How to use COSO to assess IT controls

Posted on: November 13, 2018


Maintaining proper controls over information technology is a constant
concern for businesses as they try to use technological advances to
drive efficiency and growth.

Principle 11 in the newly updated internal control framework of the
Committee of Sponsoring Organizations of the Treadway Commission
(COSO) provides guidelines for assessing the effectiveness of controls
over IT (see the sidebar, “COSO’s Principle 11”). As part of an
organization’s overall assessment of internal control under the
framework, Principle 11 can help CPAs manage the rapidly advancing
technology their organizations are using.

The exhibit shows the steps CPAs can follow to use Principle 11 to
understand their organization’s IT system and its controls, and to assess
the effectiveness of those controls. This flowchart is general enough
to be applied to any business process, whether large and complex or
small and simple.

The first step is to gain an understanding of the technology
involved, including:

The understanding of these four areas of the technology system
is accomplished using procedures described in the AICPA Clarified
Auditing Standard AU-C Section 315, Understanding the Entity and
Its Environment and Assessing the Risk of Material Misstatement.

The last four steps (nodes) in the activity show the analysis of
application controls and the assessment of the information-processing
risks they address, and then an analysis of the general
controls over technology that protect the application controls
(picture an umbrella). Finally, the CPA uses a systematic set of
procedures to assign a value to the probability that the controls will
(or will not) prevent, or detect and correct, the error.

The last step suggests using a control matrix (probably in a
spreadsheet) and a maturity model to assign the control score on a 0
to 5 scale. As is true throughout the world of accounting and
auditing, judgment must be used to determine if the overall assessment
(score) represents a pass or fail of the IT control system.
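The following is an added illustration of the control-matrix and maturity-model step, not code from the article or from COSO. It assumes a 0 to 5 maturity scale with 0 meaning the control is absent, reads the "umbrella" relationship as capping each application control's score at the weakest general control it depends on, and uses an assumed pass mark of 3; the control names and scores are constructed sample data.

```python
from dataclasses import dataclass

MATURITY_RANGE = range(0, 6)  # 0 = control absent, 5 = optimized (assumed level labels)

@dataclass(frozen=True)
class AppControl:
    name: str
    maturity: int           # 0-5 maturity score of the application control itself
    depends_on: tuple = ()  # general IT controls (the "umbrella") this control relies on

def effective_maturity(ctrl, general_controls):
    """Cap an application control's score by the weakest general control protecting it."""
    if ctrl.maturity not in MATURITY_RANGE:
        raise ValueError(f"{ctrl.name}: maturity {ctrl.maturity} is outside 0-5")
    # A general control missing from the assessment is treated as absent (score 0).
    supporting = [general_controls.get(name, 0) for name in ctrl.depends_on]
    return min([ctrl.maturity, *supporting])

def score_matrix(matrix, app_controls, general_controls):
    """matrix maps each information-processing risk to the application controls that
    address it. Returns {risk: score}; a risk with no mapped control scores 0."""
    by_name = {c.name: c for c in app_controls}
    return {risk: max((effective_maturity(by_name[n], general_controls) for n in names), default=0)
            for risk, names in matrix.items()}

def assess(scores, threshold=3):
    """Judgement step: every risk must reach the threshold. Returns (passed, failing risks)."""
    failing = {risk: s for risk, s in scores.items() if s < threshold}
    return not failing, failing

# Constructed sample matrix for a payroll/purchasing process (illustrative values only).
GENERAL_CONTROLS = {"access management": 2, "change management": 4, "backup and recovery": 3}
APP_CONTROLS = [
    AppControl("payroll change approval", 4, ("access management", "change management")),
    AppControl("three-way match", 5, ("change management",)),
    AppControl("invoice sequence check", 3, ("change management", "backup and recovery")),
]
MATRIX = {
    "unauthorized payroll changes": ["payroll change approval"],
    "duplicate vendor payments": ["three-way match"],
    "incomplete invoice capture": ["invoice sequence check"],
    "unreviewed manual journal entries": [],
}

if __name__ == "__main__":
    scores = score_matrix(MATRIX, APP_CONTROLS, GENERAL_CONTROLS)
    print(scores, assess(scores))
```

In the sample, the well-designed payroll approval control scores only 2 because the access-management control beneath it is weak, and the unaddressed journal-entry risk scores 0, so the overall judgement is a fail.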

Imagine, for example, that a CFO at a manufacturing company was using
the COSO framework to ensure the effectiveness of its system of
internal control. The CFO (or the controller or internal auditor)
could use this exhibit to gain a thorough understanding of the
company’s entire array of IT controls. Although some companies use the
COSO framework only to oversee their internal controls over external
financial reporting, the recently revised 2013 framework also can be
used to assess controls in multiple operating areas and internal and
nonfinancial reporting processes such as the systems for company
email, payroll and HR processing, and various manufacturing processes.

Using this exhibit, the CFO and accounting and audit personnel could
analyze all of the company’s IT application and general controls to
assess their effectiveness. Does the system ensure that
authorizations, verifications, reconciliations, and physical control
activities are properly designed, documented, and operating
effectively in the company’s operating and financial reporting
processes? Is access to employees’ personal information in payroll
data properly secured? These are questions the exhibit can help

As technology continues to evolve and is integrated into more
business processes, the COSO framework provides a helpful guide for
effective controls. Applying the framework and Principle 11 correctly
is an important step toward achieving a robust system of internal control.

Editor’s note: The AICPA is a member of COSO.

COSO’s Principle 11

Principle 11 of the updated internal control framework of the
Committee of Sponsoring Organizations of the Treadway Commission
(COSO) provides guidelines for assessing the effectiveness of
information technology controls. Principle 11 states that the
organization selects and develops general control activities over
technology to support the achievement of objectives. Points of focus
supporting the principle state that the organization:

Source: COSO Framework.


As businesses adapt rapidly developing technology to their business
processes, CPAs need to understand how to assess the effectiveness of
IT controls. The internal control framework of the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) can help
businesses maintain effective controls.

Principle 11 of the newly updated COSO framework contains specific
guidance that organizations can use to make sure the appropriate IT
controls are present and functioning.

CPAs can follow a step-by-step procedure to apply Principle 11 to IT
controls.

John White is a clinical professor of accountancy for the Daniels
College of Business at the University of Denver.

To comment on this article or to suggest an idea for another
article, contact Ken Tysiac, senior editor, at
or 919-402-2112.
