Best Practices

Internal Control Framework

GFOA recommends governments adopt the COSO’s Internal Control—Integrated Framework (2013) as the conceptual basis for designing, implementing, operating, and evaluating internal control so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives.

Internal control is necessary to provide governments a reasonable basis for believing and asserting that they are meeting their operational (effectiveness, efficiency, safeguarding of assets), reporting, and compliance objectives. Since 1992, the most widely recognized source of guidance on internal control has been the Committee of Sponsoring Organizations (COSO), which released its classicInternal Control—Integrated Framework in 1992.

In May 2013, the COSO significantly expanded its 1992 guidance to address a number of important environmental changes that have occurred since then. Those environmental changes include: higher expectations for governance oversight, increased operational and regulatory complexity, reliance on evolving technologies, and higher expectations relating to the prevention and detection of fraud. The updated and expanded COSO guidance identifies:

  1. Five essentialcomponents of a comprehensive framework of internal control;
  2. 17principles to assess whether those components are effective; and
  3. Numerouspoints of focus to highlight important characteristics relating to those principles.

It also offers guidance on how to assess the effectiveness of internal control in the light of those components, principles, and points of focus.

The Government Finance Officers Association (GFOA) wishes to encourage governments to take full advantage of the enhanced COSO guidelines.  Furthermore, GFOA commits itself to providing additional guidance, as needed, on the practical application of the COSO guidance to governments.

GFOA recommends governments adopt the COSO’s Internal Control—Integrated Framework (2013) as the conceptual basis for designing, implementing, operating, and evaluating internal control so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives.

To implement that guidance, a government needs to:

  1. Establish a comprehensive framework for internal control that includesall five essential components identified by the COSO (control environment, risk assessment, control activities, information and communication, and monitoring);
  2. Ensure that each component of internal control is functioning in a manner consistent withall relevant principles; and
  3. Ensure that the various components complement one another and operate together effectively.

Furthermore, GFOA commits itself to providing additional guidance, as needed, on the practical application of the COSO guidance to governments.

This best practice was previously titled Establishing a Comprehensive Framework for Internal Control.

  • Board approval date: Wednesday, September 30, 2015