KnowledgeLeader provides best practice articles, tools, guides, and links to resources on the COSO Internal Control Framework. This page contains some examples of the many resources and tools on the COSO Internal Control Framework that are available.
SOX 404 Program Executive Scorecard Template - Sample
This SOX 404 checklist serves as a template to use when developing an executive report communicating the progress of the SOX 404 program. The SOX 404 template provides an outline of information to use in this reporting process.
Staying Focused on Core Business Issues Amid Corporate Governance Compliance – Questionnaire
Companies address a myriad of new corporate governance requirements established by U.S. Congress, the exchanges and regulators. While meeting these requirements, it is equally imperative to address the core business and profitability issues facing the organization, particularly in today’s increasingly demanding global marketplace. This corporate governance questionnaire addresses questions focused on balancing corporate governance and business operational demands.
Risk Assessment Audit Work Program
This risk assessment audit work program focuses on the risk assessment component of the COSO framework. Sample scenarios covered in this work program include: management does not have a business planning process in place that examines existing objectives and establishes new objectives when necessary; senior management does not develop plans to mitigate significant identified risks; and changes in risks are not identified in a timely manner.
Financial Institution Security Audit Work Program
This Financial Institution Security work program is an aid to assess the quantity of risk and the effectiveness of a financial institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information, instilling accountability for actions taken on the institution’s systems.
ERM Concepts, Process and Objectives – Guide
This enterprise risk management presentation defines risk management (what it is, and what it is not). Furthermore, it outlines a five-part risk management framework: Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, and Treat Risks.
Enterprise Assessment and Monitoring Procedures
The purpose of this document is to develop a consistent process for scheduling and managing IT security assessment processes. The general steps outlined provide a process for conducting various types of assessments, as well as guidelines for monitoring of security compliance within the computer system and network environments.
Cash Compliance Audit Work Program
This cash compliance work program covers existence, accuracy, and cut-off of cash balances.
Building a Compliance Program in Higher Education Institutions Without Compliance Officers
Since the governance structure in higher education is often decentralized, with no central person or program overseeing compliance; it can be difficult to know who is responsible for ensuring compliance for all the disparate areas throughout the university. This is an excellent rationale for the IA function to drive the establishment of an institutional compliance program.
Audit Planning – Project Checklist
The purpose of this audit planning checklist is to assist a project team in ensuring that the administrative elements of an audit project are completed in accordance with company requirements. This audit planning checklist covers topics such as scope of project, setting project expectations, and determining which audit tools to use on the project.
Audit Plan Schedule Template
This audit plan schedule template can be used by the audit team when planning and scheduling specific audits. The audit plan schedule template allows users to organize audits by process and location while assigning hours to specific dates throughout the year.
Accounting Reconciliation Audit Work Program
The objective of this accounting reconciliation work program is to assess whether accounting reconciliations are performed accurately and discrepancies are reconciled.
Assessing Risks and Internal Controls: A Training Presentation
As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity. The appendix of the presentation defines the components of COSO.
COSO Element – Risk Assessment: A Presentation
Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on the COSO framework. This risk assessment presentation defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.
COSO ERM Diagnostic Questionnaire
This COSO questionnaire can be used in assessing the effectiveness of a company’s enterprise risk management process. This COSO questionnaire is organized by the eight components of the COSO ERM Framework, and users are prompted to assess senior management’s effectiveness in performing the key elements of the eight components, and whether or not the activities are integrated into a continuous process.
COSO Framework Description
This COSO framework guide provides a brief description of the COSO framework.
COSO Implementation: A Risk-Based Approach
This COSO implementation presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies who are implementing COSO concepts.
COSO Internal Control Framework Overview Presentation
This COSO internal control framework presentation explains the key parts of the COSO framework, in particular, the objectives and components of COSO. It also defines and explains 'internal control,' 'internal control deficiency,' and 'material weakness' based on the COSO framework.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This control environment questionnaire provides a number of COSO elements and the related control objectives for entity-level controls. The control environment questionnaire has been updated to address topics such as management monitoring departures from established policies and procedures, and the compensation committee approving all management incentive plans tied to performance.
Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This fraud questionnaire links the COSO components to a number of control objectives for entity-level fraud controls. Within the fraud questionnaire, you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity Level Controls - Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This monitoring questionnaire provides a number of COSO elements and the related control objectives for entity-level controls. Within the monitoring questionnaire, you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Information and Communication Questionnaire
Information and communication is the component of internal control that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. This information and communication questionnaire provides a number of COSO elements and the related control objectives for entity-level controls. Within the information and communication questionnaire, you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives and objectives related to the preparation of reliable financial statements. This risk assessment questionnaire provides a number of COSO elements and the related control objectives for entity level controls. Within the risk assessment questionnaire, you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Documentation Request Checklist
The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols, and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation that supports that these entity level controls are in place. This entity level documentation request checklist provides a template in which to track the availability and status of such entity-level control documentation.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This IT general controls questionnaire provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies. This IT general controls questionnaire has been updated with topics focused on IT strategic planning; acquire or develop application software; manage changes; and define and manage service levels.
ITIL/COBIT Incident Management Checklist
This is the first of two incident management checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 – Manage Problems and Incidents, identifies objectives for managing problems and incidents. The specific objectives listed in this incident management checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. The first incident management checklist deals with incident management.
ITIL/COBIT Problem Management Checklist
This is the second of two ITIL/COBIT problem management checklists that can be used to ensure that all non-standard operational events (incidents, errors and problems) are identified, recorded, analyzed and resolved through the use of a suitable problem management system. COBIT Delivery Standard 10 – Manage Problems and Incidents, identifies objectives for managing problems and incidents. The specific objectives listed in this ITIL/COBIT problem management checklist can be mapped onto relevant IT Infrastructure Library (ITIL) activities. The second ITIL/COBIT problem management checklist deals with problem management.
Using Risk Management Frameworks
This risk management framework presentation defines and describes various types of internal controls. Then, it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.
Vice President, Chief Compliance Officer Job Description
The Vice President, Chief Compliance Officer Job Description serves as a sample job description for the appointment of a Chief Compliance Officer. It outlines the responsibilities, duties and a basic description about the job.
Regulatory Intelligence: Leveraging Technology to Maintain Compliance Efficiently and Effectively
Regulatory compliance ranks among the top challenges for organizations today. Whether it is Sarbanes-Oxley, corruption or the countless financial regulations that are in the process of being reformed worldwide, companies have seemingly countless laws and requirements they must comply with or face severe penalties. They also face the challenge of doing so without crippling their revenues and profits. In this episode, Protiviti Managing Director Scott Gracyalny talks about the importance of regulatory intelligence and leveraging technology to achieve compliance efficiently and accurately.
Making Your Risk Assessments Count: A Strategic Perspective
A common question we often hear from senior executives and directors when a company completes a risk assessment is, “How do we know we have a full picture of the risks that matter?” And a common observation voiced is, “The risk assessment process doesn’t tell me anything that I don’t already know.” This issue of The Bulletin discusses the risk assessment process, including why traditional approaches aren’t meeting expectations and what can be done differently to increase management’s confidence in the process going forward.
ITIL Glossary Terms & Acronyms
ITIL® is a consistent and comprehensive documentation of best practice for IT Service Management. This guide provides definitions to commonly used ITIL acronyms and terms.
How to Audit Compliance in the Financial Services Industry: A Primer
Anyone who has been involved in compliance management for the financial services industry over the last decade or more has seen expectations regarding the role and responsibilities of the Compliance function continue to evolve with increased responsibility. As the requirements and expectations for compliance management have changed, so too have the expectations for how Compliance should be audited. Any discussion about how to audit Compliance should begin with the premise that Compliance is, or should be, an auditable area.
Exception Management Explained
The growing need for “exception management” capabilities among organizations of all sizes stems from a steady flow of new regulatory compliance and risk management requirements in recent years. These requirements force process owners to incorporate more rigorous compliance and risk-monitoring into their activities. This need, combined with the evolution of business analysis requirements, has given rise to continuous auditing and continuous monitoring, particularly at companies committed to getting the most valuable bang for their internal audit buck.
Enterprise Risk Management and Board Risk Oversight – A Tale of Two Surveys from COSO
This podcast reviews the results of two just-released research studies from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). One, which COSO commissioned Protiviti to conduct, offers a look at where boards of directors currently stand in executing their risk oversight responsibilities. The second, conducted by the Enterprise Risk Management Initiative at North Carolina State University, assesses the current state of enterprise risk oversight and market perceptions of COSO’s ERM Framework.
The Current State of Board Risk Oversight
Risk oversight is a high priority on the agenda of most boards of directors. To develop deeper knowledge of the risk oversight process as it is applied by today’s boards of directors, and to understand both the current state and desired future state of board risk oversight as viewed by directors, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey regarding the right oversight responsibilities of the board of directors and how those responsibilities are being performed. This issue of The Bulletin highlights the findings and recommendations of that survey.
Conducting Risk Assessments
This section of Protiviti's "Guide to Enterprise Risk Management: Frequently Asked Questions" addresses common questions about conducting risk assessments. Topics covered include: What is the relationship between risk assessment and risk management? What is the relationship between risk assessment and performance assessment? And, what is the appropriate level of depth when assessing risk?
The COSO Enterprise Risk Management – Integrated Framework
This section of Protiviti's "Guide to Enterprise Risk Management: Frequently Asked Questions" addresses common questions about the COSO ERM framework. Topics covered include: What is the COSO Enterprise Risk Management – Integrated Framework? Does the new COSO framework broaden the focus of ERM beyond the traditional risk management model’s focus on insurable risk? If so, how? And, what are the deliverables when the COSO ERM framework is implemented?
Close the Books Audit Work Program (Sample 2)
The preface to this sample audit program discusses general audit procedures, other considerations, and management controls to review in auditing the close the books process.
An Overview of the COSO Internal Control – Integrated Framework
This COSO training presentation from Protiviti provides an introduction to the Internal Control -- Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity and activity level assessments, and limitations on internal control.
The COSO Internal Control – Integrated Framework
This section of Protiviti's "Guide to The Sarbanes-Oxley Act" addresses common questions concerning the COSO Internal Control – Integrated Framework. Some topics covered are: What is COSO? How is the framework applied at the entity level/process level during the Section 404 assessment process? And, will the COSO framework on ERM affect the Section 404 assessment?
Enterprise Risk Management: Practical Implementation Ideas
It has become clear that traditional risk management approaches do not adequately identify, evaluate, and manage risk. Protiviti’s Jim DeLoach discusses how ERM transforms risk management to a proactive, continuous, and process-driven activity. Additionally, he offers practical ideas on how to implement ERM within an organization. These include articulating a risk management vision, using the capability maturity model, evaluating the existing risk management structure, and selecting the enterprise’s priority risks.
The Process of Internal Auditing
This third section of Protiviti's "Guide to Internal Audit" addresses commonly asked questions concerning the process of internal auditing. Some of the topics covered are: How is internal audit work actually performed? What types of IT audit skills should be included in an internal audit department? What is control self-assessment? And, are internal auditors required to follow COSO?
IT Governance Institute (ITGI)
To achieve success in this information economy, governance of IT is a critical facet of enterprise governance. The IT Governance Institute (ITGI) exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, it delivers value, its performance is measured, its resources properly allocated and its risks mitigated. Through original research, symposia and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.
Committee of Sponsoring Organizations
This website provides background on COSO, its member organizations, conferences, and its articles and publications.
To purchase a copy of the report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO) visit the CPA2Biz website. Other COSO resources and training materials are also available.
Internal Control Checklist
An effective internal control system enables you to manage significant risks and monitor the reliability and integrity of financial and operating information. It also ensures that the audit committee acts as a powerful and proactive agent for corporate self-regulation. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the following questions to help senior executives and directors gain a better understanding of their organizations control systems. Source: AICPA.org
Struggling to incorporate the COSO recommendations into your audit process? Here's one audit shop's winning strategy.
This article from the COSO website describes how The Boeing Company adopted the COSO principles partly as the basis for its internal control policies and procedures. As a result, our internal audit department began to rate the quality of internal controls covered in each audit. We soon discovered that incorporating these standards into actual practice proved challenging. Published by the Institute of Internal Auditors.