
INTERNAL CONTROL FRAMEWORKS COMPARISON

Frameworks compared: COSO, CoCo, COBIT, Cadbury

Title
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CoCo: Criteria of Control
COBIT: Control Objectives for Information and Related Technology
Cadbury: The Cadbury Report 1992

Organization
COSO:
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
- Institute of Management Accountants (IMA)
- The Institute of Internal Auditors (IIA)
CoCo: Canadian Institute of Chartered Accountants (CICA)
COBIT: Information Systems Audit and Control Association (ISACA)
Cadbury:
- Financial Reporting Council
- London Stock Exchange
- Accountancy profession

Date of Publication / Creation
COSO: 1985 (committee formed; the original framework was released in 1992)
CoCo: 1995
COBIT: 1996
Cadbury: 1992
Elements

COSO: five interrelated components of the framework:
- Control environment - Sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment - The identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed.
- Control activities - The policies and procedures that help ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks to the achievement of the entity's objectives.
- Information and communication - Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
- Monitoring - Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time.

CoCo: four interrelated components:
- Purpose - The mission, vision, strategy, risks and opportunities, policies, planning and performance targets and indicators that provide a clear driver for control criteria that people can understand.
- Commitment - The ethical values, integrity, human resource policies, authorities, accountability and mutual trust that get people to commit to the control philosophy.
- Capability - The knowledge, skills, tools, communication processes, information, coordination and control activities that provide people with the resources and competence to participate in designing and installing good controls and to assess risks.
- Monitoring and learning - The monitoring of the internal and external environments and of performance, as well as challenging assumptions, reassessing information needs and information systems, conducting follow-up procedures and assessing the effectiveness of control.
The CoCo model presents 20 specific control criteria within these control components. It states that all 20 must be in place for internal control to be effective.

COBIT: components include:
- Framework: Organizes IT governance objectives and good practices by IT domains and processes and links them to business requirements.
- Process descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
- Control objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Help assign responsibility, agree on objectives, measure performance and illustrate the interrelationship with other processes.
- Maturity models: Assess maturity and capability per process and help to address gaps.

Cadbury:
- Control environment - The attitude and actions of the directors, management and employees that set the tone for control within the organization.
- Identification and evaluation of risks and control objectives - The identification and analysis of relevant business risks in a timely manner.
- Information and communication - The performance indicators, information systems and other systems that communicate the right information to the right people and enable them to carry out their responsibilities.
- Control procedures - The policies and procedures or control activities that facilitate the execution of management directives and ensure compliance.
- Monitoring and corrective action - The monitoring process that assesses the quality of the internal control system's performance and reports on required changes and weaknesses necessitating corrective action.
Principles

COSO (17 principles):
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable
6. Specify appropriate objectives
7. Identify and analyze risks
8. Evaluate fraud risks
9. Identify and analyze changes that could significantly affect internal controls
10. Select and develop control activities that mitigate risks
11. Select and develop technology controls
12. Deploy control activities through policies and procedures
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies

CoCo (20 control criteria):
1. Objectives should be established and communicated.
2. Significant internal and external risks should be identified and assessed.
3. Policies should be established, communicated and practiced.
4. Plans should be established and communicated.
5. Plans should include measurable performance targets and indicators.
6. Shared ethical values should be established, communicated and practiced.
7. HR policies should be consistent with ethical values.
8. Authority, responsibility and accountability should be clearly defined.
9. Mutual trust should be fostered to support the flow of information.
10. People should have the necessary knowledge, skills and tools.
11. Communication processes should support the values of the organization.
12. Sufficient and relevant information should be identified and communicated.
13. Decisions and actions within the organization should be coordinated.
14. Control activities should be designed as an integral part of the organization.
15. The environment should be monitored to re-evaluate controls.
16. Performance should be monitored against the targets.
17. Assumptions behind objectives should be periodically challenged.
18. Information needs and related information systems should be reassessed.
19. Procedures should be established to ensure appropriate actions occur.
20. Management should periodically assess the effectiveness of control.

COBIT (5 principles):
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management

Cadbury (14 principles):
1. Order
2. Equity
3. Remuneration
4. Centralization and decentralization
5. Scalar chain
6. Division of work
7. Authority and responsibility
8. Discipline
9. Subordination of individual interests to the general interest
10. Esprit de corps
11. Unity of command
12. Unity of direction
13. Initiative
14. Stability of personnel
History

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985. These five organizations are the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Institute of Management Accountants (The Association of Accountants and Financial Professionals in Business) and the Institute of Internal Auditors. These five organizations were tasked with developing a framework that would improve organizational performance and governance, focused on reducing the extent of fraud in organizations and providing thought leadership in the areas of internal control, enterprise risk management and fraud identification. The original COSO model, released in 1992, played a fundamental role in establishing a scalable framework for internal controls.

While the COSO model was established in 1992, its real claim to fame came with the subsequent release of the Sarbanes-Oxley Act of 2002. During this time COSO became the most widely used control framework in management's assessment of the internal control environment. However, that is not the model's sole purpose, as the COSO model is relevant to all companies and institutions when establishing a solid internal control framework.

CoCo: The CoCo (Criteria of Control) framework was first published by the Canadian Institute of Chartered Accountants in 1995. This model builds on COSO and is thought by some to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization's objectives, focus on: effectiveness and efficiency of operations; reliability of internal and external reporting; compliance with applicable laws and regulations and internal policies.

COBIT: ISACA first released COBIT in 1996, originally as a set of control objectives to help the financial audit community better maneuver in IT-related environments. Seeing value in expanding the framework beyond just the auditing realm, ISACA released a broader version 2 in 1998 and expanded it even further by adding management guidelines in version 3 in 2000. The development of both AS 8015, the Australian Standard for Corporate Governance of Information and Communication Technology, in January 2005 and the more international draft standard ISO/IEC DIS 29382 (which soon after became ISO/IEC 38500) in January 2007 increased awareness of the need for more information and communication technology (ICT) governance components. ISACA inevitably added related components/frameworks with versions 4 and 4.1 in 2005 and 2007 respectively, "addressing the IT-related business processes and responsibilities in value creation (Val IT) and risk management (Risk IT)". In April 2012, COBIT 5 was released. An add-on for COBIT 5 related to information security was released in December 2012, and one related to assurance was released in June 2013. In November and December of 2018, the next version of COBIT, COBIT 2019, was released.

Cadbury: The Cadbury Report, titled Financial Aspects of Corporate Governance, is a report issued by "The Committee on the Financial Aspects of Corporate Governance", chaired by Adrian Cadbury, that sets out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures. The report was published in draft version in May 1992. Its revised and final version was issued in December of the same year. The report's recommendations have been used to varying degrees to establish other codes, such as those of the OECD, the European Union, the United States, the World Bank etc.

The Corporate Governance Committee was set up in May 1991 by the Financial Reporting Council, the Stock Exchange and the accountancy profession in response to continuing concern about standards of financial reporting and accountability, particularly in light of the BCCI and Maxwell cases. The committee was chaired by Sir Adrian Cadbury and had a remit to review those aspects of corporate governance relating to financial reporting and accountability. The final report, 'The financial aspects of corporate governance' (usually known as the Cadbury Report), was published in December 1992 and contained a number of recommendations to raise standards in corporate governance.
