Internal Control Systems
Internal control can be described as any action taken by an organization to help enhance the likelihood that the objectives of the organization will be achieved. This article focuses primarily on the internal control framework proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is the framework used by most companies in the United States.
An important contribution to the field of internal control for business enterprises has been provided by COSO of the National Commission on Fraudulent Financial Reporting (Treadway Commission). The Treadway Commission was created in 1987 in the wake of several major incidents of financial fraud. The sponsoring organizations include the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors. In the United States most companies with publicly traded securities have adopted the internal control framework published in 1992 by COSO.
Section 404 of the Sarbanes-Oxley Act of 2002 requires the management of public companies to issue annual internal control reports that include a statement that management is responsible for establishing and maintaining an adequate internal control structure, as well as procedures for financial reporting, and to make an assessment of the effectiveness of the internal control structure and the procedures for financial reporting. Section 404 also requires a company's independent auditor to issue a report on management's assessment of internal control. Although the Sarbanes-Oxley Act does not specifically require auditor reports on internal control to follow the COSO framework, most companies and auditors do follow this framework.
The 1992 COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations
COSO describes internal control as consisting of five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The COSO framework can be depicted by a pyramid, with control environment forming the base, while control activities, risk assessment, and monitoring activities constitute various levels of the pyramid. Information and communication link the different levels of the pyramid. As the base of the pyramid, control environment is the most important component because it sets the tone for the organization. Factors of control environment include employees' integrity, the organization's commitment to competence, management's philosophy and operating style, and the attention and direction of the board of directors and its audit committee. Control environment provides discipline and structure for the other components.
Risk assessment refers to the identification, analysis, and management of uncertainty facing the organization. Risk assessment focuses on the uncertainties in meeting the organization's financial, compliance, and operational objectives. Changes in personnel, new product lines, or rapid expansion could affect an organization's risks.
Control activities include the policies and procedures maintained by an organization to address risk-prone areas. An example of a control activity is a policy requiring approval by the board of directors for all purchases exceeding a predetermined amount. Control activities were once thought to be the most important element of internal control, but COSO suggests that control environment is more critical because control environment fosters the best actions, while control activities provide safeguards to prevent wrong actions from occurring.
Information and communication encompasses the identification, capture, and exchange of financial, operational, and compliance information in a timely manner. People within an organization who have timely, reliable information are better able to conduct, manage, and control the organization's operations.
Monitoring activities refer to the assessment of the quality of internal control. Monitoring activities provide information about potential and actual breakdowns in a control system that could make it difficult for an organization to accomplish its goals. Informal monitoring activities might include management's checking with subordinates to see if objectives are being met. A more formal monitoring activity would be an assessment of the internal control system by the organization's internal auditors.
Although the Sarbanes-Oxley Act and the Public Company Accounting Oversight Board (PCAOB) have supported the use of the 1992 COSO internal control framework with respect to internal control over financial reporting, it should be noted that the COSO framework deals with more than financial reporting. It also deals with effectiveness and efficiency of operations and compliance with applicable laws and regulations. Consequently, the COSO framework encompasses all aspects of internal control over company activities, which are ultimately the responsibility of the company's management.
In May 2013 COSO issued an updated version of Internal Control—Integrated Framework. Significant changes in rules, regulations, and standards since 1992 have placed increased demands on company management with respect to corporate governance and internal control. Reliance on technology to improve business performance, business processes, and decision making has increased dramatically. Regulators and other stakeholders have increased expectations regarding governance oversight, risk management, and the detection and prevention of fraud.
Although advances have been made to connect risk management and internal control practices, changes since 1992 have increased business risk, resulting in a need for a revised internal control framework. In the past, business managers and auditors have used the COSO framework primarily with respect to internal control over external financial reporting. Thus, the purpose of the revised framework is to increase focus on operations, non-external financial reporting, and compliance objectives, as well as to enhance usability.
The revised COSO internal control framework expands the 5 original components of the internal control structure into 17 internal control principles. These internal control principles declare what the management of the entity should do for each of the 5 components:
Control environment.
1. Demonstrate a commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establish the internal control structure, authority, and responsibility
4. Demonstrate a commitment to competence
5. Enforce accountability
Risk assessment.
6. Specify suitable objectives
7. Identify and analyze risks
8. Assess fraud risk
9. Identify and analyze significant changes in risks
Control activities.
10. Select and develop control activities
11. Select and develop general controls over technology
12. Deploy control activities through policies and procedures
Information and communication.
13. Use relevant information
14. Communicate internally
15. Communicate externally
Monitoring activities.
16. Conduct ongoing evaluations of internal control
17. Evaluate and communicate internal control deficiencies
The 17 principles of internal control can be assessed by an entity's management from a benchmarking or self-evaluation perspective. For management to conclude that its system of internal control is effective, all 5 components and 17 principles of internal control should be present and functioning as intended. Being “present” implies that a given component or principle exists in the design of an entity's system of internal control. “Functioning” means that the component or principle is operating as intended.
Effective internal control also requires that all 5 components and 17 principles operate together in an integrated manner. Management should determine if each internal control component is present and functioning and also whether any identified internal control deficiencies in the aggregate lead to a major deficiency whereby management objectives may not be achieved. The 17 principles can be used by management for evaluation purposes and by internal and external auditors to evaluate the effectiveness of internal control. It is anticipated that once the revised version of the COSO internal control framework comes into full effect, the U.S. Securities and Exchange Commission (SEC) and the PCAOB will incorporate these principles into their standards.
The original 1992 COSO framework may be used through December 15, 2014, at which time the 1992 framework will be considered superseded. During the transition period COSO and the SEC have indicated that use of the 1992 framework is acceptable. Entities using COSO's Internal Control—Integrated Framework for external reporting purposes during the transition period should clearly disclose whether they are using the 1992 or 2013 version.
Audrey A. Gramling
C. Richard Baker