HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Free Professional Tool — COSO 2013

Internal Control Assessment
& Implementation Tool

Assess and implement the COSO 2013 Internal Control — Integrated Framework. All 5 components, 17 principles, with maturity ratings, assessment questions, evidence checklists, implementation guidance, common deficiencies, and a prioritised action plan.

5Components
17Principles
5Maturity Levels
3Tool Modes
0 / 17 rated
Maturity: Initial Developing Defined Managed Optimising

Components

CE

Control Environment

The organisation demonstrates a commitment to integrity and ethical values. The tone set by the board and senior management directly influences the internal control consciousness of the entire organisation.

P1 Commitment to Integrity and Ethical Values
The organisation demonstrates a commitment to integrity and ethical values. The tone set by the board and senior management directly influences the internal control consciousness of the entire organisation.
Points of Focus
Sets the tone at the top — board and management demonstrate integrity through actions, not just words
Establishes standards of conduct — code of ethics defines acceptable and unacceptable behaviours
Evaluates adherence to standards — processes exist to assess conformance with the code
Addresses deviations promptly — violations are identified, investigated, and remediated in a timely manner
Assessment Questions
Does a formal code of conduct or ethics policy exist and is it board-approved?
Has the code been communicated to all employees, contractors, and relevant third parties?
Are annual acknowledgements or certifications of the code obtained from employees?
Is there a whistleblower mechanism and is it visibly promoted by leadership?
Are ethics violations investigated and resolved with consistent, visible consequences?
Does senior management model ethical behaviour — is 'tone at the top' observed in practice?
Are ethics and integrity considered in performance evaluations and reward systems?
Evidence to Gather
Code of conduct / ethics policy document and board approval record
Employee acknowledgement log — % signed and date of last cycle
Ethics training completion records
Whistleblower reports received, investigated, and resolved in the period
Disciplinary records for ethics violations
Performance appraisal forms showing ethics criteria
Communication records — how ethics expectations were cascaded
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop or update the code of conduct to address current risks — include conflicts of interest, gifts, fraud, confidentiality
2Implement an annual ethics acknowledgement process for all staff
3Establish a confidential ethics hotline accessible to all employees and third parties
4Embed integrity criteria in hiring, performance management, and promotion decisions
5Conduct annual ethics training with scenario-based content relevant to your industry
6Ensure the board discusses ethical culture at least annually and reviews whistleblower statistics
Common Deficiencies
Code of conduct exists but is not actively communicated or enforced
No consequence for ethics violations at senior levels — double standards undermine credibility
Whistleblower mechanism exists but employees do not trust it — fear of retaliation
Ethics not embedded in performance management — considered a compliance checkbox only
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal code of conduct. Ethics expectations informal and unwritten.
DevelopingCode of conduct exists but not consistently communicated or enforced.
DefinedFormal code, annual acknowledgements, whistleblower mechanism in place.
ManagedEthics embedded in performance management; violations investigated consistently.
OptimisingStrong ethical culture — misconduct rare; ethics drives strategic and operational decisions.
P2 Board Independence and Oversight
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. An independent board provides critical oversight that deters management override.
Points of Focus
Establishes oversight responsibilities — board defines its role in internal control oversight
Applies relevant expertise — board members have financial, risk, and industry expertise
Operates independently — sufficient independent directors; audit committee is fully independent
Provides oversight of the system of internal control — reviews reports and takes corrective action
Assessment Questions
Is the board composition appropriate — sufficient number of independent directors?
Does the audit committee consist entirely of independent, financially literate directors?
Does the board have a formal mandate/charter defining its internal control oversight role?
Does the board receive regular management reports on internal control effectiveness?
Are there private sessions between the board and internal/external auditors without management?
Does the board challenge management on risk and control matters — not just receive reports?
Is there a documented process for the board to oversee remediation of control deficiencies?
Evidence to Gather
Board and audit committee charters
Director independence declarations and conflict of interest register
Board meeting agendas and minutes showing internal control discussions
Audit committee meeting minutes showing private sessions
Internal control reports presented to the board
Board evaluation of its own effectiveness on control oversight
Skills matrix of board members
Control Maturity Rating — Select Current Level
Implementation Guidance
1Ensure the audit committee charter explicitly assigns responsibility for internal control oversight
2Conduct annual board skills assessment to identify gaps in financial, risk, and control expertise
3Establish a structured process for internal audit to report directly to the audit committee
4Require management to provide a formal annual internal control declaration to the board
5Schedule at least one board deep-dive session annually on internal control effectiveness
6Ensure board members receive training on their internal control oversight responsibilities
Common Deficiencies
Audit committee includes executive directors or lacks financial literacy
Board receives management reports on controls but does not challenge or scrutinise them
No private sessions between audit committee and auditors — management always present
Board charter does not explicitly assign internal control oversight responsibilities
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialBoard has minimal involvement in internal control. No independent oversight.
DevelopingAudit committee exists but lacks independence or expertise.
DefinedIndependent audit committee with clear charter and regular reporting from internal/external audit.
ManagedBoard actively challenges management on controls; private sessions with auditors are routine.
OptimisingBoard drives a culture of accountability; internal control is a strategic boardroom priority.
P3 Management Structures, Reporting Lines and Appropriate Authorities
Management establishes structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives. A clear organisational structure enables accountability and effective control.
Points of Focus
Considers all structures — organisational structure enables control and accountability at every level
Establishes reporting lines — clarity of who reports to whom and what they are responsible for
Defines, assigns and limits authorities and responsibilities — delegation of authority is documented
Addresses segregation of duties — incompatible duties are identified and separated
Assessment Questions
Is there a current, documented organisational chart reflecting actual reporting lines?
Does a formal delegation of authority (DOA) matrix exist and is it up to date?
Are financial and operational approval limits clearly defined and communicated?
Are incompatible duties identified and segregated — no individual can initiate, authorise, and record a transaction?
Are there compensating controls where full segregation is not feasible?
Are roles and responsibilities formally documented in job descriptions?
Is the DOA reviewed and updated when there are organisational changes?
Evidence to Gather
Current organisational chart with reporting lines
Delegation of authority matrix — including financial and operational limits
Segregation of duties matrix identifying incompatible roles
Job descriptions for key control roles
Systems access rights mapped to roles
Review records showing DOA has been updated for recent changes
Evidence of compensating controls where SOD is impractical
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a comprehensive Delegation of Authority matrix covering all significant transactions
2Conduct an annual SOD review across all critical business processes and IT systems
3Map system access rights to roles to identify SOD conflicts at the application level
4Implement a user access review process — at minimum annually for all significant systems
5Update the DOA and org chart within 30 days of any significant structural change
6Where SOD is impractical (small teams), implement compensating controls such as management review
Common Deficiencies
DOA is outdated — approval limits have not been revised to reflect current risk exposure
SOD conflicts exist in ERP systems — same user can create vendors and process payments
Compensating controls for SOD gaps are informal and not documented
No formal process to update structures and authorities when personnel or strategy changes
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal authority matrix. Roles and responsibilities are informal.
DevelopingDOA exists but is outdated or inconsistently applied.
DefinedCurrent DOA, SOD matrix, and org chart exist and are communicated.
ManagedSOD enforced at system level; DOA reviewed annually; conflicts tracked and mitigated.
OptimisingDynamic authority framework updated in real time; system-enforced SOD across all processes.
P4 Commitment to Attract, Develop and Retain Competent Individuals
The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Competent people are the foundation of effective internal control.
Points of Focus
Establishes policies and practices — HR policies support attraction, development, and retention
Evaluates competence and addresses shortcomings — skills gaps are identified and closed
Attracts, develops and retains individuals — compensation and development incentivise retention
Plans and prepares for succession — continuity plans exist for key control roles
Assessment Questions
Are job descriptions aligned to control objectives — do they specify required competencies?
Is there a formal performance management process with defined competency criteria?
Are training needs assessed annually and addressed through structured development plans?
Are succession plans in place for key internal control roles (CFO, Controller, Head of IA)?
Is there an onboarding programme that includes internal control responsibilities?
Are exit interview themes analysed to identify control risks from staff turnover?
Is the organisation's staff turnover rate in key control functions at an acceptable level?
Evidence to Gather
Job descriptions for key control roles with competency requirements
Training needs assessment and development plan records
Performance appraisal records including competency ratings
Succession plans for critical roles
Staff turnover data for key control functions
Onboarding programme content covering internal control
CPD / professional certification records for key staff
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop or update job descriptions for all key control roles with specific competency requirements
2Implement an annual training needs assessment process linked to control objectives
3Establish succession plans for at minimum the top 3 tiers of management and all key control roles
4Include internal control responsibilities in the onboarding process for all new employees
5Monitor staff turnover in key control functions and investigate causes when above benchmark
6Provide continuing professional development opportunities for finance, audit, and risk staff
Common Deficiencies
Key control roles filled by individuals who lack the required technical competency
No succession plans — single points of failure in critical control positions
Training is generic rather than targeted to the specific control responsibilities of each role
High turnover in key finance and control functions creates persistent knowledge gaps
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal competency requirements for control roles. Hiring is ad hoc.
DevelopingJob descriptions exist but competency criteria are vague or not enforced.
DefinedFormal competency framework; annual training plans; basic succession planning.
ManagedCompetency gaps tracked and closed; succession plans active for all critical roles.
OptimisingTalent strategy directly linked to control objectives; continuous learning culture embedded.
P5 Hold Individuals Accountable for Internal Control Responsibilities
The organisation holds individuals accountable for their internal control responsibilities in pursuit of objectives. Accountability is the mechanism that gives internal control practical force.
Points of Focus
Enforces accountability through structures, authorities and responsibilities — clear ownership of controls
Establishes performance measures, incentives and rewards — control performance is incentivised
Evaluates performance and rewards or disciplines as appropriate — consequences are real and visible
Considers excessive pressures — incentive structures do not create pressure to override controls
Assessment Questions
Are internal control responsibilities formally assigned to named individuals or roles?
Is internal control performance included in individual performance reviews?
Are there clear, visible consequences when controls fail due to individual negligence?
Does the reward structure incentivise control compliance — or does it create pressure to override?
Is there evidence that senior management is held accountable for control failures in their areas?
Are control owners aware of their specific responsibilities?
Is there a formal process to assess excessive performance pressures that could motivate control override?
Evidence to Gather
Control ownership register — who is responsible for each key control
Performance review forms showing internal control criteria
Disciplinary records for control failures
Incentive structure documentation and analysis of pressure points
Management representation letters or control declarations
Evidence of consequences applied at senior level for significant control failures
Control Maturity Rating — Select Current Level
Implementation Guidance
1Create a formal control ownership register assigning every key control to a named individual
2Add internal control performance as a standing criterion in all performance reviews
3Ensure that management bonuses and incentives do not create excessive pressure to override controls
4Require senior management to sign management representation letters on internal control effectiveness
5Establish clear and consistently applied consequences for control failures — documented and communicated
6Conduct an annual assessment of incentive structures for unintended control risk
Common Deficiencies
Control responsibilities are documented but no consequence exists for failure — accountability is theoretical
Incentive structures reward short-term results at the expense of control compliance
No formal control ownership register — controls are 'everyone's responsibility' meaning no one's
Senior management failures attract no consequences — double standard undermines accountability culture
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal accountability structure for internal controls.
DevelopingSome controls have owners but accountability is not enforced.
DefinedControl ownership register exists; controls included in performance reviews.
ManagedConsistent consequences for failures; incentive structure reviewed for control risk.
OptimisingAccountability deeply embedded in culture; control performance drives recognition and reward.
RA

Risk Assessment

The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Without clearly specified objectives, there is no basis for identifying and assessing the risks that could prevent their achievement.

P6 Specify Suitable Objectives
The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Without clearly specified objectives, there is no basis for identifying and assessing the risks that could prevent their achievement.
Points of Focus
Operations objectives — reflect management choices; support financial reporting and compliance
External financial reporting objectives — comply with applicable accounting standards
External non-financial reporting objectives — comply with applicable standards and frameworks
Internal reporting objectives — reliable and timely information for management
Compliance objectives — comply with laws and regulations
Assessment Questions
Are the organisation's strategic, operational, financial reporting, and compliance objectives formally documented?
Are objectives sufficiently clear and measurable to enable risk identification?
Are objectives aligned across all levels of the organisation — entity, division, and process level?
Are financial reporting objectives aligned to the applicable accounting framework (IFRS, local GAAP)?
Are compliance objectives documented for all applicable laws and regulations?
Are operational objectives reviewed and updated when strategy changes?
Is there a linkage between objectives and the organisation's risk management framework?
Evidence to Gather
Strategic plan and documented strategic objectives
Annual operational objectives by department
Financial reporting objectives and alignment to accounting standards
Regulatory compliance register listing applicable laws and regulations
Objective cascade documentation — entity to process level
Risk register linked to objectives
Control Maturity Rating — Select Current Level
Implementation Guidance
1Document objectives at entity, division, and key process levels in a structured objectives register
2Ensure financial reporting objectives explicitly reference the applicable accounting framework
3Develop a compliance register cataloguing all applicable laws, regulations, and standards
4Map all risk assessments to specific objectives — no objective should be without a risk assessment
5Review and update objectives as part of the annual planning cycle and whenever strategy changes
6Communicate objectives clearly to all relevant personnel — objectives must be understood to be actioned
Common Deficiencies
Objectives are set at entity level only — no cascade to process level makes risk identification incomplete
Financial reporting objectives do not explicitly address material misstatement risk
Compliance objectives are incomplete — not all applicable regulations are captured
Objectives are rarely updated — risk assessments become misaligned with current strategy
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal documentation of objectives. Risk cannot be assessed.
DevelopingHigh-level objectives exist but are not cascaded or linked to risk.
DefinedFormal objectives at entity and department level; linked to risk register.
ManagedObjectives cascaded to process level; updated with strategy changes; risk-linked.
OptimisingDynamic objective management with real-time risk linkage; objectives drive control design.
P7 Identify and Analyse Risk
The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how they should be managed. Both inherent and residual risk must be considered.
Points of Focus
Includes entity, subsidiary, division, operating unit and functional levels in risk identification
Analyses internal and external factors — macroeconomic, industry, regulatory, and operational risks
Involves appropriate levels of management — risk identification is not siloed in one function
Estimates significance of risks identified — likelihood and impact are assessed
Determines how to respond to risks — accept, reduce, share, or avoid
Assessment Questions
Is there a formal risk assessment process conducted at least annually?
Does the risk assessment cover all significant organisational levels and functions?
Are both internal and external risk factors considered in the risk identification process?
Does the risk register capture both inherent risk and residual risk?
Are risk owners assigned for every identified risk?
Is the risk assessment linked to control design — do controls address identified risks?
Are risk responses (accept, transfer, mitigate, avoid) documented and implemented?
Evidence to Gather
Current risk register with inherent and residual ratings
Risk assessment methodology documentation
Risk workshop minutes or risk identification records
Risk owner assignments
Risk-to-control linkage documentation (risk and control matrix)
Risk reporting to senior management and board
Evidence of risk response implementation
Control Maturity Rating — Select Current Level
Implementation Guidance
1Establish an annual risk assessment cycle involving all departments and functions
2Use a structured risk register with inherent risk, control effectiveness, and residual risk columns
3Assign a risk owner for every identified risk — make ownership visible and accountable
4Develop a risk and control matrix linking each risk to the controls designed to mitigate it
5Report risk assessment results to senior management and the board at least annually
6Include both upside (opportunity) and downside (threat) risks in the assessment process
Common Deficiencies
Risk assessment is conducted by the risk team in isolation — line management not meaningfully involved
Risk register captures risk labels but no quantification of likelihood or impact
Residual risk not assessed — no consideration of control effectiveness in the risk rating
No risk-to-control linkage — controls exist but are not mapped to the risks they address
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal risk identification or assessment process.
DevelopingAd hoc risk identification; basic risk register without ownership or ratings.
DefinedAnnual formal risk assessment; risk register with owners, likelihood, and impact.
ManagedRisk and control matrix; residual risk tracked; risk reporting to board.
OptimisingContinuous risk monitoring with real-time updates; risk integrated into strategic planning.
P8 Assess Fraud Risk
The organisation considers the potential for fraud in assessing risks to the achievement of objectives. Fraud risk assessment is a distinct and mandatory element of the risk assessment component.
Points of Focus
Considers various types of fraud — fraudulent financial reporting, misappropriation of assets, illegal acts
Assesses incentive and pressure — do incentives or pressures exist that could motivate fraud?
Assesses opportunity — do process or control weaknesses provide opportunity to commit fraud?
Assesses attitudes and rationalisations — could attitudes or values allow fraud to occur?
Assessment Questions
Is there a dedicated fraud risk assessment process separate from or integrated into the general risk assessment?
Are all three elements of the fraud triangle (incentive, opportunity, rationalisation) considered?
Are fraud risks identified at the process level — not just at entity level?
Are anti-fraud controls designed to address the specific fraud risks identified?
Is management override of controls explicitly considered as a fraud risk?
Are fraud risk assessment results used to inform internal audit planning?
Is there an anti-fraud policy and are employees trained on fraud awareness?
Evidence to Gather
Fraud risk assessment documentation
Fraud risk register identifying specific fraud scenarios
Anti-fraud policy and fraud response plan
Fraud awareness training completion records
Controls mapped to fraud risks
Evidence that management override risk is explicitly assessed
Results of any proactive fraud data analytics performed
Control Maturity Rating — Select Current Level
Implementation Guidance
1Conduct a dedicated fraud risk assessment using the fraud triangle as the analytical framework
2Identify specific fraud scenarios relevant to your industry and business model
3Map anti-fraud controls to each identified fraud scenario
4Conduct annual fraud awareness training for all employees
5Implement proactive fraud detection analytics in high-risk areas (payroll, procurement, cash)
6Establish a fraud response plan defining how suspected fraud will be investigated and reported
7Ensure management override of controls is explicitly addressed in the fraud risk assessment
Common Deficiencies
Fraud risk is addressed at a high level only — no scenario-specific assessment
Management override risk is not assessed — the most significant fraud risk is overlooked
Anti-fraud controls are general rather than linked to specific fraud scenarios
No fraud awareness training — employees cannot recognise or report fraud indicators
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo fraud risk assessment. Fraud risk managed reactively.
DevelopingGeneral awareness of fraud risk but no structured assessment.
DefinedDedicated fraud risk assessment; fraud scenarios identified; anti-fraud policy in place.
ManagedControls mapped to fraud scenarios; fraud analytics deployed; regular training.
OptimisingContinuous fraud monitoring; fraud risk culture embedded; proactive detection programme.
P9 Identify and Analyse Significant Changes
The organisation identifies and assesses changes that could significantly impact the system of internal control. Changes in the external and internal environment can render existing controls ineffective or create new control gaps.
Points of Focus
Assesses changes in the external environment — regulatory, economic, technological, and social changes
Assesses changes to the business model — new products, services, acquisitions, or restructuring
Assesses changes in leadership — new senior executives may bring different control philosophies
Assesses changes in information systems — system implementations can disrupt control environments
Assessment Questions
Is there a formal process to identify and assess changes that could affect internal control?
Are major change initiatives (new systems, acquisitions, restructuring) subject to a control impact assessment?
Are internal controls reviewed and updated following significant organisational changes?
Is there a change management process that includes control consideration at the design stage?
Are regulatory and legislative changes monitored for their impact on control requirements?
Are system implementations subject to a pre-go-live control review?
Is there a process to update the risk register when significant changes occur?
Evidence to Gather
Change management policy and procedures
Control impact assessments for major change projects
Post-implementation reviews of control effectiveness after system changes
Regulatory change monitoring records
Updated risk registers following significant changes
Evidence of control review following leadership changes
Project governance documentation for major change initiatives
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a formal change control process requiring a control impact assessment for all significant changes
2Integrate internal control review into project management methodologies for major initiatives
3Maintain a regulatory change calendar to track upcoming regulatory changes affecting controls
4Conduct a post-implementation review of controls within 3 months of major system go-live
5Require notification to the risk/control function whenever a significant organisational change is planned
6Update the risk register and control documentation within 60 days of a significant change
Common Deficiencies
System implementations proceed without a pre-go-live control review — new control gaps created
Risk register is not updated following major changes — assessment becomes stale and misleading
Regulatory changes are monitored by legal but not translated into updated control requirements
Leadership changes result in informal change to control practices without formal documentation
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo process to identify or assess the control impact of changes.
DevelopingAd hoc review of changes; no formal control impact assessment requirement.
DefinedChange process requires control impact assessment for major changes.
ManagedProactive change monitoring; controls updated systematically following changes.
OptimisingReal-time change impact assessment integrated into enterprise risk management.
CA

Control Activities

The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Control activities should be appropriate, cost-effective, and directly address the risks they are designed to mitigate.

P10 Select and Develop Control Activities
The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Control activities should be appropriate, cost-effective, and directly address the risks they are designed to mitigate.
Points of Focus
Integrates with risk assessment — control activities directly address risks identified in the risk assessment
Considers entity-specific factors — industry, size, complexity, and nature of operations
Determines relevant business processes — controls are embedded in operational processes
Evaluates a mix of control activity types — preventive, detective, manual, automated, management review
Considers at what level activities are applied — entity, business process, transaction level
Addresses segregation of duties — incompatible duties are separated with appropriate controls
Assessment Questions
Are controls directly linked to the risks they are designed to mitigate?
Is there an appropriate mix of preventive and detective controls?
Are automated controls used where feasible to reduce reliance on manual controls?
Is the cost of controls proportionate to the risks they address?
Are controls documented in policies and procedures that are current and accessible?
Are controls regularly reviewed for design effectiveness — do they still address current risks?
Is there evidence that control activities are actually operating as designed?
Evidence to Gather
Risk and control matrix with control type classification
Process narratives and flowcharts showing embedded controls
Control testing results and walk-through documentation
Policy and procedure documents covering key control activities
Evidence of control operation (signed approvals, system logs, reconciliation outputs)
Cost-benefit analysis for significant control investments
Control deficiency log and remediation tracking
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk and control matrix for every key business process, mapping risks to specific control activities
2Classify controls by type (preventive/detective, manual/automated, entity/process/transaction level)
3Prioritise automation of key controls to reduce human error and increase consistency
4Review control design at least annually against the current risk profile
5Ensure all key controls are documented in current, accessible procedure documents
6Implement a control deficiency log to track design and operating effectiveness issues
Common Deficiencies
Controls exist but are not linked to specific risks — control design is not risk-informed
Over-reliance on manual controls that are vulnerable to human error and inconsistency
Redundant controls that address the same risk — efficiency without sacrificing coverage
Controls documented in outdated procedures — operational practice has diverged from documentation
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialControls are ad hoc and undocumented. No risk-to-control linkage.
DevelopingSome documented controls but not systematically linked to risk.
DefinedRisk and control matrix exists; controls classified and documented in procedures.
ManagedControls regularly tested; deficiencies tracked; mix of preventive and detective controls.
OptimisingOptimised control portfolio; automated where feasible; continuous testing and improvement.
P11 Select and Develop General Controls Over Technology
The organisation selects and develops general control activities over technology to support the achievement of objectives. Technology general controls (ITGCs) provide the foundation for the reliability of automated business controls.
Points of Focus
Determines dependency between use of technology in business processes and technology general controls
Establishes relevant technology infrastructure control activities — server, network, database controls
Establishes relevant security management process control activities — access and authentication
Establishes relevant technology acquisition, development and maintenance process control activities
Change management — changes to technology are controlled and tested before implementation
Assessment Questions
Is there a formal IT governance framework or policy governing technology controls?
Are user access management controls adequate — least privilege, periodic reviews, prompt revocation?
Is there a formal change management process for all system changes?
Are data backup and disaster recovery controls tested regularly?
Are segregation of duties controls enforced at the system level?
Is cybersecurity risk formally assessed and managed?
Are patch management and vulnerability management processes in place?
Evidence to Gather
IT general control policy and framework documents
User access review records — frequency and scope
Change management log and approval records
Disaster recovery test results
System SOD conflict reports and remediation records
Penetration test or vulnerability assessment results
Incident management log
Control Maturity Rating — Select Current Level
Implementation Guidance
1Implement a formal ITGC framework covering access management, change management, and IT operations
2Conduct quarterly user access reviews for all critical systems
3Enforce segregation of duties at the system configuration level — not just policy
4Test disaster recovery and data backup restoration at least annually
5Implement a formal vulnerability management programme with defined SLAs for patching
6Establish an IT incident response plan and test it annually
7Map system controls to business process risks in the risk and control matrix
Common Deficiencies
User access reviews conducted annually but only for active users — terminated users not included
Change management process documented but emergency changes bypass approval controls
Segregation of duties enforced in policy but not at system configuration level
DR/BCP plans exist but have never been tested — recovery capability unverified
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal IT general controls. Access and change management ad hoc.
DevelopingBasic IT policies exist but controls not consistently enforced.
DefinedFormal ITGC programme covering access, change management, and operations.
ManagedRegular access reviews; DR tested; SOD enforced at system level.
OptimisingContinuous access monitoring; automated change controls; proactive threat management.
P12 Deploy Control Activities Through Policies and Procedures
The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action. Policies without procedures are intentions without execution.
Points of Focus
Establishes policies and procedures to support deployment of management directives
Establishes responsibility and accountability for executing policies and procedures
Performs in a timely manner — controls are performed consistently and on schedule
Takes corrective action — deviations from policy are identified and corrected
Performs using competent personnel — controls are performed by qualified individuals
Reassesses policies and procedures — policies are reviewed and updated regularly
Assessment Questions
Are all key business processes covered by a documented policy or procedure?
Are policies and procedures current — when were they last reviewed and updated?
Are policies communicated to all relevant personnel and accessible when needed?
Is there a formal policy management framework with assigned owners and review cycles?
Are deviations from policies identified, reported, and corrected?
Do procedures include sufficient detail to enable consistent execution?
Are new employees trained on relevant policies and procedures as part of onboarding?
Evidence to Gather
Policy register with owner, version, and last review date for each policy
Sample of current policies and procedures for key processes
Policy training and acknowledgement records
Evidence of policy deviation tracking and corrective action
Policy review and approval records
Policy communication records
Onboarding programme content covering relevant policies
Control Maturity Rating — Select Current Level
Implementation Guidance
1Establish a policy management framework with a central register, assigned owners, and mandatory review cycles
2Set a maximum policy age of 3 years before mandatory review — high-risk areas reviewed annually
3Ensure all policies have a named owner accountable for currency and compliance
4Implement a policy acknowledgement process — employees confirm they have read and understood
5Track policy deviations and report trends to management as a control health indicator
6Review all policies following significant operational, regulatory, or strategic changes
Common Deficiencies
Policy register does not exist — no central visibility of what policies exist and their status
Policies are outdated — reflect historical practices rather than current operations
Policies exist but are not communicated — employees are unaware of requirements
No consequence for policy deviation — policy compliance is optional in practice
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal policy framework. Controls are informal and undocumented.
DevelopingSome policies exist but are outdated and inconsistently applied.
DefinedPolicy register with owners and review cycles; policies communicated.
ManagedPolicy compliance tracked; deviations reported; regular review cycle enforced.
OptimisingPolicy management integrated with risk; real-time deviation detection; continuous improvement.
IC

Information & Communication

The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control. Poor quality information undermines management decision-making and control effectiveness.

P13 Use Relevant Quality Information
The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control. Poor quality information undermines management decision-making and control effectiveness.
Points of Focus
Identifies information requirements — what information is needed to support each control
Captures internal and external sources — uses information from both inside and outside the organisation
Processes relevant data into information — raw data is transformed into actionable management information
Maintains quality throughout processing — information is accurate, complete, timely, and accessible
Considers costs and benefits — information investment is proportionate to its control value
Assessment Questions
Are management information systems producing accurate, complete, and timely reports?
Are data quality controls in place — input validation, reconciliation, and completeness checks?
Is information used in controls drawn from reliable, authoritative sources?
Are management reports designed to support specific control objectives?
Is there a process to identify and rectify data quality issues?
Are information systems subject to access controls that protect data integrity?
Are there data retention policies aligned to legal and operational requirements?
Evidence to Gather
Sample management reports and dashboards used for control purposes
Data quality controls documentation — validation rules, reconciliation processes
Information systems access control logs
Data quality issue log and resolution records
Data retention policy and evidence of compliance
IT system configuration documentation showing validation controls
User training records for information systems
Control Maturity Rating — Select Current Level
Implementation Guidance
1Define data quality requirements for all information used in key control processes
2Implement input validation controls at system level to prevent erroneous data entry
3Establish regular data reconciliation processes for all critical data sets
4Develop management reporting that is directly aligned to control objectives
5Implement a data quality monitoring programme with defined metrics and escalation
6Train key data users on data quality responsibilities and procedures
Common Deficiencies
Management reports are generated but their accuracy is not verified or reconciled
Multiple versions of data exist in different systems — no single source of truth
Data quality issues are known but not formally tracked or escalated
Information systems lack input validation — garbage-in drives garbage-out in control reporting
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo data quality controls. Information reliability is unknown.
DevelopingBasic reports produced but quality not formally assessed.
DefinedData quality controls in place; reconciliation processes; reliable reporting.
ManagedData quality metrics tracked; issues escalated; single authoritative data sources.
OptimisingReal-time data quality monitoring; predictive information management; automated alerts.
P14 Communicate Internally
The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Everyone must understand their role in internal control for it to be effective.
Points of Focus
Communicates internal control information — responsibilities and expectations are clearly communicated
Communicates between management and the board — information flows up and down the organisation
Provides separate communication lines — mechanisms exist for sensitive communications without going through line management
Selects relevant method of communication — mode and channel are appropriate to the message and audience
Assessment Questions
Are internal control responsibilities clearly communicated to all relevant personnel?
Is there a formal internal communication strategy for control-related information?
Do internal audit findings reach the board in an unfiltered, complete form?
Are there secure channels for employees to raise control concerns without going through their line manager?
Is the organisation's risk appetite communicated to all decision-makers?
Are significant control deficiencies communicated upwards in a timely manner?
Are communication channels two-way — does management receive and act on feedback from employees?
Evidence to Gather
Internal communication samples — town halls, circulars, policy updates related to internal control
Board reporting packs showing unfiltered audit and risk information
Whistleblower / speak-up channel logs
Risk appetite statement and evidence of communication
Deficiency communication records — how issues are escalated
Employee survey results on internal communication effectiveness
Internal audit terms of reference showing direct board reporting
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a communication plan for internal control — who needs to know what, and how often
2Ensure internal audit has a direct reporting line to the audit committee independent of management
3Communicate the organisation's risk appetite in practical, operational terms to all decision-makers
4Implement multiple channels for employees to raise control concerns — line manager, HR, ethics hotline
5Establish a defined escalation timeline for significant control deficiencies — immediate for critical issues
6Conduct regular communication effectiveness checks — do employees understand their control responsibilities?
Common Deficiencies
Internal audit findings are filtered or summarised by management before reaching the board
Risk appetite is a document in the boardroom but is not communicated operationally
No alternative communication channels — employees must raise concerns through their line manager
Control deficiency escalation is informal and slow — significant issues reach the board too late
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal internal communication on control responsibilities.
DevelopingAd hoc communication of control information; no structured escalation.
DefinedDefined communication channels; escalation process documented; direct audit-board reporting.
ManagedTwo-way communication; risk appetite communicated; timely escalation in practice.
OptimisingIntegrated communication ecosystem; real-time control intelligence shared organisation-wide.
P15 Communicate Externally
The organisation communicates with external parties regarding matters affecting the functioning of internal control. External communication ensures accountability to shareholders, regulators, customers, and other stakeholders.
Points of Focus
Communicates to external parties — information about objectives, risks, and internal control is appropriately shared
Enables inbound communications — input from external parties is captured and considered
Communicates with the board — external communication is reported to the board as appropriate
Provides separate communication lines — mechanisms exist for external parties to communicate sensitive matters
Assessment Questions
Are there formal processes for communicating with regulators on internal control matters?
Are external audit findings communicated to the board in full?
Are material weaknesses in internal control disclosed in financial reports where required?
Are customer, supplier, and other third-party concerns captured and directed to the appropriate function?
Is the organisation's internal control framework communicated to external auditors?
Are there whistleblower channels accessible to third parties (suppliers, customers)?
Is external communication reviewed for consistency and accuracy before release?
Evidence to Gather
Regulatory correspondence and filing records
External audit management letter and board response
Annual report disclosures on internal control
Third-party communication protocols
External stakeholder feedback mechanisms
Communication approval process documentation
Third-party accessible whistleblower channel details
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a formal external communication policy covering all stakeholder groups
2Ensure external audit management letters are shared in full with the audit committee
3Include internal control disclosures in annual reports that are accurate and complete
4Extend the whistleblower mechanism to cover third parties — suppliers, customers, agents
5Establish formal channels for regulators to communicate control-related requirements and findings
6Implement a communication approval process for all external statements about risk and control
Common Deficiencies
External audit management letter goes to management only — audit committee does not see all findings
Annual report internal control disclosures are boilerplate rather than organisation-specific
No mechanism for suppliers or customers to report control or ethics concerns
Regulatory communication is handled by legal/compliance with no link to the control function
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo formal external communication on internal control matters.
DevelopingSome external communication but not systematic or complete.
DefinedFormal external communication process; regulatory compliance; full audit committee reporting.
ManagedAll external feedback captured and directed; consistent disclosures; third-party channels.
OptimisingProactive external engagement on control; transparent disclosure; regulator relationship management.
MA

Monitoring Activities

The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Without monitoring, the effectiveness of internal control deteriorates over time.

P16 Conduct Ongoing and/or Separate Evaluations
The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Without monitoring, the effectiveness of internal control deteriorates over time.
Points of Focus
Considers a mix of ongoing and separate evaluations — both types provide assurance on control functioning
Considers rate of change — higher risk and change environments require more frequent monitoring
Establishes baseline understanding — evaluators must understand what good looks like
Uses knowledgeable personnel — evaluators are qualified and objective
Integrates with business processes — ongoing monitoring is embedded in operations
Adjusts scope and frequency — monitoring is calibrated to risk and control effectiveness
Assessment Questions
Are there ongoing monitoring controls embedded in day-to-day operations (exception reports, dashboard reviews)?
Is there a periodic self-assessment process for internal control effectiveness?
Are separate evaluations (internal audit, external reviews) conducted at appropriate frequency?
Are monitoring results reported to management and the board in a timely manner?
Are the scope and frequency of evaluations calibrated to the risk profile?
Is there a consolidated view of monitoring activity across the organisation?
Are control monitoring activities documented and their results retained?
Evidence to Gather
Ongoing monitoring reports and dashboards (exception reports, KRI dashboards)
Internal audit programme and completed engagement reports
Self-assessment results and sign-offs by control owners
Monitoring scope and frequency documentation
Results communicated to management and board
Monitoring coverage map — which controls are monitored and how
Third-party assurance reports where applicable
Control Maturity Rating — Select Current Level
Implementation Guidance
1Implement ongoing monitoring controls in all key business processes — embed exception reporting in operations
2Establish a formal control self-assessment (CSA) process for all significant business units
3Map all monitoring activity to the risk and control matrix to identify monitoring gaps
4Calibrate internal audit frequency to risk — higher-risk areas audited at least annually
5Consolidate monitoring results into a single internal control dashboard reported to senior management
6Implement continuous control monitoring technology for high-volume, high-risk transaction processes
Common Deficiencies
Monitoring relies entirely on annual internal audit — no ongoing monitoring in operations
Self-assessments are conducted but results are not verified by an independent party
Monitoring coverage is concentrated in financial processes — operational and compliance areas unmapped
Monitoring frequency has not been updated to reflect changes in risk — high-risk areas still reviewed infrequently
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialNo systematic monitoring. Reliance on reactive detection of problems.
DevelopingAnnual internal audit only; no ongoing monitoring in business operations.
DefinedMix of ongoing and separate evaluations; self-assessment process in place.
ManagedRisk-calibrated monitoring; results consolidated and reported to board.
OptimisingContinuous control monitoring technology; real-time exception management; predictive analytics.
P17 Evaluate and Communicate Deficiencies
The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board, as appropriate.
Points of Focus
Assesses results — evaluations are analysed to identify control deficiencies
Communicates deficiencies — findings are communicated to those responsible for corrective action
Monitors corrective actions — implementation of remediation is tracked
Defines severity thresholds — deficiencies are classified by severity (deficiency, significant deficiency, material weakness)
Escalates appropriately — more severe deficiencies reach the audit committee and board
Assessment Questions
Is there a formal process to classify and evaluate control deficiencies by severity?
Are deficiency definitions documented — what constitutes a deficiency vs significant deficiency vs material weakness?
Are deficiencies communicated promptly to the appropriate level of management?
Are material weaknesses and significant deficiencies reported to the audit committee?
Is there a deficiency remediation tracking system?
Are corrective actions verified as implemented — not just self-reported by management?
Are deficiency trends analysed to identify systemic or pervasive control weaknesses?
Evidence to Gather
Deficiency classification framework with severity definitions
Control deficiency log for the current period
Audit committee reports showing deficiency escalation
Corrective action tracking register with due dates and status
Evidence of independent verification of remediation
Trend analysis of deficiencies by component, process, or business unit
Management representation on deficiency status
Control Maturity Rating — Select Current Level
Implementation Guidance
1Develop a formal deficiency classification framework defining deficiency, significant deficiency, and material weakness
2Implement a central deficiency log capturing all findings from all monitoring activities
3Establish communication SLAs: material weaknesses to audit committee within 30 days; significant deficiencies within 60 days
4Require independent verification of corrective action completion — not management self-reporting only
5Conduct quarterly trend analysis of deficiencies to identify systemic weaknesses
6Report deficiency trends and open items to the board at least semi-annually
Common Deficiencies
No formal deficiency classification — all findings treated the same regardless of severity
Deficiencies communicated to management but not escalated to audit committee even when significant
Corrective action tracking is informal — no visibility of open items or overdue remediations
Independent verification of remediation not performed — management self-certifies completion
Control Maturity Descriptors
Maturity LevelCharacteristics
InitialDeficiencies not formally tracked or communicated.
DevelopingSome deficiency tracking but no classification framework; escalation informal.
DefinedFormal deficiency log; severity classification; defined escalation to audit committee.
ManagedPrompt communication; independent verification; trend analysis reported to board.
OptimisingPredictive deficiency identification; automated tracking; systemic pattern analysis.

Need Help Implementing COSO Internal Controls?

CTC Global provides COSO implementation support, internal control gap assessments, and training workshops for organisations across Pakistan and the UAE.