CHAPTER 9

COSO Internal Control GRC Operations Controls

Going back to its original 1992 release, the COSO internal control framework was always meant to be viewed as a three-dimensional model or framework, where each cell component in any one dimension was meant to have a relationship with corresponding cells in the other two dimensions. For example, when we consider the internal control activities depicted in Exhibit 3.2, we should evaluate them in terms of the operations, reporting, and compliance controls described in the cells above them, as well as the business unit cells described on the side of the COSO framework. All too often, descriptions of the original COSO internal controls have all but ignored the other two dimensions of the COSO internal control framework and have focused on front-facing components, ranging from the control environment to monitoring activities.

In this chapter and the three that follow, we will rotate or flip the COSO internal control framework and look at internal control components from COSO’s other two dimensions. Here, we will look at the top level of the framework and its operations, reporting, and compliance controls. All three of these components highlight the governance, risk, and compliance (GRC) concepts that have become increasingly important to enterprises today. This perspective is usually ignored in other COSO internal control materials, but we feel it makes it easier to understand and use this three-dimensional internal control ...
