Not-for-Profit Notebook

Practical insight and analysis on the accounting, audit and tax issues impacting not-for-profit organizations.

How COSO Helps Nonprofits Bolster Internal Controls

For more than two decades, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided for-profit companies with guidance on designing and maintaining internal controls, as well as assessing their effectiveness. A joint initiative of several professional accounting groups, COSO recently revised its original framework with the release of Internal Control — Integrated Framework.

Not all of the updated framework will apply to nonprofits. But this new guidance can provide a structure for organizations trying to establish, strengthen or assess their internal controls.


Not mandatory, but encouraged

Neither for-profits nor nonprofits are required to follow COSO’s advice, but the commission has suggested that organizations transition to the new framework by Dec. 15, 2014. Auditors generally rely on the framework’s components when they assess internal controls. And you may need to implement the framework if your nonprofit receives federal grant money and is subject to OMB Circular A-133/Uniform Guidance audits.

Even if you’re under no obligation to follow COSO, its framework has proven over the years to be an effective risk management tool for many different types of organizations. The updated version, which incorporates recent technological developments, the move toward increased globalization and the demand for better governance and transparency, is designed to help organizations apply internal controls more broadly to operations and reporting objectives.

Core concepts

Both the original and revised COSO frameworks are built around five interrelated components:

  1. Control environment — the set of standards, processes and structures that provide the basis for carrying out internal controls, such as ethical values and people management.
  2. Risk assessment — the process for identifying and assessing risks related to achieving an organization’s objectives.
  3. Control activities — actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, and segregation of duties.
  4. Information and communication — the flow of information necessary to support the internal control function, including communication between board members and executives as well as communication with external stakeholders.
  5. Monitoring — an ongoing evaluation of the internal control system’s performance over time and reporting of any deficiencies that are found.

COSO stresses that each of these five components must be in place and fully functioning for an internal control system to be effective.

To help organizations turn abstract concepts into actionable items, the new framework introduces 17 principles related to the five components. For example, three principles apply to “control activities”:

  • Select and develop control activities that mitigate risks.
  • Select and develop technology controls.
  • Deploy control activities through policies and procedures.

In addition to the 17 principles, COSO offers 81 “points of focus” in its report.

Applying the framework

As with the old, the new COSO framework is principles-based. This means that your nonprofit’s leaders can exercise their own judgment when determining which internal controls are appropriate for your organization and which ones — such as principles related to public company reporting — it can ignore.

But if governance is a particular concern, you might focus on directives about directors’ independence from management and best practices for audit committees. A nonprofit that has suffered an occupational fraud incident can use the framework to assess current risks (such as poor hiring decisions), strengthen controls (such as segregation of duties), and communicate ethical expectations to staffers.

Communicating accountability

For help applying the COSO framework or reviewing your internal controls, contact your financial advisor. And be sure that, if your organization implements all or some COSO principles, your nonprofit’s Form 990 reflects newly adopted or strengthened controls. Following COSO tells regulators, nonprofit watchdog groups and donors that your nonprofit is focused on good governance and accountability.