Internal Accounting and Operational Control in Private Companies: A Practical Guide to the COSO Framework
- EAS LATAM
- Sep 19
- 3 min read
By Rebeca Sequeira

Internal control is much more than an accounting requirement: it is the foundation for protecting assets, reducing risks, and ensuring reliable financial information. In private companies in Costa Rica, adopting international frameworks such as COSO helps organize processes, assign responsibilities, and foster a culture of transparency and efficiency.
COSO in Simple Terms
The COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) is a widely recognized reference model for designing, implementing, and evaluating internal control in organizations.
In practice, COSO helps to:
Identify events that may affect the entity.
Manage key risks.
Align control management with the company’s strategic and financial objectives.
For example, COSO enables senior management to gain a comprehensive view of business risks and coordinate the implementation of mitigation plans. From an accounting and internal control perspective, COSO is necessary because it provides criteria to assess the effectiveness of processes and ensures reasonable assurance in financial reporting and asset safeguarding.
COSO is essential in financial control because it promotes a culture of corporate governance and proactive risk management. By integrating its five classic components (control environment, risk assessment, control activities, information and communication, and monitoring), it strengthens risk management policies and improves strategic planning, fraud prevention, and regulatory compliance.
The Five Key Components of COSO
Control Environment: ethical leadership and oversight from management.
Risk Assessment: identifying scenarios that may affect operations.
Control Activities: policies and procedures that reduce those risks.
Information and Communication: ensuring data flows clearly and on time.
Monitoring: periodically reviewing the effectiveness of controls.
Examples of Controls under COSO
Segregation of duties: the person recording an invoice should not be the same person authorizing or paying it.
Bank reconciliations: must be performed monthly and reviewed by someone other than the person executing the payments.
Purchasing controls: requiring tiered approvals on purchase orders to avoid overpricing or conflicts of interest.
Inventories: conducting periodic physical counts and comparing them with accounting records to detect discrepancies.
Digital access controls: giving each user of the accounting system an individual account (no shared logins) with permissions limited to that user's role, so that unauthorized access is prevented and every entry, approval, and payment is attributable to a specific person.
Ongoing monitoring: internal reports that flag unusual variations in expenses, revenues, or margins.
These examples show how COSO translates into concrete actions that protect the company’s assets and strengthen the quality of financial information.
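As an added illustration (example code written for this edit, not from the article, from COSO, or from any particular accounting system), the following Python script turns three of the controls above into automated checks that run over a constructed set of invoice workflow events and monthly expense figures: a role-based access check (which user may record, approve, or pay), a segregation-of-duties check (the same person must not perform two conflicting steps on one invoice), and a monitoring check that flags a month whose amount deviates from the baseline of earlier months. The user names, roles, invoice numbers, amounts, and the 25% threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (not from the article): invoice workflow events.
# Each invoice should pass through record -> approve -> pay, each step done
# by a different person. User names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"invoice": "INV-001", "step": "record",  "user": "ana"},
    {"invoice": "INV-001", "step": "approve", "user": "carlos"},
    {"invoice": "INV-001", "step": "pay",     "user": "maria"},
    {"invoice": "INV-002", "step": "record",  "user": "ana"},
    {"invoice": "INV-002", "step": "approve", "user": "ana"},     # recorded and approved by the same person
    {"invoice": "INV-002", "step": "pay",     "user": "maria"},
    {"invoice": "INV-003", "step": "record",  "user": "luis"},
    {"invoice": "INV-003", "step": "approve", "user": "carlos"},
    {"invoice": "INV-003", "step": "pay",     "user": "luis"},    # recorded and paid by the same person
]

# Assumed role assignments and which role may perform each step (preventive control).
USER_ROLES = {"ana": "clerk", "luis": "clerk", "carlos": "manager", "maria": "treasury"}
STEP_ROLES = {"record": {"clerk"}, "approve": {"manager"}, "pay": {"treasury"}}

# Pairs of steps that must never be performed by the same person on one invoice.
CONFLICTING_STEPS = {("record", "approve"), ("record", "pay"), ("approve", "pay")}


def find_unauthorized_steps(events, user_roles=USER_ROLES, step_roles=STEP_ROLES):
    """Access-control check: flag steps performed by a user whose role is not
    allowed for that step. Returns (invoice, step, user, role) tuples."""
    findings = []
    for e in events:
        role = user_roles.get(e["user"])
        if role not in step_roles.get(e["step"], set()):
            findings.append((e["invoice"], e["step"], e["user"], role))
    return findings


def find_sod_violations(events, conflicts=CONFLICTING_STEPS):
    """Segregation-of-duties check: flag a user who performed two conflicting
    steps on the same invoice. Returns (invoice, user, step_a, step_b) tuples."""
    steps_by_invoice = defaultdict(lambda: defaultdict(set))
    for e in events:
        steps_by_invoice[e["invoice"]][e["step"]].add(e["user"])
    violations = []
    for invoice, steps in sorted(steps_by_invoice.items()):
        for step_a, step_b in sorted(conflicts):
            for user in sorted(steps[step_a] & steps[step_b]):
                violations.append((invoice, user, step_a, step_b))
    return violations


# Constructed monthly expense totals per account, oldest month first (assumed figures).
SAMPLE_MONTHLY_EXPENSES = {
    "office_supplies": [1000, 1050, 980, 1020, 1010, 2400],   # spike in month 6
    "rent":            [5000, 5000, 5000, 5000, 5000, 5000],  # no variation
    "travel":          [1500, 1600, 1450, 1550, 700, 1500],   # dip in month 5
}


def flag_unusual_variations(monthly, threshold=0.25, min_history=3):
    """Monitoring check: flag a month whose amount deviates from the mean of
    all earlier months by more than `threshold` (25% by default), once at
    least `min_history` months of baseline exist. Returns
    (account, month_number, relative_deviation) tuples."""
    flags = []
    for account, amounts in monthly.items():
        for i in range(min_history, len(amounts)):
            baseline = mean(amounts[:i])
            if baseline == 0:
                continue  # no meaningful baseline to compare against
            deviation = (amounts[i] - baseline) / baseline
            if abs(deviation) > threshold:
                flags.append((account, i + 1, round(deviation, 2)))
    return flags


if __name__ == "__main__":
    for f in find_unauthorized_steps(SAMPLE_EVENTS):
        print("unauthorized step:", f)
    for v in find_sod_violations(SAMPLE_EVENTS):
        print("segregation-of-duties violation:", v)
    for f in flag_unusual_variations(SAMPLE_MONTHLY_EXPENSES):
        print("unusual variation:", f)
```

The role check is preventive (it would reject the step at the time it is attempted), while the segregation-of-duties and variation checks are detective (they run over the recorded history and produce findings for review). In a real system the same logic would read the audit log exported from the accounting application, and the threshold would be tuned per account rather than fixed at 25%.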
Comparison with Other Frameworks (COBIT and ISO 31000)
COBIT (Control Objectives for Information and Related Technology): developed by ISACA, it focuses on IT governance and management. COBIT 2019 aligns technology with business objectives and defines processes, structures, and policies to ensure IT systems deliver value and manage cyber risks.
Example: a bank may use COBIT to design security controls for its digital payment systems.
ISO 31000 – Risk Management: an international standard that provides a structured approach to identifying, evaluating, and treating risks in any organization. It emphasizes integrating risk management into all processes, adapting to specific contexts, and fostering continuous improvement.
COSO (and COSO ERM 2017): while the traditional COSO Internal Control framework focuses on internal control as a whole, COSO ERM 2017 broadens the scope to strategic enterprise risk management, organized around five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting.
Global Trends Influencing Internal Control
Digitalization and Artificial Intelligence (AI): automate reconciliations and detect anomalies in real time.
Continuous review: permanent monitoring of operations instead of annual reviews.
Cybersecurity: internal controls that protect accounting and operational information against digital attacks.
ESG (Environmental, Social and Governance): controls that validate the quality of environmental and social information alongside financial information.
Remote work and cloud systems: new policies to ensure traceability and secure access in digital environments.
The COSO framework provides private companies in Costa Rica with a practical guide to transform internal control into a driver of trust and sustainability. Beyond regulatory compliance, implementing well-designed controls allows businesses to anticipate risks, improve processes, and generate financial information that truly supports decision-making.
In a complex environment, companies that view internal control as a strategic investment—and not merely as a requirement—will be better prepared to grow with transparency and resilience.