

How to use COSO to assess IT controls

John White, CPA/CITP, Ph.D. | Free | AICPA | 01 May 2014 | Journal of Accountancy

Maintaining proper controls over information technology is a constant concern for businesses as they try to use technological advances to drive efficiency and growth.

Principle 11 in the updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidelines for assessing the effectiveness of controls over IT. As part of an organization’s overall assessment of internal control under the framework, Principle 11 can help CPAs manage the rapidly advancing technology their organizations are using.

This article shows the steps CPAs can follow to use Principle 11 to understand their organization’s IT system and its controls, and assess the effectiveness of those controls.

Topics covered:
  • Management accounting: Technical: Risk management & internal control: Internal control, Intermediate
  • Financial accounting & reporting: Technical: Internal control, Intermediate
  • Assurance: Technical: Audit: Internal control, Intermediate
  • IT management & assurance: Technical: IT risk & assurance services: IT controls, Intermediate

2 Comments/Reflections

Claire Martin Jan 2022

Interesting enough (short article), but quite US focussed. Flow diagram gives useful overview of steps.

Bipin Hathi Jun 2018

This is more used in the US but in my view using this COSO approach in the UK works too in order to assess IT controls within a company. Will be helpful to have this background knowledge when I get involved in projects that rely on IT.