Decoding COSO
By Madison Rorschach

As a relatively new government performance auditor, I had heard of COSO, taken a class or two about the internal control framework, and stored it away in the "for later" bin in my brain. After all, I was busy auditing operations: riding on garbage trucks, observing street construction, investigating evidence rooms, and so on. However, in the fall of 2017, COSO was suddenly at the forefront of my mind.

In the winter of 2014, the federal government updated the Uniform Guidance. The update requires non-federal entities to establish and maintain effective internal control over federal awards, and that internal control should be consistent with COSO's Internal Control – Integrated Framework. The United States government gave non-federal entities three years to align with this update.1

Unfortunately, at the end of 2017, the City of College Station could not demonstrate compliance with COSO; however, our Finance Director had an idea: the internal auditors! After discussions with our Audit Committee, we accepted the undertaking, believing at first that this "non-audit service" would not benefit our audit office. After completing the assessment, I can tell you that we were wrong. In fact, an organization-wide COSO internal control assessment offers every audit shop opportunities for improvement.


So, what are these opportunities? First, a COSO assessment can act as a guide for exploring an organization's audit universe. As processes are examined and documented, risk areas can be recognized and analyzed, which amounts to a comprehensive, organization-wide risk assessment. In addition, this documentation can expedite the survey phase of later audits, because key processes and their internal controls have already been documented and some testing has already been performed.

Second, external auditors can utilize this documentation in their review of an organization’s financial statements. Discussing your assessment’s methodology and results with external auditors may generate new ideas for collaboration allowing for a more efficient allocation of audit resources. The external auditors that our city recently hired actually reduced their fee when they learned we had conducted a COSO assessment.

Third, a COSO assessment will generally require several interviews with management and other staff members. This not only presents internal auditors with an opportunity to meet and develop a rapport with employees throughout the organization, but also frees these relationships from the tension an audit may create. Similarly, the process documentation created as part of the assessment could benefit department and division functions. In fact, many City of College Station staff members expressed their appreciation for our efforts and were impressed by the documentation we produced.

Finally, results from the assessment can be used to establish a continuous auditing program. Specifically, the process documentation allows auditors to identify weak internal control areas. Tests for these areas can be scripted in general-purpose audit analytics software, such as ACL, IDEA, or Arbutus. Running these scripts periodically helps auditors identify areas that should be further scrutinized or should receive a full audit.
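To make the continuous-auditing idea concrete, the following is an added example (not from the original article, and not tied to ACL, IDEA, or Arbutus) of the kind of scripted test that falls out of a COSO assessment. It takes the system-access table the assessment produces for accounts payable (who may enter invoices, who may approve them, and up to what amount) and runs three exception tests over a batch of transactions: duplicate payments, segregation-of-duties conflicts (the same person entered and approved an invoice), and approvals by someone without the role or above their limit. The access table, the transactions, and the field names are all constructed for the example and do not describe any real system.

```python
"""Continuous-auditing exception tests over accounts-payable records.

Added example, not code from the article or the City of College Station.
The access table and invoice records below are constructed test data; the
field names (vendor, invoice_no, entered_by, approved_by, ...) are assumed,
not any real system's schema.
"""
from collections import Counter

# Constructed system-access table, the kind of "internal control table" a
# COSO process packet documents: each user's permitted steps and approval limit.
ACCESS = {
    "jdoe":   {"roles": {"enter_invoice"},                    "approval_limit": 0},
    "asmith": {"roles": {"approve_invoice"},                  "approval_limit": 5_000},
    "bwong":  {"roles": {"enter_invoice", "approve_invoice"}, "approval_limit": 25_000},
    "cfo":    {"roles": {"approve_invoice"},                  "approval_limit": 1_000_000},
}

# Constructed AP transactions for one review period.
INVOICES = [
    {"id": 1, "vendor": "V100", "invoice_no": "A-1", "amount": 1200.00,  "entered_by": "jdoe",  "approved_by": "asmith"},
    {"id": 2, "vendor": "V100", "invoice_no": "A-1", "amount": 1200.00,  "entered_by": "jdoe",  "approved_by": "asmith"},  # paid twice
    {"id": 3, "vendor": "V200", "invoice_no": "B-7", "amount": 9800.00,  "entered_by": "bwong", "approved_by": "bwong"},   # entered and approved by same user
    {"id": 4, "vendor": "V300", "invoice_no": "C-3", "amount": 7500.00,  "entered_by": "jdoe",  "approved_by": "asmith"},  # above approver's limit
    {"id": 5, "vendor": "V300", "invoice_no": "C-4", "amount": 300.00,   "entered_by": "jdoe",  "approved_by": "intern"},  # approver not in access table
    {"id": 6, "vendor": "V400", "invoice_no": "D-1", "amount": 45000.00, "entered_by": "jdoe",  "approved_by": "cfo"},     # clean
]


def duplicate_payments(invoices):
    """IDs of invoices sharing vendor, invoice number and amount with another."""
    key = lambda r: (r["vendor"], r["invoice_no"], round(r["amount"], 2))
    counts = Counter(key(r) for r in invoices)
    return sorted(r["id"] for r in invoices if counts[key(r)] > 1)


def segregation_violations(invoices):
    """IDs where the same user both entered and approved the invoice."""
    return sorted(r["id"] for r in invoices if r["entered_by"] == r["approved_by"])


def approval_violations(invoices, access):
    """IDs approved by a user who lacks the approval role, is unknown to the
    access table, or whose approval limit is below the invoice amount."""
    flagged = []
    for r in invoices:
        user = access.get(r["approved_by"])
        if (user is None
                or "approve_invoice" not in user["roles"]
                or r["amount"] > user["approval_limit"]):
            flagged.append(r["id"])
    return sorted(flagged)


def run_checks(invoices=INVOICES, access=ACCESS):
    """Run every test and return the exception list per test, keyed by name."""
    return {
        "duplicate_payment": duplicate_payments(invoices),
        "segregation_of_duties": segregation_violations(invoices),
        "unauthorized_approval": approval_violations(invoices, access),
    }


if __name__ == "__main__":
    for name, ids in run_checks().items():
        print(f"{name}: {ids if ids else 'no exceptions'}")
```

Two points are worth noting when turning this into a recurring script. The access table documents how the control is designed; running the tests against actual transactions shows whether it operated, which is the distinction between the qualitative and quantitative support discussed later in the article. And an exception is a lead, not a finding: invoice 3 above is flagged for segregation of duties even though the user legitimately holds both roles, so a compensating control (for example, a second-level review of self-approved items) may already exist and should be confirmed before the item is escalated.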


So, you're convinced. A COSO assessment seems like a step in the right direction, but how do you start? There are many COSO resources: the COSO manual, COSO's Illustrative Tool,2 the Green Book, and COSO training courses. You can even become COSO certified. In the end, our office found that none of these provide actionable steps. What do you really need to conduct this assessment?

The easiest way to document your COSO assessment is in a COSO matrix. Essentially, this Excel workbook breaks each component down into its principles and "points of focus," which emphasize key facets of each principle. As you conduct the assessment, identified internal controls are linked to each point of focus, and the associated methodology and results are described. Including working paper references makes review easy for other auditors. Our office found that there are generally two ways to document a control's effect: qualitatively and quantitatively.

For instance, Principle 1 is defined by the COSO manual as: “the organization demonstrates a commitment to integrity and ethical values.”3 An internal control that would support this principle is an employee handbook’s ethics section. However, quantifying the effectiveness of this internal control would be difficult, resulting in qualitative methodology and results. On the other hand, another internal control that would support this principle is employee performance evaluations, specifically if supervisors evaluate their staff on ethics. The effectiveness of this internal control can be tested by reviewing performance evaluations, resulting in quantitative methodology and results.

An illustration of how these two types of controls are documented, as well as an example of a COSO matrix, is presented in Figure 1. While it is important to remember that both types of results are required to fully demonstrate COSO compliance, not every point of focus is conducive to quantitative results.

Figure 1 (image not reproduced): example COSO matrix showing how a qualitative control and a quantitative control are documented against a point of focus.


So now we know how to document our assessment, but what are we really assessing? We have discussed the points of focus, but our office found that these were broad and difficult to support without further direction. On the other hand, we found that the Green Book helped to sharpen our understanding of each principle with its guiding questions.4 In addition, it should be noted that familiarity with the organization will expedite the assessment, though it is not a requirement for completion.

Furthermore, a COSO assessment is an iterative process. Each year, processes and controls must be reviewed and recertified by the process owners. While this is a substantial undertaking the first year, updating your documentation in later years should be relatively easy. This allows auditors to continually receive the benefits described in the previous sections while maintaining their independence, since the process owners, not the auditors, own and certify the controls.

In the following section, I have included some suggestions and ideas for each component that should help direct a COSO assessment. Nevertheless, it is important to consider the principles and points of focus as a whole when planning your assessment. COSO is truly an integrated control framework and our office found that work, including policy reviews, interviews, testing, etc., can often be used to support multiple points of focus—especially when designed correctly.

Control Environment
This component focuses on organization-wide controls, particularly with regards to personnel management, standards of conduct, and organization structure. Our office requested an HR staff member function as a liaison who facilitated our review of employee records and helped us identify HR-owned controls. Principle 2, however, is focused on organizational governance. For us, this meant investigating City Council’s practices, such as trainings, meetings, and committees. Reviewing documents relevant to Council, including the City Charter and the election application packet, aided us in identifying governance controls.

Risk Assessment
This component focuses on how the organization identifies and analyzes its objectives. If your organization has implemented an Enterprise Risk Management (ERM) system, you’re in luck because it will easily support many of this component’s points of focus. That being said, an ERM system is not necessary to comply with COSO. We reviewed documents where departments measured their objectives including the annual budget document and strategic business plans. We also compared objectives across the organization and interviewed department and division supervisors about their objectives and decision criteria.

Control Activities
This component focuses on the organization's internal controls and relevant processes, and it will probably take the most time to adequately support, mainly due to Principle 10, which requires that key organizational controls be documented. Admittedly, many critical personnel management, information technology, and security controls are already documented under other principles. For this reason, our office concentrated on key financial processes: accounts payable, payroll, fixed assets, inventory, and accounts receivable. Your organization may have different key processes. Regardless, all selected processes should be broken into sub-processes and documented in process packets, which include the following sections:

  • Internal Control Tables. The first section describes internal controls in tables. One table reports the system access of key personnel in the process, including their names and titles. All critical systems in the process should be included, but it may be helpful to split these tables by sub-process if users are not involved in every system. A second table outlines all internal controls broken up by sub-process, including controls shown in the process narrative (like procurement card approvals) and those not shown in the narrative (like procurement card restrictions). Examples of these tables are shown in Figure 2. 

Figure 2 (image not reproduced): example system-access table and internal control table for a sub-process.

  • Process Narratives. Internal controls do not exist in a vacuum, so effectively documenting them requires developing process narratives. Our office found that a process is generally communicated more effectively with a swimlane flowchart, which makes the separation of duties visible at a glance. We numbered each step in the flowchart and included more detail for each numbered step in a corresponding list. Examples of these are shown in Figure 3. The internal control tables, flowcharts, and associated sub-process lists must then be reviewed and certified by the process owner.

Figure 3 (image not reproduced): example swimlane flowchart with its numbered sub-process list.

Information and Communication
This component focuses on how the organization verifies and communicates information to employees, citizens, and other stakeholders. Many information verification controls can be determined as part of the Control Activities component; however, some information technology questions may need further exploration. Moreover, the methods organizations use to communicate information are varied, but may include: a city-wide intranet; regular public and internal meetings; a fraud hotline; social media policies, posts, and accounts; the Public Communications Department’s activities; financial transparency efforts; and a city website. While this list is not comprehensive, discussions with your organization’s leaders will help you determine applicable communication methods.

Monitoring Activities
This component focuses on the organization's separate and ongoing evaluations of internal controls and on how deficiencies are communicated. In our organization, our office and the external auditors were the most consistent source of separate evaluations, both following auditing standards for communicating deficiencies. Likewise, our City Manager's Office and other department heads often hire consultants to conduct separate evaluations. Evidence of ongoing monitoring may include periodic performance reporting, such as separate reports to management or the annual budget, or any system that allows a review of performance metrics or finances. Many of these controls may already have been identified during the Control Activities component.


You have the reasons, the tools, and the guidance for conducting an organization-wide, annual COSO assessment. Even if your organization isn't required to comply with the Uniform Guidance, I encourage you to take advantage of this opportunity. I believe there is no better way to capture a complete picture of your organization's internal control framework each year, whether your shop has been around for years or just one day. I can tell you this much: if I were setting up an audit shop, a COSO assessment would be my first step.


1 U.S. Government Publishing Office. "Part 200 – Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards." Electronic Code of Federal Regulations. September 14, 2018. Accessed September 14, 2018. https://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title02/2cfr200_main_02.tpl.

2 While COSO's Illustrative Tool is similar to the COSO matrix we describe and can be used as a starting point, we believe a COSO matrix must be tailored to fit each organization.

3 Internal Control – Integrated Framework, © 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

4 U.S. Government Accountability Office. Standards for Internal Control in the Federal Government. GAO-14-704G. Washington, DC, 2014. Accessed September 18, 2018. https://www.gao.gov/assets/670/665712.pdf.


Madison Rorschach is the Assistant City Internal Auditor of the City of College Station. She became a Certified Internal Auditor in 2017 and has helped earn her City two Knighton Awards in just three years. Currently a member of ALGA’s Diversity, Equity, and Inclusion Committee and the Vice President for her local IIA chapter, Madison believes local government auditing is key to protecting the people’s interests. She holds a Bachelor’s degree in Economics from Texas A&M University and enjoys regression analysis more than any person should.