Act (or SOX act). This law obliges publicly traded companies to evaluate their internal control. They must publish their findings in the statements requested by the Securities and Exchange Commission (SEC).
  • By further imposing the use of a conceptual framework, the “SOX act” favored the adoption of COSO as a reference.
Therefore this post is a good opportunity to recall the main principles of the 3-layer system defined by COSO.
  • The bottom first line of defense: operational staff who identify and control most risks through procedures and hierarchical controls.
  • The second line of defense: the system of internal control decided by the management of the entity. Its objective is to verify the effectiveness of the first line. It also verifies the compliance of all activities with major entity decisions and with country regulations. The first two lines must provide a comprehensive and autonomous system covering the main risks. This is key to delivering the entity’s performance.
  • The upper third line of defense: internal audit, standing outside of the entity. It provides the head of the Group with independent assurance of the effective implementation of the system.
To complement the definition of a COSO structure, let’s have a look at some useful terms:

The control environment is the set of standards, processes and structures that form the basis for the implementation of internal control throughout the organization.

A risk is defined as the possibility that an event will have an adverse impact on the achievement of the objectives. Of course, COSO advises considering those risks against tolerance thresholds. Small risks do not belong to the structured COSO system. Major risks are at the root of the regulations that introduced audit and internal control functions in large listed companies.

Control activities refer to actions providing reasonable assurance that management instructions to control risks are implemented.

The organization communicates internally the information necessary for the proper functioning of internal control, in particular information relating to the objectives and responsibilities of internal control.

The organization conducts evaluations to ensure that each of the five components of internal control and the principles associated with them are functioning.

This was the last post dedicated to operational management. Now let’s have a look at the posts dedicated to senior management: Efficient internal audit & control principles.

If you liked this blog, please leave a comment. I plan to consolidate all posts in a white paper: just let me know if you wish to receive it.

