Ali Hasany

Internal Auditing with Internal Control Frameworks: COSO, ISO, and COBIT

Updated: Mar 1

When describing and evaluating a control environment, internal auditors rely on internal control frameworks.

Because so many frameworks are available, management is often confused about, or reluctant to decide, which one to use in a given circumstance.

In my own experience, the most common internal control frameworks I have seen in my career are these three:

  • COSO

  • ISO

  • COBIT

All three are popular control frameworks: management uses them for control purposes, and internal auditors use them as the criteria for auditing.

Figure: Internal control frameworks - COSO, ISO and COBIT

Before we move further, let us look at what an internal control framework is.

What Is an Internal Control Framework?

An internal control framework is a well-structured manual that groups and classifies anticipated controls or control subjects.

Companies develop internal control frameworks for broad purposes, typically modelled on the COSO internal control framework.

Similarly, the COBIT IT control framework is specialized for IT-related control activities.

Management creates internal control procedures using these frameworks as a starting point. By doing this, the business is better able to build control methods that maximize value while avoiding risk.

Let's learn about them one by one.

COSO Internal Control Framework

The most commonly used internal control framework is the COSO framework. It was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and is used by businesses mainly to manage an effective and efficient financial statement control environment.

It has five components that divide into 17 principles. The principles are further broken down into 87 areas of emphasis to give managers specific guidance when establishing or documenting the internal controls used for risk management and audit risk assessments.

Figure: Components of the COSO internal control framework

ISO Framework

The International Standards Organization publishes ISO standards on a wide variety of topics.

The ISO control framework most commonly used by internal auditors is ISO 27001, which covers information security and information security management as an operational internal control framework.

It is divided into 14 domains. These domains are further broken down into 114 controls covering information security and its management for the whole organization.

Figure: The 14 domains of ISO 27001:2013

COBIT Framework

COBIT is the best-known example of an IT control framework used in IT audits.

COBIT (Control Objectives for Information and Related Technology) framework was created for IT governance and management and is owned by ISACA (Information Systems Audit and Control Association).

COBIT is described as a framework that aggregates guidance developed by subject-matter experts.

As an integrated internal control framework it cross-references many other well-known IT frameworks, making it an IT governance framework that addresses the risk of the IT side of the business as a whole.

Figure: Structure of COBIT 2019 (source: ISACA)

Now let's learn how to audit using these internal control frameworks.

How to Audit with an Internal Control Framework?

When approaching a control audit, there are six common steps to follow. These six steps guide the team through the process regardless of the framework.

Step 1: Confirm the framework.

Auditing using a control framework begins with validating that management picked the framework that best supports the company's objectives.

Be aware that management, not internal audit, chooses and implements the framework.

A common internal control framework, such as the COSO internal control framework or the COBIT IT control framework, may still be used if there is no framework in place.

The result of this approach is a set of recommendations for assessing the internal control environment and implementing controls appropriately.

Step 2: Align internal controls.

The next step is control mapping. In this step, auditors align the organization’s internal controls to the expected controls in the framework.

In the ideal scenario, management would have already conducted the control alignment exercise before the audit, but this is frequently not the case.

Step 3: Perform a gap analysis.

The outcome from the control alignment is a listing of internal controls compared to the expected controls.

For the design test, auditors identify missing controls and poorly designed controls as gaps in the internal control environment.

Step 4: Gather action plans and note any flaws in the control design.

Audit discusses the gaps with management, who then put corrective action plans into place to close the exposure.

A timing issue will generally occur at this point. The audit team will move into testing while management designs new controls.

Step 5: Test control effectiveness and gather action plans.

The next step is the control effectiveness testing, which is the area where auditors are most comfortable and experienced.

Step 6: Monitor mitigation activity.

After testing is complete, the final step is to monitor progress on management’s corrective action plans.

The corrective action plans could be time-sensitive depending on the use case for the framework.
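The six steps above map naturally onto a small gap-analysis and follow-up tracker. The code below is an added illustration, not part of the original post or of any framework: the framework control IDs, organisation control IDs and dates are constructed sample data, and the functions implement Step 3 (design gaps), Step 5 (effectiveness failures) and Step 6 (monitoring action plans).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of one framework domain; IDs are hypothetical, not from COSO/ISO/COBIT
FRAMEWORK_CONTROLS = {
    "AC-1": "Access control policy",
    "AC-2": "User access provisioning",
    "AC-3": "Privileged access management",
    "AC-4": "Periodic access review",
}

@dataclass
class OrgControl:
    control_id: str        # the organisation's own identifier
    maps_to: str           # framework control it aligns to (Step 2)
    design_adequate: bool  # outcome of the design test (Step 3)
    operating_effective: Optional[bool] = None  # Step 5 result; None = not yet tested

@dataclass
class ActionPlan:
    framework_id: str      # the gap this plan closes
    due: str               # ISO date agreed with management (Step 4)
    closed: bool = False

def gap_analysis(expected, org_controls):
    """Step 3: missing = no control mapped; poorly designed = mapped but failed design test."""
    mapped = {c.maps_to: c for c in org_controls}
    missing = sorted(cid for cid in expected if cid not in mapped)
    poor = sorted(cid for cid, c in mapped.items() if cid in expected and not c.design_adequate)
    return {"missing": missing, "poorly_designed": poor}

def ineffective_controls(org_controls):
    """Step 5: adequately designed controls that failed operating-effectiveness testing."""
    return sorted(c.maps_to for c in org_controls
                  if c.design_adequate and c.operating_effective is False)

def overdue_plans(plans, today):
    """Step 6: open corrective action plans whose due date has passed."""
    now = date.fromisoformat(today)
    return sorted(p.framework_id for p in plans
                  if not p.closed and date.fromisoformat(p.due) < now)

ORG_CONTROLS = [  # constructed sample of the organisation's mapped controls
    OrgControl("POL-01", "AC-1", True, True),
    OrgControl("IAM-07", "AC-2", False),        # no approval step: design gap
    OrgControl("IAM-09", "AC-3", True, False),  # well designed, failed testing
]
PLANS = [ActionPlan("AC-2", "2024-03-31"), ActionPlan("AC-4", "2024-06-30")]
```

Calling `gap_analysis(FRAMEWORK_CONTROLS, ORG_CONTROLS)` reports AC-4 as missing and AC-2 as poorly designed, while `overdue_plans(PLANS, "2024-05-01")` flags the AC-2 plan that has slipped past its agreed date.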

Thanks for reading...

P.S. If you want to download these frameworks, let me know in the comments or apply through my contact form.
