Let’s be honest: the COSO Internal Control Framework is the kale salad of the audit world. We all know it’s good for us and nod approvingly when someone talks about it. But deep down, do we crave it? No. We crave pepperoni pizza!
But the kale salad makes us strong. And COSO (retitled by the GAO as Standards for Internal Control in the Federal Government and nicknamed The Green Book) makes our internal controls strong. Or at least gives us something intelligent-sounding to say during meetings that probably should’ve been emails.
So today, let’s take an irreverent walk through the five COSO components and the 17 underlying principles, with the kind of humor only audit professionals can appreciate. Maybe, just maybe, this will help these 17 principles stick in our minds once and for all.
(If you’re a non-auditor reading this… bless your little heart. Truly.)

1. Control Environment
Basically, the Control Environment is the organizational vibe. Does anyone care about quality, excellence, and following the rules? Leadership either sets the bar high or lights it on fire.
Control Environment sets the stage and determines whether employees feel empowered or trapped. It determines whether key players in an organization say, “Oh good, controls.” or “Oh no! Controls!”
Control Environment has five (5!) underlying principles:
Principle 1: Demonstrate integrity and ethical values.
Translation: Leadership should not behave like villains in a soap opera. No bribery, no secret yachts, no expense-report ‘creativity.’ Leadership sets the tone at the top and can ruin a good vibe with their bad behavior.
Principle 2: Exercise oversight responsibility.
Boards must actually oversee things. Not ‘rubber stamp’ or just ‘skim and nod.’ Real oversight. Specifically, that means reading stuff.
Principle 3: Establish structure, authority, and responsibility.
Job descriptions should be more than three bullet points scribbled on a sticky note.
Principle 4: Demonstrate commitment to competence.
This is the part where we pretend annual performance reviews aren’t just recycled comments from last year. Under GAGAS, auditors must demonstrate a commitment to competence by earning 80 hours of CPE every two years. But how do the rest of the professionals in the office demonstrate they are the best in their fields?
Principle 5: Enforce accountability.
Holding people accountable means more than sending them a strongly worded email with the subject line, “Gentle Reminder #14.” It could mean letting them go. Yes, I know it’s very difficult to fire a bad employee in government. But if you don’t act, low-performance poison could corrupt your whole organization, and those sorts of messes are hard to clean up.
2. Risk Assessment
Risk Assessment is the pessimistic-but-helpful friend we all need. It points out every possible way a plan could collapse, but in a way that actually prevents disaster. For this component, channel your inner doomsday prepper, but in a professional, non-tinfoil-hat way.
The Green Book gives us four principles here:
Principle 6: Specify the organization’s objectives.
You can’t assess risks if you don’t know what you’re trying to do. Getting the entire team to agree on this is harder than it sounds! Once you start asking everyone what they wish to accomplish, I guarantee you will hear diverse answers that don’t align with each other.
Principle 7: Identify and analyze risks.
Brainstorm everything that could sink the ship. But try not to traumatize the interns.
Principle 8: Assess fraud risk, improper payment, and information security risk.
Here, the Green Book wants to make sure you factor fraud, improper payments, and tech risk into your analysis. Improper payments and information security risks are new in 2025.
Principle 9: Identify and analyze significant change.
New system, new law, new folks? The Risk Assessment should be a living document that periodically and formally takes change into account. Change is the only constant.
3. Control Activities
Control Activities are where internal control gets its hands dirty. This is the action component forcing managers to ask, “Do we really have to initial this?” Yes, Steve. Yes, you do.
The Green Book says we need four principles here.
Principle 10: Select and develop control activities.
Pick controls that actually work. If your control is ‘trust me,’ that is not a control, just wishful thinking. Table 1 on page 63 of the Green Book features a fabulous list of possible controls and includes perennial auditor favorites like approval and segregation of duties.
Principle 11: Select and develop general controls over technology.
Your password cannot be ‘Password123.’
MFA, unfortunately, is not a suggestion.
And no, we cannot circumvent system access rules because ‘the system is being fussy.’
Principle 12: Deploy control activities through policies and procedures.
Policies must be written down, preferably in English, and somewhere people can find them. They should not be in a personal Dropbox folder named ‘Old Stuff Do Not Use FINAL v3.’
4. Information and Communication
This is the component that alerts, informs, and occasionally frustrates people. “I never knew that was a policy!” says every employee, everywhere. Information and Communication tells the right people the right stuff at the right time. COSO says:
Principle 13: Use relevant, quality information.
Garbage in = garbage out.
Quality information means complete, timely, accurate, and not pulled from six-year-old spreadsheets someone keeps ‘just in case.’
Principle 14: Communicate internally.
Tell people what they need to know. No Morse code, no smoke signals, and no sending critical policy updates via a newsletter that everyone deletes.
Principle 15: Communicate externally.
GAGAS encourages transparency in government so that public officials are held accountable for their actions. Here, management considers what to communicate with the outside world and how. What information do we share with vendors, regulators, and citizens?
5. Monitoring Activities
Here you verify whether the controls you designed are still alive and working, or whether they ran away. So, all of the controls you built in the first four components must undergo a wellness check.
Two principles here:
Principle 16: Conduct ongoing and/or separate evaluations.
You can monitor controls daily, quarterly, or annually. Just do something besides hoping for the best. This can be done by someone inside the control structure or by an independent party. And as auditors know only too well, independent parties are more objective and trustworthy.
Principle 17: Evaluate and communicate deficiencies.
If something’s broken, fix it.
If you can’t fix it, escalate it.
If you can’t escalate it… well, at least document it like your career depends on it.
Why do we care about COSO and the Green Book anyway?
Because COSO is the grand unifying theory of internal control. It’s the kale salad of audit frameworks: the thing everyone says they love, a few people actually grasp, and many people reference just to sound healthy and responsible.
COSO helps organizations:
- Reduce fraud
- Improve compliance
- Strengthen financial reporting
- Build trust
- Prevent “I didn’t know!” moments
And for auditors, COSO is our trusty sidekick… the quiet powerhouse on the plate. The kale salad we dutifully eat between glorious bites of pepperoni pizza. It may not be glamorous, but it keeps our whole system running smoothly.
Mangia!
Looking for high-quality and convenient CPE?
We have you covered! Our live webinars are a great choice if you want the learning to come to you. Just log on at the scheduled time and enjoy wherever you are! Here are a few of our upcoming courses:
- Feb 3: Session #1: Local Government Audit Academy (28 CPE hours = 18 live + 10 bonus self-study)
- Feb 4-5: Think Before You Test: Applying Critical Thinking in Audit Planning (8 CPE Hours)
- Feb 11: 2026 Tech Fest for Government Auditors (6 CPE Hours)
- Feb 18-19: Internal Controls Workshop (8 CPE Hours)
- Feb 26: Comprehensive Fraud Risk Management for Auditors (3 CPE Hours)
Need to do things at your own speed, but still get all your credits? Plan your CPE around your life, not the other way around! Yellowbook-CPE.com has dozens of self-study e-book and video courses, including the Creating a Productive Auditor & Auditee Relationship Bundle. Learn ways to smooth the auditor and auditee relationship so the auditee welcomes the auditor back year after year after year…
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: