© D.L. Crumbley
The COSO Model
Control environment – management’s attitude toward controls, or the “tone at the top.”
Risk assessment – management’s assessment of the factors that could prevent the organization from meeting its objectives.
Control activities – specific policies and procedures that provide a reasonable assurance that the organization will meet its objectives. The control activities should address the risks identified by management in its risk assessment.
Information and communication – system that allows management to evaluate progress toward meeting the organization’s objectives.
Monitoring – continuous monitoring of the internal control process, with appropriate modifications made as deemed necessary.