
Internal Control Framework Updated


After nearly 20 years, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework is receiving an update. COSO recently issued an exposure draft for public comment aimed at adapting the framework to an increasingly complex and fast-changing business environment. The update should allow organizations to use the framework more effectively to develop and maintain systems of internal control in support of long-term success.

The update retains the core definition of internal control as well as the five components of a system of internal control from the original framework. One of the most important enhancements is the codification of the framework's internal control concepts in 17 principles and supporting attributes.

Clubs need to consider all the aspects of internal control discussed in the framework, which are frequently depicted in the COSO cube. Part of the expectations associated with running clubs in a businesslike fashion involves understanding that internal control does not begin and end with issues like segregation of duties in the accounting department. Establishing the appropriate governance culture through the club control environment, and carrying out a robust risk assessment to determine what obstacles might prevent the club from achieving its performance goals, are arguably more important attributes of internal control in the club environment.

Clubs should consider how they engrain the 17 COSO principles into their own control system.

These principles are:

  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability
  6. Specifies relevant objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and analyzes significant change
  10. Selects and develops control activities
  11. Selects and develops general controls over technology
  12. Deploys control activities through policies and procedures
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies

More detailed information can be found on the COSO website. Consider also a related article, "Using COSO in a not-for-profit enterprise," which appeared in Muse, a McGladrey publication for not-for-profit entities.