The document compares four major internal control frameworks: COSO, COCO, COBIT, and Cadbury.
COSO focuses on five components of internal control - control environment, risk assessment, control activities, information & communication, and monitoring. COCO has four similar components - purpose, commitment, capability, and monitoring & learning. COBIT organizes IT governance objectives into domains and processes linked to business requirements. Cadbury emphasizes the control environment, risk identification, information/communication, control procedures, and monitoring.
Each framework was created by different organizations and has its own principles or elements to define effective internal controls. However, they generally promote establishing control objectives and activities, identifying and managing risks, and monitoring performance over
Internal Controls Comparison
INTERNAL CONTROL FRAMEWORKS COMPARISON

TITLE
COSO: Committee of Sponsoring Organizations of the Treadway Commission
COCO: Criteria of Control
COBIT: Control Objectives for Information and Related Technology
CADBURY: The Cadbury Report 1992

ORGANIZATION
COSO: American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), The Institute of Internal Auditors (IIA).
COCO: Canadian Institute of Chartered Accountants (CICA)
COBIT: Information Systems Audit and Control Association (ISACA)
CADBURY: Financial Reporting Council, London Stock Exchange, Accountancy Profession

DATE OF PUBLICATION / CREATION
COSO: 1985
COCO: 1995
COBIT: 1996
CADBURY: 1992

ELEMENTS

COSO - Five interrelated components of the framework:
1. Control environment - Sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
2. Risk assessment - The identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.
3. Control activities - The policies and procedures that help ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
4. Information and communication - Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
5. Monitoring - Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time.

COCO - Four interrelated components:
1. Purpose - The mission, vision, strategy, risks and opportunities, policies, planning and performance targets and indicators that provide a clear driver for control criteria that people can understand.
2. Commitment - The ethical values, integrity, human resource policies, authorities, accountability and mutual trust that get people to commit to the control philosophy.
3. Capability - The knowledge, skills, tools, communication processes, information, coordination and control activities that provide people with the resources and competence to participate in designing and installing good controls and to be able to assess risks.
4. Monitoring and learning - The monitoring of internal and external environments and of performance, as well as challenging assumptions, reassessing information needs and information systems, conducting follow-up procedures and assessing the effectiveness of control.
The CoCo model presents 20 specific control criteria within these control components. It states that all 20 must be in place for internal control to be effective.

COBIT - COBIT components include:
1. Framework - Organizes IT governance objectives and good practices by IT domains and processes and links them to business requirements.
2. Process descriptions - A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run, and monitor.
3. Control objectives - Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
4. Management guidelines - Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
5. Maturity models - Assesses maturity and capability per process and helps to address gaps.

CADBURY - Five components:
1. Control environment - The attitude and actions of the directors, management and employees that set the tone for control within the organization.
2. Identification and evaluation of risks and control objectives - The identification and analysis of relevant business risks in a timely manner.
3. Information and communication - The performance indicators, information systems, and other systems that communicate the right information to the right people and enable them to carry out their responsibilities.
4. Control procedures - The policies and procedures or control activities that facilitate the execution of management directives and compliance.
5. Monitoring and corrective action - The monitoring process that assesses the quality of the internal control system's performance and reports on required changes and weaknesses necessitating corrective action.

PRINCIPLES

COSO (17 principles):
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable
6. Specify appropriate objectives
7. Identify and analyze risks
8. Evaluate fraud risks
9. Identify and analyze changes that could significantly affect internal controls
10. Select and develop control activities that mitigate risks
11. Select and develop technology controls
12. Deploy control activities through policies and procedures
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies

COCO (20 control criteria):
1. Objectives should be established and communicated.
2. Significant internal and external risks should be identified and assessed.
3. Policies should be established, communicated and practiced.
4. Plans should be established and communicated.
5. Plans should include measurable performance targets and indicators.
6. Shared ethical values should be established, communicated and practiced.
7. HR policies should be consistent with ethical values.
8. Authority, responsibility and accountability should be clearly defined.
9. Mutual trust should be fostered to support the flow of information.
10. People should have the necessary knowledge, skills and tools.
11. Communication processes should support the values of the organization.
12. Sufficient and relevant information should be identified and communicated.
13. Decisions and actions within the organization should be coordinated.
14. Control activities should be designed as an integral part of the organization.
15. The environment should be monitored to re-evaluate controls.
16. Performance should be monitored against the targets.
17. Assumptions behind objectives should be periodically challenged.
18. Information needs and related information systems should be reassessed.
19. Procedures should be established to ensure appropriate actions occur.
20. Management should periodically assess the effectiveness of control.

COBIT (the five COBIT 5 principles):
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

CADBURY (the fourteen items listed here are Henri Fayol's general principles of management, not provisions of the Cadbury Code of Best Practice):
1. Order
2. Equity
3. Remuneration
4. Centralization and Decentralization
5. Scalar chain
6. Division of work
7. Authority and Responsibility
8. Discipline
9. Subordination of individual interests to the general interest
10. Esprit de corps
11. Unity of command
12. Unity of direction
13. Initiative
14. Stability of Personnel

HISTORY

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985. These five organizations include the American Accounting Association, the American Institute of CPAs, Financial Executives International, The Association of Accountants and Financial Professionals in Business (IMA) and the Institute of Internal Auditors. These five organizations have been tasked with developing a framework that would improve organizational performance and governance, focused on reducing the extent of fraud in organizations and providing thought leadership in the areas of internal control, enterprise risk management and fraud identification. The original COSO model released in 1992 played a fundamental role in establishing a scalable framework for internal controls. While the COSO model was established in 1992, its real claim to fame came from the subsequent release of the Sarbanes-Oxley Act of 2002. During this time, COSO became the most widely used control framework in management's assessment of the internal control environment. However, that is not the model's sole purpose, as the COSO model is relevant to all companies and institutions when establishing a solid internal control framework.

COCO: The CoCo (Criteria of Control) framework was first published by the Canadian Institute of Chartered Accountants in 1995. This model builds on COSO and is thought by some to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization's objectives, focus on: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws and regulations and internal policies.

COBIT: ISACA first released COBIT in 1996, originally as a set of control objectives to help the financial audit community better maneuver in IT-related environments. Seeing value in expanding the framework beyond just the auditing realm, ISACA released a broader version 2 in 1998 and expanded it even further by adding management guidelines in 2000's version 3. The development of both AS 8015, the Australian Standard for Corporate Governance of Information and Communication Technology, in January 2005 and the more international draft standard ISO/IEC DIS 29382 (which soon after became ISO/IEC 38500) in January 2007 increased awareness of the need for more information and communication technology (ICT) governance components. ISACA inevitably added related components/frameworks with versions 4 and 4.1 in 2005 and 2007 respectively, "addressing the IT-related business processes and responsibilities in value creation (Val IT) and risk management (Risk IT)". In April 2012, COBIT 5 was released. An add-on for COBIT 5 related to information security was released in December 2012, and one related to assurance was released in June 2013. In November and December of 2018, the next version of COBIT, COBIT 2019, was released.

CADBURY: The Cadbury Report, titled Financial Aspects of Corporate Governance, is a report issued by "The Committee on the Financial Aspects of Corporate Governance" chaired by Adrian Cadbury that sets out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures. The report was published in draft version in May 1992. Its revised and final version was issued in December of the same year. The report's recommendations have been used to varying degrees to establish other codes such as those of the OECD, the European Union, the United States, the World Bank etc. The Corporate Governance Committee was set up in May 1991 by the Financial Reporting Council, the Stock Exchange and the accountancy profession in response to continuing concern about standards of financial reporting and accountability, particularly in light of the BCCI and Maxwell cases. The committee was chaired by Sir Adrian Cadbury and had a remit to review those aspects of corporate governance relating to financial reporting and accountability. The final report 'The financial aspects of corporate governance' (usually known as the Cadbury Report) was published in December 1992 and contained a number of recommendations to raise standards in corporate governance.