COSO and Nonprofit Organizations

By Steve Carter, CPA, Principal
ASL Nonprofit Group

Most people who know the acronym COSO (Committee of Sponsoring Organizations of the Treadway Commission) immediately think of publicly traded companies. COSO came upon the scene when Sarbanes-Oxley became a household name.

So why bring up COSO in the context of nonprofit organizations?

The recently issued Uniform Grant Guidance from the Office of Management and Budget stresses the need and importance of strong internal controls for nonprofits, and especially for those receiving federal awards and grants. Adoption of the COSO framework is not mandatory but strongly encouraged.

COSO has proven over the years to be the most effective framework for designing and maintaining efficient internal controls. The framework was most recently revised in 2013.

Not all of the updated framework applies to nonprofits. But the guidance can provide a structure for organizations trying to establish, strengthen or assess their internal controls. Additionally, auditors generally rely on the framework’s components when they assess internal controls.

Even if you’re under no obligation to follow COSO, its framework has proven over the years to be an effective risk management tool for many different types of organizations. The updated version, which incorporates recent technological developments, the move toward increased globalization, and the demand for better governance and transparency, is designed to help organizations apply internal controls more broadly to operations and reporting objectives.

Core Concepts

Both the original and revised COSO frameworks are built around five interrelated components:

  1. Control environment — the set of standards, processes, and structures that provide the basis for carrying out internal controls, such as ethical values and people management.
  2. Risk assessment — the process for identifying and assessing risks related to achieving an organization’s objectives.
  3. Control activities — actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, and segregation of duties.
  4. Information and communication — the flow of information necessary to support the internal control function, including communication between board members and executives as well as communication with external stakeholders.
  5. Monitoring — an ongoing evaluation of the internal control system’s performance over time and reporting of any deficiencies that are found.

COSO stresses that each of these five components must be in place and fully functioning for an internal control system to be effective.

To help organizations turn abstract concepts into actionable items, the 2013 COSO framework introduces 17 principles related to the five components. For example, three principles apply to “control activities”:

  • Select and develop control activities that mitigate risks.
  • Select and develop technology controls.
  • Deploy control activities through policies and procedures.

In addition to the 17 principles, COSO offers 81 “points of focus” in its report.

Applying the Framework

Like its predecessor, the 2013 COSO framework is principles-based. This means that your nonprofit’s leaders can exercise their own judgment in determining which internal controls are appropriate for the organization and which ones, such as principles related to public company reporting, it can ignore.

But if governance is a particular concern, you might focus on directives about directors’ independence from management and best practices for audit committees. A nonprofit that has suffered an occupational fraud incident can use the framework to assess current risks (such as poor hiring decisions), strengthen controls (such as segregation of duties), and communicate ethical expectations to staffers.

Communicating Accountability

For help applying the COSO 2013 Internal Control–Integrated Framework or reviewing your internal controls, please contact us. And be sure that, if your organization implements all or some COSO principles, your Form 990 reflects newly adopted or strengthened controls. Following COSO tells regulators, nonprofit watchdog groups, and donors that your nonprofit is focused on good governance and accountability.