Common Internal Control Frameworks
1. COSO Internal Control–Integrated Framework (The Committee of Sponsoring Organizations of the Treadway Commission’s internal control framework)
- COSO’s Internal Control – Integrated Framework was introduced in 1992 as guidance on how to establish better controls so companies can achieve their objectives with minimal surprises.
- COSO categorizes entity-level objectives into operations, financial reporting, and compliance. The revised 2013 framework includes 17 basic principles representing the fundamental concepts associated with its five components: control environment, risk assessment, control activities, information and communication, and monitoring.
- Some of the principles include key elements for compliance, such as integrity and ethical values, authorities and responsibilities, policies and procedures, and reporting deficiencies.
2. CoCo: Criteria of Control Framework (Canadian Institute of Chartered Accountants’ internal control framework)
- CoCo was first published in 1995 with the objective of improving organizational performance and decision-making with better controls, risk management, and corporate governance.
- The framework includes 20 criteria for effective control in four areas of an organization: purpose (direction), commitment (identity and values), capability (competence), and monitoring and learning (evolution).
3. Basel Model (The Basel Committee on Banking Supervision’s Framework for Internal Control Systems)
- The Basel Committee on Banking Supervision, which includes supervisory authorities from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Sweden, Switzerland, the United Kingdom, and the United States, introduced the Framework for Internal Control Systems in 1998. Regulatory compliance is an integral part of the framework.
- The five elements of internal control are: management oversight and control culture, risk recognition and assessment, control activities and segregation of duties, information and communication, and monitoring activities and correcting deficiencies.
- The effective functioning of these five elements is key to an organization achieving its performance, information, and compliance objectives.
4. COBIT: Control Objectives for Information and Related Technology (Information Systems Audit and Control Association’s IT Governance framework)
- COBIT is an internationally accepted controls-based framework for IT governance that was first released by ISACA in 1996.
- COBIT has 34 high-level processes that cover 210 control objectives categorized in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.
- The framework guides an organization on how to use its IT resources (i.e., applications, information, infrastructure, and people) to manage IT domains, processes, and activities so that they meet business requirements, which include compliance, effectiveness, efficiency, confidentiality, integrity, availability, and reliability. Well-governed IT practices can assist businesses in complying with laws, regulations, and contractual arrangements.
5. ISO: International Organization for Standardization
- ISO has developed more than 16,000 international standards for stakeholders such as industry and trade associations, science and academia, consumers and consumer associations, governments and regulators, and societal and other interest groups.
- The ISO 9000 series focuses on quality management systems, including ensuring controls are in place to comply with applicable regulatory requirements.
- The ISO 14000 series focuses on environmental management systems, including complying with applicable environmental regulatory requirements.
- The ISO 27000 series focuses on information security management systems. The 27000 series helps organizations establish information security standards that meet business needs while ensuring compliance with regulatory and contractual requirements.