Internal Controls Framework: Auditing the COSO Model in UK Businesses

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework has been the most widely used reference for evaluating and implementing internal controls for decades. In the UK, regulators increasingly expect organisations to be familiar with it, particularly in regulated sectors such as financial services and insurance. An internal controls audit examines whether your organisation actually has controls in place and whether they are operating effectively.

Many UK organisations have internal controls scattered throughout their operations with no cohesive framework: approvals tracked in spreadsheets, confirmations by email, and segregation of duties achieved by accident rather than design. This organic approach leaves gaps, and nobody can say with confidence where they are. The COSO framework provides the structure.

Understanding the COSO Framework

The COSO Internal Control - Integrated Framework, first published in 1992 and updated in 2013, describes five components of effective internal control. Control environment sets the tone at the top - whether management and the board genuinely care about controls. Risk assessment means identifying what could go wrong and prioritising those risks. Control activities are the controls themselves - approvals, reconciliations, access restrictions. Information and communication means having systems and processes that tell people what is happening and what is expected of them. Monitoring means checking whether the controls are actually working.

Practical examples illustrate the framework. The control environment component includes whether the board receives accurate financial reports: a company that routinely receives financial reports with errors and does nothing about it has a weak control environment. Risk assessment involves asking what happens if a key supplier goes out of business or if you lose access to critical systems; a risk register that sits in a spreadsheet nobody reads is not a real assessment. Control activities include requiring two people to sign off on transactions over a certain value, or matching supplier invoices against purchase orders and goods received before paying. Information and communication means ensuring staff understand what they are supposed to be doing - if nobody knows the approval limit for their level, the control isn't working. Monitoring includes monthly management meetings that actually review whether transactions are happening as expected.

Common Control Weaknesses

When auditors assess internal controls in UK organisations, certain patterns emerge repeatedly. Segregation of duties is weak: one person can request, approve, and record a transaction, so the same person can both commit a fraud and conceal it. This happens most often in smaller organisations where people wear multiple hats, but it also happens in larger organisations where systems and roles were not designed carefully.

Compensating controls don't exist. If you can't segregate duties, the alternative is to have someone independent of the process review the transactions regularly. Many organisations do neither - they acknowledge the weakness but take no action to mitigate it.

Authorisation limits aren't followed. There's a policy saying someone can only approve up to £10,000, yet they regularly approve £15,000 transactions. Nobody checks, so it continues.

Reconciliations don't happen regularly. A bank account goes unreconciled for months. Inventory records aren't checked against physical stock. Errors and fraud can therefore go undetected indefinitely.

Exception reporting is missing. If you process 500 transactions and 10 of them are unusual - perhaps transfers to suppliers not normally used, or amounts out of line with a supplier's history - someone needs to look at those 10. Many organisations process all 500 the same way and nobody looks at any of them.

Access controls are inadequate. People have access to systems and data they don't need for their job; someone in payroll can modify the general ledger. This is usually a system design or provisioning issue rather than anything deliberate, but it is a control weakness all the same: access should follow least privilege, and it should be reviewed whenever people change role or leave.
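One way to detect exactly this kind of weakness is a periodic user-access review that compares what the system says people can do against what their role says they should be able to do. The following is an added example, not code from this page or from any audit firm: it runs over a constructed HR roster, a constructed entitlement export from a finance system and a constructed access change log, and the role matrix, the conflicting-entitlement pairs and all user and entitlement names are assumptions made for the illustration. It flags leavers with live access, accounts with no HR record, entitlements outside the user's role, the payroll-plus-general-ledger combination described above, and grants that appear in the current export with no matching change-log entry.

```python
"""Added example (not from the page): a user-access review over constructed
data. The roster, entitlement exports, change log, role matrix and conflict
pairs below are all assumptions made for illustration."""
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]          # (user, finding type, detail)

# Constructed HR roster: user -> (department, still employed?)
HR_ROSTER = {
    "alice": ("payroll", True),
    "bob": ("finance", True),
    "carol": ("it", True),
    "dave": ("payroll", False),          # leaver who should have no access
}

# Constructed entitlement exports taken last month and today
PREVIOUS_ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payroll.write"},
    "bob": {"gl.write", "ap.approve"},
    "carol": {"admin.useradmin"},
    "dave": {"payroll.read"},
}
CURRENT_ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payroll.write", "gl.write"},  # payroll user who can post to the GL
    "bob": {"gl.write", "ap.approve"},
    "carol": {"admin.useradmin"},
    "dave": {"payroll.read"},                # leaver with live access
    "erin": {"gl.read"},                     # account with no HR record
}

# Constructed access change log: (user, action, entitlement, changed_by)
CHANGE_LOG = [
    ("alice", "grant", "gl.write", "carol"),
    # no entry for erin's gl.read: that grant was made outside the process
]

# Assumed role matrix: entitlements each department legitimately needs
ROLE_MATRIX = {
    "payroll": {"payroll.read", "payroll.write"},
    "finance": {"gl.read", "gl.write", "ap.approve"},
    "it": {"admin.useradmin"},
}

# Assumed segregation-of-duties conflicts: no single user should hold both
TOXIC_PAIRS = [("payroll.write", "gl.write"), ("ap.request", "ap.approve")]


def review_access(roster, entitlements, role_matrix, toxic_pairs) -> List[Finding]:
    """Compare live entitlements against HR status and the role matrix."""
    findings: List[Finding] = []
    for user in sorted(entitlements):
        ents = entitlements[user]
        if user not in roster:
            findings.append((user, "unknown_user", ",".join(sorted(ents))))
            continue
        dept, active = roster[user]
        if not active:
            findings.append((user, "leaver_active", ",".join(sorted(ents))))
            continue
        # Anything beyond the department's role needs is excess access
        for ent in sorted(ents - role_matrix.get(dept, set())):
            findings.append((user, "excess_entitlement", ent))
        # Conflicting combinations are flagged even if each half is in-role
        for a, b in toxic_pairs:
            if a in ents and b in ents:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
    return findings


def unlogged_grants(previous, current, change_log) -> List[Finding]:
    """Entitlements that appeared between two exports with no logged grant."""
    logged = {(u, e) for (u, action, e, _by) in change_log if action == "grant"}
    findings: List[Finding] = []
    for user in sorted(current):
        for ent in sorted(current[user] - previous.get(user, set())):
            if (user, ent) not in logged:
                findings.append((user, "unlogged_grant", ent))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, CURRENT_ENTITLEMENTS, ROLE_MATRIX, TOXIC_PAIRS):
        print(*f)
    for f in unlogged_grants(PREVIOUS_ENTITLEMENTS, CURRENT_ENTITLEMENTS, CHANGE_LOG):
        print(*f)
```

In practice the two exports come from the system's own user-administration report and the roster from the HR feed; the toxic-pair list is where the organisation's segregation-of-duties rules live, and it is the part most worth agreeing with finance before the review runs.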

Testing Internal Controls

An internal controls audit involves testing whether controls are actually working. For a payment control, this means taking a sample of payments and checking whether each one followed the process. Did someone approve it? Was the approver at the right authority level? Was a purchase order checked? Did the invoice match the goods received? For an IT control, it means checking whether access changes are logged, whether the people who should have access have it, and whether the people who shouldn't have access don't.

Testing often reveals that controls exist in policy but don't work in practice. An organisation has a policy requiring two approvals for high-value transactions, but testing shows that several recent transactions above the threshold received only one approval. Either the control environment isn't strong enough to enforce the policy, or the policy isn't clearly communicated, or management doesn't really care about it.
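The payment tests described above, together with the authorisation-limit, segregation-of-duties and exception-reporting weaknesses listed earlier, can be run as one script over a sample of payments. The following is an added example and not code from this page: every payment, purchase order, goods-received note and supplier in it is constructed for the illustration, and the role limits, the £10,000 dual-approval threshold, the supplier profile and the names of the exception codes are assumptions rather than any organisation's actual policy. Each payment gets a list of exceptions; a clean payment gets an empty list, and the closing count is the figure an auditor would put in the report.

```python
"""Added example (not from the page): detective control tests over a
constructed sample of supplier payments. Limits, threshold, roles, ledger
entries and supplier profile are all assumptions made for illustration."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

# Assumed authorisation limits per role (GBP); a role absent here cannot approve
APPROVAL_LIMITS = {"supervisor": Decimal("5000"),
                   "manager": Decimal("10000"),
                   "director": Decimal("100000")}
DUAL_APPROVAL_THRESHOLD = Decimal("10000")   # assumed policy threshold

# Constructed staff roles
ROLES = {"bob": "manager", "erin": "supervisor",
         "frank": "director", "henry": "director", "grace": "clerk"}

# Constructed purchase ledger: PO ref -> PO value, plus POs with a goods-received note
PURCHASE_ORDERS = {"PO1": Decimal("4000"), "PO2": Decimal("15000"),
                   "PO3": Decimal("8000"), "PO5": Decimal("30000"),
                   "PO6": Decimal("6000")}
GOODS_RECEIVED = {"PO1", "PO2", "PO3", "PO5"}

# Constructed supplier profile: typical payment size for suppliers normally used
SUPPLIER_PROFILE = {"ACME LTD": Decimal("5000"),
                    "OFFICE SUPPLIES CO": Decimal("1000")}


@dataclass
class Payment:
    ref: str
    supplier: str
    amount: Decimal
    requested_by: str
    approved_by: List[str]
    recorded_by: str
    po_ref: Optional[str]


# Constructed sample of payments drawn for testing
SAMPLE = [
    Payment("P1", "ACME LTD", Decimal("4000"), "alice", ["bob"], "dave", "PO1"),
    Payment("P2", "ACME LTD", Decimal("15000"), "alice", ["bob"], "dave", "PO2"),
    Payment("P3", "ACME LTD", Decimal("8000"), "bob", ["bob"], "bob", "PO3"),
    Payment("P4", "NEWCO LTD", Decimal("2500"), "alice", ["erin"], "dave", None),
    Payment("P5", "OFFICE SUPPLIES CO", Decimal("30000"), "alice",
            ["frank", "henry"], "dave", "PO5"),
    Payment("P6", "ACME LTD", Decimal("6500"), "alice", ["grace"], "dave", "PO6"),
]


def check_payment(p: Payment) -> List[str]:
    """Return the control exceptions for one payment (empty list = clean)."""
    ex: List[str] = []
    # Authorisation limits: every approver must hold a limit covering the amount
    for approver in p.approved_by:
        limit = APPROVAL_LIMITS.get(ROLES.get(approver, ""))
        if limit is None:
            ex.append("no_approval_authority")
        elif p.amount > limit:
            ex.append("approver_over_limit")
    # Dual approval above the threshold, by two distinct people
    if p.amount > DUAL_APPROVAL_THRESHOLD and len(set(p.approved_by)) < 2:
        ex.append("second_approval_missing")
    # Segregation of duties: request, approve and record must be different hands
    if p.requested_by in p.approved_by:
        ex.append("sod_requester_approved")
    if p.recorded_by in p.approved_by or p.recorded_by == p.requested_by:
        ex.append("sod_recorder_not_independent")
    # Three-way match: PO exists, goods were received, invoice agrees to the PO
    po_value = PURCHASE_ORDERS.get(p.po_ref) if p.po_ref else None
    if po_value is None:
        ex.append("po_missing")
    else:
        if p.po_ref not in GOODS_RECEIVED:
            ex.append("grn_missing")
        if p.amount != po_value:
            ex.append("amount_not_matching_po")
    # Exception reporting: unfamiliar supplier, or amount far above its norm
    typical = SUPPLIER_PROFILE.get(p.supplier)
    if typical is None:
        ex.append("unknown_supplier")
    elif p.amount > typical * 3:
        ex.append("unusual_amount")
    return ex


def check_sample(sample: List[Payment]) -> Dict[str, List[str]]:
    return {p.ref: check_payment(p) for p in sample}


def count_with_exceptions(results: Dict[str, List[str]]) -> int:
    return sum(1 for ex in results.values() if ex)


if __name__ == "__main__":
    results = check_sample(SAMPLE)
    for ref, ex in results.items():
        print(f"{ref}: {'clean' if not ex else ', '.join(ex)}")
    print(f"{count_with_exceptions(results)} of {len(results)} payments had exceptions")
```

The value of running the tests this way is that the same script can be pointed at a full month's payments rather than a sample, which turns a one-off audit test into the automated exception report the earlier section says most organisations lack. The exception codes are deliberately specific: "one approval where two were required" and "approver over their limit" point to different root causes and different fixes.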

Testing can also show that compensating controls are working. An organisation can't segregate duties in a certain area because of system limitations, but as a compensating control the finance manager reviews all transactions in that area weekly. Testing shows that this review does catch errors and unusual items. The compensating control is effective even if it isn't the ideal control structure.

Building a Sustainable Control Framework

Organisations starting to formalise internal controls often find they need to make choices about where to invest resources. You can't put compensating controls everywhere. You can't test thousands of transactions monthly. The COSO framework and risk assessment help prioritise.

High-risk areas get strong controls and regular monitoring. A payment system that processes millions annually gets segregation of duties, automated exceptions reporting, and monthly reconciliation. Payroll, which is often a target for fraud and mistakes, gets regular review. Inventory in retail, which is easy to steal, gets regular physical counts.

Medium-risk areas get reasonable controls. A low-volume internal transfer system might rely on compensating controls - one person can make the transfer but another reviews them monthly. Low-risk areas might have minimal controls beyond basic system access.

Systems should enforce controls where possible. If your accounting system can require two approvals for transactions above £10,000 and prevent anyone below a certain level from approving anything, enforcing the rule in the system is better than hoping people follow the policy. Many organisations, however, use systems that allow exceptions or overrides, which means they are relying on the control environment instead. Where an override is permitted, the override itself should be logged and included in the regular review; an override nobody sees is no different from having no limit at all.

Documenting the framework isn't just bureaucracy. When controls matter - after a fraud attempt, when regulators ask questions, or when management wants to understand its risk - organisations that have documented their control framework can demonstrate they've thought about it carefully. Organisations whose controls exist only in people's heads can't demonstrate anything.

Copyright 2026 AuditWorld ©  All Rights Reserved