
COSO Framework

To help increase the likelihood of Vanderbilt University achieving its objectives and adapting to changes in the business and operating environments, we have adopted COSO’s Internal Control – Integrated Framework (2013) as the basis for evaluating the University’s system of controls. COSO provides a Framework for management, the Board of Trust, external stakeholders, and others interacting with the University to use as a guide in carrying out their respective duties regarding internal control.


COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 with the intent of improving the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.

The 2013 Framework is expected to help organizations design and implement internal control in light of many changes in business and operating environments, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control.


COSO’s 2013 Internal Control – Integrated Framework

The 2013 Framework presents the direct relationship that exists between an entity’s objectives (what an entity strives to achieve), the components of internal control (what is required to achieve those objectives), and the entity’s organizational structure (the system by which activities are directed in pursuit of those objectives). This relationship can be depicted in the form of a cube.

  • Three categories of objectives are presented in columns (top of the cube): Operations, Reporting, and Compliance.
  • Five internal control components are presented by rows (front of the cube): Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
  • An entity’s organizational structure is presented by the third dimension (side of the cube): Entity Level, Division, Operating Unit, and Function.


Understanding the Internal Control Components

The five internal control components are supported by 17 principles which present fundamental concepts of each component. The 2013 Framework also provides additional guidance in the form of points of focus intended to assist management in the design, implementation, and assessment of relevant principles. Together, the components and principles constitute the criteria of the Framework and the points of focus provide guidance that will assist management in assessing whether the components of internal control are present, functioning, and operating together within the entity. 


Control Environment

Description

The set of standards, processes, and structures that provide the basis for carrying out internal control across the University.

Examples

  • Standards of Conduct exist and are practiced by all employees.
  • The organization chart illustrates the actual working and reporting relationships.
  • The University has established policies and procedures that govern its operations and has effectively communicated them to its employees.


Risk Assessment

Description

The process of identifying, evaluating, and mitigating risks that prevent the University from achieving its objectives.

Examples

  • A department has identified high employee turnover as an internal risk to serving customers and has taken steps to sustain service by cross-training employees.
  • The federal government cuts financial aid by 20% (external risk), and the University seeks alternative funding sources for students.


Control Activities

Description

Policies and procedures that ensure management’s directives are carried out and necessary actions are taken to address risks and achieve goals. Control activities occur throughout the University and are performed by employees at all levels and in all functions.

Examples

  • Approvals, authorizations, reconciliations, and verifications are performed. Duties are properly separated.
  • Equipment, cash, and other assets are physically secured, periodically counted, and compared with amounts recorded in the books of record.


Information & Communication

Description

Pertinent information must be identified, captured, and communicated to appropriate personnel on a timely basis. Information systems must provide data that is relevant to established objectives, accurate and in sufficient detail, understandable, and in usable form. Effective communication must also occur in a broader sense, flowing down, across, and up through the organization.

Examples

  • Managers receive timely and accurate budget reports to monitor spending.
  • Employees report and act on noted exceptions.


Monitoring Activities

Description

Assessment of the quality of the University’s performance over time. Ongoing monitoring occurs daily in the course of operations through regular supervisory oversight and through separate evaluations by external parties.

Examples

  • Managers spot-check transactions, records, and reconciliations to ensure they are complete, accurate, and proper.
  • Managers request peer reviews and audits to learn of deficiencies.


Additional information regarding internal controls at Vanderbilt University can be found here.

Please contact us to learn more about the Framework and how it can be used to help achieve your business objectives.


Information presented on this webpage was compiled from the following authoritative source: Committee of Sponsoring Organizations of the Treadway Commission.

COSO cube graphic sourced from The Three Lines of Defense in Effective Risk Management and Control, The Institute of Internal Auditors, January 2013.