Business executives and some internal auditors may ask, “Who or what is COSO”? It’s not a standard or a detailed requirement but only a framework. In our business world of multiple rules and regulations that have requirements from multiple governmental and other regulatory agencies often using hard-to-remember acronyms, it is easy to roll our eyes or shrug our shoulders at yet another acronym and set of requirements. COSO internal controls is a framework outlining professional practices for establishing preferred business systems and processes that promote efficient and effective internal controls. The sponsoring organizations that issue and publish this material are neither governmental nor some other type of regulatory agencies. Nevertheless, the COSO internal control framework is an important set or model of guidance materials that enterprises should follow when developing their business processes, systems, and procedures as well as in establishing Sarbanes-Oxley Act (SOx) compliance. An understanding of the COSO internal control framework is an internal audit CBOK must requirement.

The COSO internal control framework was originally launched in the United States in 1992, now a long time ago. This was a period of some significant fraudulent business practices in the United States and elsewhere that revealed a well-recognized need for improved internal control processes and procedures guidance. This 1992 COSO internal control framework ...