Internal control failures in Nigerian organisations rarely happen because a control was missing on paper. They happen because the control existed in a policy, was assumed to be operating, and had not been tested in two or three years. The discipline that closes that gap is the control self-assessment, performed against a recognised framework. The most widely adopted framework — and the one Nigerian regulators, external auditors and audit committees increasingly expect — is COSO 2013.
This article is a practical walkthrough of how to run a COSO 2013 self-assessment in a Nigerian organisation: what it is, what it is not, how to structure it, how to score it, and how to interpret the results so that the audit committee and management can act on them.
What COSO 2013 is — and is not
COSO 2013 is the COSO Internal Control – Integrated Framework, updated in 2013 from the original 1992 framework. It defines internal control through five components and 17 supporting principles. It is the framework underlying most external audit work on internal controls over financial reporting, and it is the reference frame for the NCCG's expectation that boards oversee a sound system of internal control.
It is not, in itself, a regulator. There is no "COSO Nigerian certification". The framework is a structure for thinking about and testing internal control; how you apply it is your responsibility. A self-assessment against COSO is not an audit, not an attestation, and does not produce a regulatory opinion. It is management's structured view of the design and operating effectiveness of internal control, surfaced to the audit committee.
The five components and 17 principles
A COSO 2013 self-assessment covers all five components. Each has supporting principles which must, in COSO's framing, all be "present and functioning" for internal control to be effective.
1. Control environment (5 principles)
The tone, integrity and ethical values of the organisation; board oversight; structure and authority; commitment to competence; accountability. Weakness here invalidates effectiveness in every other component — a poor control environment cannot be compensated for by strong controls elsewhere.
2. Risk assessment (4 principles)
Specification of objectives, identification and analysis of risks, assessment of fraud risk, and assessment of significant change. The fraud-risk principle was made explicit in the 2013 update and is frequently the weakest area in self-assessments.
3. Control activities (3 principles)
Selection and development of control activities, IT general controls, and deployment through policies and procedures. This is the component most people think of when they hear "internal control" — but it is one of five, not the whole.
4. Information and communication (3 principles)
Use of relevant information, internal communication, external communication. This includes the whistleblowing channel, regulator reporting and the cadence of management information.
5. Monitoring activities (2 principles)
Ongoing and separate evaluations, and evaluation and communication of deficiencies. Internal audit, control self-assessment programmes and continuous control monitoring all sit here.
Who should run it, and when
The self-assessment is owned by management — typically the CFO, supported by internal audit. It is reviewed by the audit committee. External audit may rely on the work to inform their own risk assessment, but it does not replace the external audit.
Run it at least annually, aligned to year-end. Refresh it quarterly when there has been material change — a new system, a new process, a major incident, a change in regulator expectation. A self-assessment that was last performed two years ago is, for audit committee purposes, no self-assessment at all.
How to structure the assessment
The structure that produces the most useful output in our experience is straightforward.
Step 1 — Map your processes to the COSO components
This is the step most assessments skip. Before scoring any principle, agree which of your processes and entities are in scope, and how they map to the five components. A self-assessment that covers only finance processes will give you false comfort over the rest of the organisation; a self-assessment that includes every business process at full depth will collapse under its own weight in the first cycle.
A practical scoping rule: include all processes that flow into the financial statements, plus the top five non-financial processes by risk exposure (typically information security, regulatory compliance, key operational processes, fraud risk, and HR/payroll).
Step 2 — For each principle, gather the evidence
Each principle should be supported by evidence. The exact evidence varies by principle, but the categories are consistent: documented policy, system configuration or workflow, performance records, exception logs, training records, management certifications, internal audit findings.
Capture what was reviewed alongside the score. A score with no evidence is an opinion, not an assessment.
Step 3 — Score design and operating effectiveness separately
For each principle, score two dimensions.
Design effectiveness asks: if the control operates as designed, will it prevent or detect the relevant risk? This is a question about the design of the control, not its operation.
Operating effectiveness asks: did the control operate consistently and effectively across the assessment period? This is a question about evidence of operation — sampled testing, system logs, exception reports.
A common rating scale: 1 (not present), 2 (ad hoc), 3 (documented), 4 (operating consistently), 5 (optimised and monitored). Average above 4.0 = effective; 3.0–3.9 = partially effective (remediation required); below 3.0 = ineffective (escalate).
A control can be well-designed but operate poorly (common — the policy is good, but the team does not follow it), or poorly designed but operating consistently against its own (low) standard. Scoring both separately surfaces both failure modes.
Step 4 — Identify gaps and remediation
For every principle scored below "effective", record a specific remediation action: what will be done, by whom, by when, with what priority. A gap without a tracked action is a gap that will reappear in next year's assessment.
The remediation log should be a standing item at every audit committee meeting until closed.
Step 5 — Sign off and report to the audit committee
The assessment is signed off by the assessment lead, internal audit, the CFO, the CEO, and acknowledged by the audit committee chair. The signed assessment is the working document that supports the board's confirmation of internal control effectiveness in the annual report.
What a "good" output looks like
A useful COSO self-assessment produces three artefacts.
First, a scoring summary — five component-level scores and an overall score, with a one-line conclusion (effective / partially effective / ineffective) for each.
Second, a gap and remediation log — the principles below the effectiveness threshold, the specific gap, the owner, the due date and the priority.
Third, an audit committee paper — a short narrative that does not repeat the workbook, but tells the audit committee what changed since last year, what the top three areas of concern are, and what management is doing about them. The audit committee does not need to see every score; they need to see the story.
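The scoring rules in Step 3, the gap log in Step 4 and the first two artefacts above can be reduced to a small script, which is a useful cross-check on any spreadsheet workbook. The Python below is an added example written for this article, not the Outliers toolkit's code: the principle codes (CE1 to MA2, in the same style as the article's "RA3"), the 17 sample scores and the evidence strings are constructed for illustration, and treating an average of exactly 4.0 as "effective" is an assumption, since the bands above leave that boundary unstated. It keeps design and operating scores separate, classifies each component and the overall result, lists every principle below the threshold with empty remediation fields, and flags "effective" scores that carry no evidence reference (mistake 1 in the section that follows).

```python
"""COSO 2013 self-assessment scoring. Added example, not the article's or the
Outliers toolkit's code; principle codes and sample scores are constructed."""
from dataclasses import dataclass

# The article's rating scale.
SCALE = {1: "not present", 2: "ad hoc", 3: "documented",
         4: "operating consistently", 5: "optimised and monitored"}
# Principle codes per component, in the article's "RA3" style (CE = control
# environment, RA = risk assessment, CA = control activities, IC = information
# and communication, MA = monitoring activities).
COMPONENTS = {
    "Control environment": ["CE1", "CE2", "CE3", "CE4", "CE5"],
    "Risk assessment": ["RA1", "RA2", "RA3", "RA4"],
    "Control activities": ["CA1", "CA2", "CA3"],
    "Information and communication": ["IC1", "IC2", "IC3"],
    "Monitoring activities": ["MA1", "MA2"],
}
EFFECTIVE = 4.0  # assumption: an average of exactly 4.0 counts as effective

@dataclass(frozen=True)
class PrincipleScore:
    principle: str
    design: int           # design effectiveness, 1-5
    operating: int        # operating effectiveness, 1-5
    evidence: tuple = ()  # references to what was reviewed (Step 2)

    def __post_init__(self):
        for dim in ("design", "operating"):
            if getattr(self, dim) not in SCALE:
                raise ValueError(f"{self.principle}: {dim} score must be 1-5")

def conclusion(avg):
    """Map an average to the article's three bands."""
    if avg >= EFFECTIVE:
        return "effective"
    if avg >= 3.0:
        return "partially effective"
    return "ineffective"

def _summarise(rows):
    design = sum(r.design for r in rows) / len(rows)
    operating = sum(r.operating for r in rows) / len(rows)
    return {"design": round(design, 2), "design_conclusion": conclusion(design),
            "operating": round(operating, 2), "operating_conclusion": conclusion(operating)}

def scoring_summary(scores):
    """Artefact 1: a row per component plus an overall row, with design and
    operating kept separate (the article's mistake 2 is collapsing them)."""
    by_code = {s.principle: s for s in scores}
    summary = {}
    for component, codes in COMPONENTS.items():
        missing = [c for c in codes if c not in by_code]
        if missing:  # all 17 principles must be scored, not only the convenient ones
            raise ValueError(f"{component}: unscored principles {missing}")
        summary[component] = _summarise([by_code[c] for c in codes])
    summary["Overall"] = _summarise(scores)
    return summary

def gap_log(scores):
    """Artefact 2: principles below the threshold on either dimension, with the
    Step 4 remediation fields left for management to complete."""
    gaps = []
    for s in scores:
        weak = [d for d in ("design", "operating") if getattr(s, d) < EFFECTIVE]
        if weak:
            gaps.append({"principle": s.principle, "weak_dimensions": weak,
                         "design": s.design, "operating": s.operating,
                         "action": None, "owner": None, "due": None, "priority": None})
    return gaps

def unsupported_effective(scores):
    """Mistake 1: 'effective' scores with no evidence reference behind them."""
    return [s.principle for s in scores
            if max(s.design, s.operating) >= EFFECTIVE and not s.evidence]

# Constructed sample assessment; evidence references are illustrative strings.
SAMPLE = [
    PrincipleScore("CE1", 5, 4, ("code of conduct", "annual attestations")),
    PrincipleScore("CE2", 4, 4),  # effective score, no evidence: should be flagged
    PrincipleScore("CE3", 4, 3, ("delegation of authority matrix",)),
    PrincipleScore("CE4", 4, 4, ("training records",)),
    PrincipleScore("CE5", 3, 3, ("performance appraisals",)),
    PrincipleScore("RA1", 4, 4, ("objectives register",)),
    PrincipleScore("RA2", 4, 3, ("risk register",)),
    PrincipleScore("RA3", 2, 1, ("no fraud risk assessment on file",)),
    PrincipleScore("RA4", 3, 3, ("change log",)),
    PrincipleScore("CA1", 5, 5, ("control matrix", "sample tests Q1-Q4")),
    PrincipleScore("CA2", 4, 4, ("ITGC review",)),
    PrincipleScore("CA3", 4, 4, ("policy register",)),
    PrincipleScore("IC1", 4, 4, ("management information pack",)),
    PrincipleScore("IC2", 4, 3, ("whistleblowing log",)),
    PrincipleScore("IC3", 3, 3, ("regulator correspondence",)),
    PrincipleScore("MA1", 4, 4, ("internal audit plan",)),
    PrincipleScore("MA2", 3, 2, ("deficiency tracker",)),
]

if __name__ == "__main__":
    for name, row in scoring_summary(SAMPLE).items():
        print(f"{name:30} design {row['design']:.2f} ({row['design_conclusion']}), "
              f"operating {row['operating']:.2f} ({row['operating_conclusion']})")
    print("gaps:", [g["principle"] for g in gap_log(SAMPLE)])
    print("effective without evidence:", unsupported_effective(SAMPLE))
```

On the constructed sample the control environment is effective on design (4.00) but only partially effective on operating (3.60), which is exactly the "good policy, team does not follow it" pattern Step 3 warns about, and risk assessment is ineffective on operating (2.75) because of the weak fraud-risk principle RA3. The script refuses to summarise an assessment with any of the 17 principles unscored, so a partial workbook cannot quietly produce a component score.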
The five mistakes we see most often
After reviewing many Nigerian self-assessments, the same five mistakes recur.
1. Scoring without evidence. Every principle marked "effective" without a documented evidence reference. The audit committee should challenge any "effective" score with no evidence.
2. One score where two are needed. Combining design and operating effectiveness into a single score. The two failure modes are different and require different remediation.
3. Cosmetic scoring. Inflated scores on the control environment ("our tone at the top is strong") to avoid difficult conversations. The control environment is the component most likely to be over-scored and most consequential when wrong.
4. No fraud risk assessment. Skipping or under-scoring RA3 (fraud risk). The 2013 update made fraud risk an explicit principle for a reason; it is also the area most exposed to Nigerian operating risk.
5. A workbook with no follow-through. The assessment is signed off, filed, and the gaps are not tracked. By next year, the same gaps reappear with new dates against them.
What the audit committee should ask
In reviewing the self-assessment, the audit committee should ask five questions:
- Has the scope been agreed and is it consistent with the financial statements and the top operating risks?
- For every principle scored "effective", what is the evidence?
- What has changed since last year — better, worse, unchanged?
- Where are we in remediation of last year's gaps?
- Where, in your professional judgement as CFO and internal audit lead, is our actual exposure greatest, regardless of the formal score?
The last question is the most important. The framework is structure; judgement is what makes the structure useful.
Where the Outliers COSO Self-Assessment Toolkit fits
We maintain a working self-assessment toolkit aligned to the structure above — five component tabs, 17 principle rows, an evidence prompt for each, separate design and operating scores, an automatic scoring summary, a remediation tracker and a management sign-off page. It is calibrated for Nigerian organisations and is intended to be used by management and reviewed by internal audit and the audit committee.
If you are running a COSO self-assessment for the first time, or rebuilding one that has fallen into disuse, the COSO Self-Assessment Toolkit is the fastest way to start. The broader Internal Control Centre and its resource library provide the framework guides, control matrices and audit-committee packs that surround the assessment.
Download the COSO Self-Assessment Toolkit to begin your assessment with a working structure rather than a blank document.
