Determining Maturity Levels for Internal Control

Numerous factors need to be considered when assessing the completeness of coverage and the current maturity level of an organization’s internal control structure across significant processes. A company’s internal controls framework can be categorized into one of four maturity levels, each with its own characteristics. The following list provides guidance for evaluating existing controls and identifying where improvement is needed.

Maturity Level 1: Informal or Ad-hoc

  • Control activities fragmented
  • Control activities may be managed in “silo” situations
  • Control activities dependent upon individual heroics
  • Inadequate documentation and reporting methods
  • Inadequate monitoring methods

Maturity Level 2: Standard

  • Control awareness exists
  • Control activities designed
  • Control activities in place
  • Some documentation and reporting methodology exists
  • Automated tools and other control measures may exist, but are not necessarily integrated within all functions
  • Accountability and performance monitoring require improvement

Maturity Level 3: Managed and Monitored

  • Key Performance Indicators (KPI) are defined for monitoring effectiveness
  • Well-understood chains of accountability exist
  • A formal controls framework exists
  • Automated tools and other control measures are used to generate more standardized assessments

Maturity Level 4: Optimized

  • Highly automated control infrastructure
  • Benchmarking, best practices, and continuous improvement elements incorporated into monitoring efforts
  • Real-time monitoring

If you are interested in learning more about the four maturity levels for internal control or the 2013 COSO Internal Control-Integrated Framework, download our COSO 2013 Implementation Risk Insights document.