Assess and implement the COSO 2013 Internal Control — Integrated Framework. All 5 components, 17 principles, with maturity ratings, assessment questions, evidence checklists, implementation guidance, common deficiencies, and a prioritised action plan.
The organisation demonstrates a commitment to integrity and ethical values. The tone set by the board and senior management directly influences the internal control consciousness of the entire organisation.
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal code of conduct. Ethics expectations informal and unwritten. |
| Developing | Code of conduct exists but not consistently communicated or enforced. |
| Defined | Formal code, annual acknowledgements, whistleblower mechanism in place. |
| Managed | Ethics embedded in performance management; violations investigated consistently. |
| Optimising | Strong ethical culture — misconduct rare; ethics drives strategic and operational decisions. |
| Maturity Level | Characteristics |
|---|---|
| Initial | Board has minimal involvement in internal control. No independent oversight. |
| Developing | Audit committee exists but lacks independence or expertise. |
| Defined | Independent audit committee with clear charter and regular reporting from internal/external audit. |
| Managed | Board actively challenges management on controls; private sessions with auditors are routine. |
| Optimising | Board drives a culture of accountability; internal control is a strategic boardroom priority. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal authority matrix. Roles and responsibilities are informal. |
| Developing | DOA exists but is outdated or inconsistently applied. |
| Defined | Current DOA, SOD matrix, and org chart exist and are communicated. |
| Managed | SOD enforced at system level; DOA reviewed annually; conflicts tracked and mitigated. |
| Optimising | Dynamic authority framework updated in real time; system-enforced SOD across all processes. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal competency requirements for control roles. Hiring is ad hoc. |
| Developing | Job descriptions exist but competency criteria are vague or not enforced. |
| Defined | Formal competency framework; annual training plans; basic succession planning. |
| Managed | Competency gaps tracked and closed; succession plans active for all critical roles. |
| Optimising | Talent strategy directly linked to control objectives; continuous learning culture embedded. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal accountability structure for internal controls. |
| Developing | Some controls have owners but accountability is not enforced. |
| Defined | Control ownership register exists; controls included in performance reviews. |
| Managed | Consistent consequences for failures; incentive structure reviewed for control risk. |
| Optimising | Accountability deeply embedded in culture; control performance drives recognition and reward. |
The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Without clearly specified objectives, there is no basis for identifying and assessing the risks that could prevent their achievement.
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal documentation of objectives. Risk cannot be assessed. |
| Developing | High-level objectives exist but are not cascaded or linked to risk. |
| Defined | Formal objectives at entity and department level; linked to risk register. |
| Managed | Objectives cascaded to process level; updated with strategy changes; risk-linked. |
| Optimising | Dynamic objective management with real-time risk linkage; objectives drive control design. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal risk identification or assessment process. |
| Developing | Ad hoc risk identification; basic risk register without ownership or ratings. |
| Defined | Annual formal risk assessment; risk register with owners, likelihood, and impact. |
| Managed | Risk and control matrix; residual risk tracked; risk reporting to board. |
| Optimising | Continuous risk monitoring with real-time updates; risk integrated into strategic planning. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No fraud risk assessment. Fraud risk managed reactively. |
| Developing | General awareness of fraud risk but no structured assessment. |
| Defined | Dedicated fraud risk assessment; fraud scenarios identified; anti-fraud policy in place. |
| Managed | Controls mapped to fraud scenarios; fraud analytics deployed; regular training. |
| Optimising | Continuous fraud monitoring; fraud risk culture embedded; proactive detection programme. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No process to identify or assess the control impact of changes. |
| Developing | Ad hoc review of changes; no formal control impact assessment requirement. |
| Defined | Change process requires control impact assessment for major changes. |
| Managed | Proactive change monitoring; controls updated systematically following changes. |
| Optimising | Real-time change impact assessment integrated into enterprise risk management. |
The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Control activities should be appropriate, cost-effective, and directly address the risks they are designed to mitigate.
| Maturity Level | Characteristics |
|---|---|
| Initial | Controls are ad hoc and undocumented. No risk-to-control linkage. |
| Developing | Some documented controls but not systematically linked to risk. |
| Defined | Risk and control matrix exists; controls classified and documented in procedures. |
| Managed | Controls regularly tested; deficiencies tracked; mix of preventive and detective controls. |
| Optimising | Optimised control portfolio; automated where feasible; continuous testing and improvement. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal IT general controls. Access and change management ad hoc. |
| Developing | Basic IT policies exist but controls not consistently enforced. |
| Defined | Formal ITGC programme covering access, change management, and operations. |
| Managed | Regular access reviews; DR tested; SOD enforced at system level. |
| Optimising | Continuous access monitoring; automated change controls; proactive threat management. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal policy framework. Controls are informal and undocumented. |
| Developing | Some policies exist but are outdated and inconsistently applied. |
| Defined | Policy register with owners and review cycles; policies communicated. |
| Managed | Policy compliance tracked; deviations reported; regular review cycle enforced. |
| Optimising | Policy management integrated with risk; real-time deviation detection; continuous improvement. |
The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control. Poor quality information undermines management decision-making and control effectiveness.
| Maturity Level | Characteristics |
|---|---|
| Initial | No data quality controls. Information reliability is unknown. |
| Developing | Basic reports produced but quality not formally assessed. |
| Defined | Data quality controls in place; reconciliation processes; reliable reporting. |
| Managed | Data quality metrics tracked; issues escalated; single authoritative data sources. |
| Optimising | Real-time data quality monitoring; predictive information management; automated alerts. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal internal communication on control responsibilities. |
| Developing | Ad hoc communication of control information; no structured escalation. |
| Defined | Defined communication channels; escalation process documented; direct audit-board reporting. |
| Managed | Two-way communication; risk appetite communicated; timely escalation in practice. |
| Optimising | Integrated communication ecosystem; real-time control intelligence shared organisation-wide. |
| Maturity Level | Characteristics |
|---|---|
| Initial | No formal external communication on internal control matters. |
| Developing | Some external communication but not systematic or complete. |
| Defined | Formal external communication process; regulatory compliance; full audit committee reporting. |
| Managed | All external feedback captured and directed; consistent disclosures; third-party channels. |
| Optimising | Proactive external engagement on control; transparent disclosure; regulator relationship management. |
The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Without monitoring, the effectiveness of internal control deteriorates over time.
| Maturity Level | Characteristics |
|---|---|
| Initial | No systematic monitoring. Reliance on reactive detection of problems. |
| Developing | Annual internal audit only; no ongoing monitoring in business operations. |
| Defined | Mix of ongoing and separate evaluations; self-assessment process in place. |
| Managed | Risk-calibrated monitoring; results consolidated and reported to board. |
| Optimising | Continuous control monitoring technology; real-time exception management; predictive analytics. |
| Maturity Level | Characteristics |
|---|---|
| Initial | Deficiencies not formally tracked or communicated. |
| Developing | Some deficiency tracking but no classification framework; escalation informal. |
| Defined | Formal deficiency log; severity classification; defined escalation to audit committee. |
| Managed | Prompt communication; independent verification; trend analysis reported to board. |
| Optimising | Predictive deficiency identification; automated tracking; systemic pattern analysis. |
CTC Global provides COSO implementation support, internal control gap assessments, and training workshops for organisations across Pakistan and the UAE.