Five Components of Internal Control under the COSO Framework

For companies to be profitable, they need their processes to run as efficiently and effectively as possible. For obvious reasons, planning how companies perform these processes play a fundamental role in ensuring profitability. However, just planning out their processes does not suffice. Companies must also have systems to ensure their processes run according to the set plans. Therefore, these companies must have a system for internal controls.

What is Internal Control?

Internal controls are the processes and procedures implemented by a company to ensure the effective and efficient running of its operations. The primary purpose of internal controls is to detect and prevent fraud and error in a company. However, it may also have many other purposes. In the modern world, almost all companies around the world have a system of internal controls for its operations.

For some companies, such as those with public-listed status, internal controls are statutory. Similarly, some other jurisdictions may set laws and regulations based on which companies must establish a system of internal controls. However, that does not mean other companies cannot have internal control systems. Companies that are exempt from statutory requirements can still adopt internal controls voluntarily.

Objectives of Internal Control

The objectives of internal control are to detect and prevent any frauds or errors in its processes. However, more importantly, the objectives of internal control consist of the following.

  • Safeguard the assets of a company.
  • Prevent and detect fraud and error.
  • Ensure orderly and efficient conduct of business, including following its internal policies.
  • Ensure the accuracy and completeness of internal accounting records.
  • Ensure timely preparation of financial information.
  • Ensure the high quality of both internal and external reporting.
  • Ensure compliance with any applicable laws and regulations/

An effective internal control system will meet all the requirements above. While the above objectives should cover almost all aspects of internal controls, they do not represent an exclusive list. Therefore, depending on a company’s requirements, the objectives of internal controls may differ.

What are the Five Components of Internal Control under the COSO Framework?

The five components of internal control refer to the elements set by the COSO framework. The Committee of Sponsoring Organizations (COSO) was established in 1985 to sponsor the national commission on fraudulent reporting. Today, the committee provides and produces guidance for companies around the world regarding the implementation of internal control systems.

The COSO framework identifies five components of internal controls that ensure proper controls in any business. These five components of the framework are helpful in the review of the internal control systems of an organization. These components include the following.

READ:  How Do You Evaluate Control Deficiencies of a Company

Control environment

First and foremost, the COSO framework identifies the control environment of a company as the most crucial part of its internal control systems. The control environment of a company describes its culture and ethics that provide the framework inside it to work effectively. While the control environment relates to the overall company, it mainly refers to the behavior of the top management of the company in implementing the controls in place.

The control environment relates to the management’s style and the way it delegates authority, organization of its staff, and their commitment to the internal control policies. The more important the management places on the internal controls and systems of a company, the more likely it is that the lower-level staff will also implement them. In the absence of a proper control environment, even the best thought-out processes and procedures cannot succeed.

For example, a company has internal control systems in place for bank transactions. These may come in the form of bank reconciliations or other procedures to control any deficiencies in the banking process. However, the top management of the company disregards bank reconciliations and does not perform these regularly. It sets the tone for other employees of the company to avoid the process as well.

Risk assessment

The next step, after the establishment of the control environment, is to assess the risks of a company. By evaluating the risks of a company, it understands how these risks relate to its objectives. Therefore, it can identify and implement controls against these risks. However, the risks for every company differs based on several factors, such as its nature, objectives, industry, etc. Therefore, to assess the risks of a particular company, it is critical to understand these factors as well.

The goal of the risk assessment process is to identify risks, whether internal or external to the company, which it faces due to its business. Both internal and external factors require attention when it comes to risk assessment. However, external factors may require more analysis as these are outside the control of the company. Similarly, based on whether risks are controllable or not, companies can decide on how to tackle them.

For example, a company can look at its business and assess the risks associated with it. For companies that deal with inventories, the risk may be physical damage, obsolesce, theft, decrease in value, etc.

Control activities

The next component of the COSO framework is control activities. Control activities define all the processes or procedures that companies implement against the identified risks. Based on the type of risk, there are various control activities that companies can implement. Some commonly used control activities include authorizations, approvals, reviews, physical and digital security measures, verifications, reconciliations, segregation of duties, management, organization, etc.

READ:  Limitations of Internal Control

For example, separation of duties is vital for internal control of accounts receivable and payable balances. Similarly, for inventories, physical controls may be more critical as compared to the separation of duties. With sales and purchases, authorizations, approvals, and verifications may also be relevant. Therefore, the control activities for each item depends on the risk for each item.

Information and communication

The next component of the COSO internal control framework is information and communication. It refers to the flow of information of the control activities to the relevant authorities or personnel so that they can implement those activities. Similar to the control environment, the implementation of control activities depends on communication with personnel. In the absence of communication, control activities are futile. The quality of the information systems of a company also plays a role in this component.

For example, a company should have proper and well-defined channels for communications through which managers can send messages. Similarly, the system should provide regular updates to managers so they can implement them promptly. This information should consist of both external and internal factors. For each level of management, the level of information is going to vary. Therefore, there should be proper channels for it.


While the above four components almost fulfill the objectives of the internal controls process of a system, they are not complete. Once companies implement control activities and communicate them with the management, they should have procedures in place to monitor the activities. Therefore, every company should have a reviewing and monitoring process that it carries out regularly. Monitoring can also help companies identify deficiencies in the control activities and find a solution for them.

For example, once there are physical measures against inventories, high-level management must revisit those control regularly and check their effectiveness. In the case of inefficiencies in the process, they must rectify them. Similarly, managers need to carry out the overall internal control systems to see if they are in line with the company’s objectives.

Why Internal Control is Important?

Internal controls are critical for all organizations. Among other reasons, some of the reasons why they are vital to include the following.

  • Internal controls can help reduce the risk of a company to a minimum.
  • They can help address the assertions related to financial statements.
  • They can help in the detection and prevention of fraud.
  • Internal controls play a crucial role in the prevention of material misstatements in financial statements.
  • They can play a critical role in setting the culture of a company.
  • They ensure the preparation of timely and accurate financial statements.
READ:  Material Misstatements

Limitation of Internal Control

Despite its importance and the work put into developing various frameworks to strengthen the internal controls of companies, there are still many limitations of internal controls. Some of the main limitations of internal controls include the following.

Unforeseen circumstances

No matter how robust the internal controls of a company are, they still cannot compensate for unforeseen circumstances. Usually, companies design their internal controls to cover a variety of possible occurrences. These take into account different variables that can go wrong and account for them in the internal control systems. However, when unforeseen circumstances occur which the internal controls failed to account for, the systems fail to compensate for them.


Internal controls exist to detect and prevent fraud in a company. However, those in charge of carrying out the internal controls can still manipulate the systems to their advantage. It makes internal control susceptible to deliberate circumventions. In these cases, internal controls fail to operate or detect the fraud properly.

Human error

Sometimes, internal controls may fail due to human error as well. While internal controls help companies prevent chances of fraud or error, they still cannot detect a human error. No matter how well-designed internal controls are, as long as they require human input, they are susceptible to failure.

Management intervention

As mentioned above, the control environment of internal controls also plays a critical role in the acceptance of internal controls in an organization. However, if the management believes internal controls are extra formalities that they must go through or don’t apply to them, then internal control systems are of no use. In the absence of an internal control environment, the limitations of internal controls significantly increase.


Internal controls are crucial in the effective and efficient running of the processes of a company.  There are several objectives of internal controls, including prevention of fraud and error, safeguarding assets, accuracy and completeness of financial information, etc. The framework that deals with internal controls are the COSO framework which consists of five components; control environment, risk assessment, control activities, information and communication, and monitoring.

Scroll to Top