How COSO Helps Not-for-Profits Bolster Internal Controls
For more than two decades, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided for-profit companies with guidance on designing and maintaining internal controls, as well as assessing their effectiveness. A joint initiative of several professional accounting groups, COSO revised its original framework with the release of Internal Control — Integrated Framework.
Not all of the updated framework will apply to not-for-profits. But the guidance can provide a structure for organizations trying to establish, strengthen or assess their internal controls.
Not mandatory, but encouraged
Neither for-profits nor not-for-profits are required to follow COSO’s advice, but the commission has suggested that organizations transition to the new framework. Auditors generally rely on the framework’s components when they assess internal controls. And you may need to implement the framework if your not-for-profit receives federal grant money and is subject to OMB Circular A-133 audits.
Even if you’re under no obligation to follow COSO, its framework has proven over the years to be an effective risk management tool for many different types of organizations. The updated version, which incorporates recent technological developments, the move toward increased globalization and the demand for better governance and transparency, is designed to help organizations apply internal controls more broadly to operations and reporting objectives.
Core concepts
Both the original and revised COSO frameworks are built around five interrelated components:
- Control environment — the set of standards, processes and structures that provide the basis for carrying out internal controls, such as ethical values and people management.
- Risk assessment — the process for identifying and assessing risks related to achieving an organization’s objectives.
- Control activities — actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, and segregation of duties.
- Information and communication — the flow of information necessary to support the internal control function, including communication between board members and executives as well as communication with external stakeholders.
- Monitoring — an ongoing evaluation of the internal control system’s performance over time and reporting of any deficiencies that are found.
COSO stresses that each of these five components must be in place and fully functioning for an internal control system to be effective.
To help organizations turn abstract concepts into actionable items, the 2013 COSO framework introduces 17 principles related to the five components. For example, three principles apply to “control activities”:
- Select and develop control activities that mitigate risks.
- Select and develop technology controls.
- Deploy control activities through policies and procedures.
In addition to the 17 principles, COSO offers 81 “points of focus” in its report.
Applying the framework
Like the original, the new COSO framework is principles-based. This means that your not-for-profit’s leaders can exercise their own judgment when determining which internal controls are appropriate for your organization and which (such as principles related to public company reporting) it can ignore.
But if governance is a particular concern, you might focus on directives about directors’ independence from management and best practices for audit committees. A not-for-profit that has suffered an occupational fraud incident can use the framework to assess current risks (such as poor hiring decisions), strengthen controls (such as segregation of duties), and communicate ethical expectations to staffers.
Communicating accountability
For help applying the COSO 2013 Internal Control — Integrated Framework or reviewing your internal controls, contact us. And be sure that, if your organization implements all or some COSO principles, your not-for-profit’s Form 990 reflects newly adopted or strengthened controls. Following COSO tells regulators, not-for-profit watchdog groups and donors that your not-for-profit is focused on good governance and accountability.
© 2015