Implementing an Internal Controls Framework

By David Cram, CPA,
Corporate Treasurer, Wycliffe International  

Internal controls are the procedures and practices we implement to help our organizations achieve their mission. They are the things we do to promote efficiency, reduce the risk of loss, help ensure our financial reports are accurate, and comply with laws and regulations. Ideally, internal controls should be risk-based, that is, focused on the areas within our organizations where things could go wrong. Historically, there has been a tendency to use a generic set of controls. That can cause us to implement procedures that we don’t need and to fail to implement controls in activities that are out of the ordinary.

All of our organizations have internal control systems. How effective they are is sometimes a question. We struggle to have sufficient staff for proper separation of duties. We have managers who, in the interest of achieving ministry objectives, override controls. We lack staff with the expertise needed in finance and accounting and in computer information systems. As a result, many of our organizations rely on our auditors to examine our internal control systems and help us improve them. But a new auditing standard is causing some changes.

Impact of Statement on Auditing Standards 112 (SAS 112)

SAS 112 is the auditing standard that is causing this change. SAS 112 established requirements for how an auditor communicates to management the internal control issues identified in an audit. Auditors aren’t required to try to identify internal control weaknesses. However, if in doing the audit the auditor becomes aware of a weakness, then SAS 112 requires the auditor to evaluate the seriousness of the problem and appropriately report it to management. 

For many organizations, that isn’t a big change. What does change is that through the use of examples, SAS 112 elevates the seriousness of some internal control weaknesses. For example, SAS 112 includes the following as examples of things that can be material weaknesses:

  1. Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.
  2. Restatement of previously issued financial statements to correct an error or fraud.
  3. The auditor finds a material misstatement in the financial statements he/she is auditing that was not initially found by the organization’s internal control system.
  4. Inadequate documentation of the components of internal control.

We are seeing a shift from the auditors telling clients what weaknesses they have, to management needing to have a system that identifies what weaknesses exist, what controls are needed, and then implements them, documents them and monitors their effectiveness. The auditors then examine the adequacy of the client’s process for doing this.

Disagreement over the Impact of SAS 112

Not all auditors agree on the impact that these SAS 112 examples have on us. One CPA firm shared the following in its newsletter:

"Some misinformation is being communicated about the new auditing standards. A number of organizations whose financial statements are audited have reported being told that they are required under these new standards to produce extensive documentation related to their internal control systems and environment. That is simply not the case."

"It is true that auditors may, in complying with the new standards, request information from their clients that they have not previously requested, but there is no requirement in the standards that organizations being audited provide or maintain extensive documentation of their internal control systems."

Another firm said almost the opposite in some of its management letters:

"Clients will be asked to provide documentation of their risk assessment and internal controls, as well as an evaluation of their effectiveness."

"Significant attention and resources must be allocated to establish, document, and maintain an effective system of internal controls, including an assessment of key risks that could have a significant effect on financial activities and reporting."

Regardless of your auditor's position on the impact of SAS 112, it is good for organizations to have systems for determining what internal controls are needed, and to implement, document, and monitor them. There is also a need for a framework to help us develop such a system. But where do we find such a framework?

COSO Framework Components

This need for an internal controls framework has led many to the COSO Framework. The COSO Framework comes from the 1992 document called Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission. It has been recognized as a good framework for internal control management for many years.

While the original COSO framework documentation was good, in 2006, the COSO committee issued additional guidance focused more on smaller companies. It is called Internal Control Over Financial Reporting – Guidance for Smaller Public Companies. It can be found at

The COSO framework has five main components. They are 1) the control environment, 2) risk assessment, 3) control activities, 4) information and communication, and 5) monitoring. 

Control environment is the tone at the top of the organization. It reflects the organization’s fundamental values and attitudes. It includes principles like:

  • The board of directors understands and exercises appropriate oversight over internal controls and financial reporting.
  • Competent people oversee the internal controls and financial reporting processes.

Risk assessment is focused on where things could go wrong in an organization. Where could transactions be missed? Could incorrect or invalid transactions get into the system? Could transaction information be lost or altered after it was recorded? Risk assessment principles are focused on evaluating programs, processes, personnel, computer systems, etc. to determine what could go wrong and how likely the problem is to occur.

Next are the control activities, which are what we do to mitigate the risks we identified. This includes the selection of appropriate controls, their documentation and their implementation. It specifically includes the design and implementation of IT controls.

COSO documents do not get specific when it comes to a framework for internal controls over IT processes.  Instead the documents point to a similar framework for managing risk and establishing controls over IT systems called Control Objectives for Information and Related Technology (COBIT). 

COBIT is structured similarly to COSO, with four domains and 34 processes. COBIT has much more detail on IT controls than COSO. For example, there is a strong section on general IT controls. These are the controls that ensure the financial information in a computer system can be relied upon. They include requirements for:

  • Data center operation controls like job setup and scheduling processes and data backup and recovery procedures
  • Controls over acquiring and maintaining software, databases, and telecommunications, and
  • Controls to prevent inappropriate and unauthorized use of the system

The IT Governance Institute in collaboration with the Information Systems Audit and Control Association produced a document called IT Control Objectives for Sarbanes-Oxley which maps the COBIT domains and processes to the five COSO components. You can obtain a free copy of this publication at

The fourth COSO component is information and communication. This component covers how we identify, capture, process and distribute information. It is basically how the right hand knows what the left hand is doing. It concerns how we accurately capture financial and control information in a timely manner and how we communicate the information to the board, management and staff so they can use it to fulfill their responsibilities.

The last component, monitoring, concerns what we do to know our internal controls systems continue to work as they should. It is what we do to evaluate the effectiveness of our controls, and communicate weaknesses so corrective action can be initiated. The COSO committee recently released a draft of additional guidance on monitoring. You can find it at

Monitoring reveals weaknesses. Addressing those weaknesses takes risk analysis. We again need to evaluate the likelihood that the problem will continue to occur and the impact of the weakness. This leads to the development of new controls or improvements in current controls, which is the control activities component. Can you see how the COSO framework is circular? Applying the COSO framework is not just a one-time activity. It is a continuous process.

Each of these main components is built upon a series of basic principles. There are 20 principles in total. The tools volume of the COSO document has a series of questions for each principle presented in matrices with columns to be used to summarize the controls that exist, and their effectiveness. 

Many of the questions in the matrices are at a high level. For example, there are seven controls listed for the financial reporting principle in the risk assessment category. They include controls like "Are the accounting principles selected appropriate in the circumstances?" and "Do the financial statements reflect the underlying transactions and events in a manner that presents the financial position, results of operations, and cash flows within a range of acceptable limits?" These statements are hard for management to answer with documentation because they are so broad.   

The COSO framework is also focused on smaller public companies, not nonprofit organizations. While many of the questions are applicable to nonprofits, missing are questions focused on some of the unique features of nonprofit accounting such as restricted and unrestricted net assets and functional expense allocation.


Many organizations are working directly with the COSO framework using the documents that come with it. Volume 4 of the COSO documents contains the matrices and questionnaires created by COSO to facilitate its implementation. They come formatted as Microsoft Word tables.

Others have developed specific software for implementing an internal control framework. One such software product is called ControlDocs. It is produced by The Cobre Group and is available from the AICPA. Cost is $960 for AICPA members, $1,200 for non-members. It is licensed for each organization producing financial statements. So for example, if you have two organizations producing financial statements with one consolidated into the other, you must purchase two licenses to cover both organizations.

This software is based on the matrices in the COSO tools volume. It shows each question in each principle with a button you can click on that leads you to a worksheet for recording your observations and documentation. You can attach documents to the worksheet as needed or just answer the questions. The platform is quite flexible. You can add and delete questions and change the layout on each screen. Training and instruction are available online.

One nonprofit organization acquired a package called Focus Software from Paisley Consulting. This package is based on a nonprofit risk model developed originally by Grant Thornton, LLP. The package comes with suggested controls in each area, like cash, donations, and payroll, to which they were able to add the additional controls they implemented. They found the package to be quite adaptable and well geared and scalable for their organization.  Also, they were able to attach policies and hyperlink in documents as they needed. Their original fee to Paisley Consulting was $1,000 per license. They pay an annual renewal fee of $160 per license. This covers annual support including telephone and email support and free upgrades. 


As Christian organizations, we want to be good stewards of the resources the Lord entrusts to us. We want to implement appropriate controls to assure these resources are appropriately used to achieve our ministries.  In the past, many of us implemented internal controls where we were most concerned that funds could be diverted. Often, these controls were implemented years ago. In some cases, implementation was a reaction to a problem that occurred. But how many of us have recently examined our current risks and determined if our internal controls are appropriate for what we are doing today? Through efforts to implement an internal controls framework like the COSO framework, we can take significant steps toward having effective and efficient internal controls. 
