In the 1970s, concern over the rise in corporate bankruptcies and financial collapses
When the savings and loan industry
Since that time, other professional associations have
In the mid-1980s, the National Commission on Fraudulent Financial Reporting was
American Institute of Certified Public Accountants (AICPA)
American Accounting Association (AAA)
Financial Executives Institute (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)
The commission is
COSO published the first
In 2001, COSO
The COSO works are commonly accepted today in the United States as the
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
The following are key concepts of internal control according to COSO:
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The Internal Control-Integrated Framework publication introduced what is now a well-known graphic: the COSO cube (Figure 13-1).
Figure 13-1: COSO cube.
As explained by COSO, internal control consists of five interrelated
Information and communication
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control-environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives that should be linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives forming a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Control activities are the policies and procedures that help to ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks and thus achieve the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as
According to COSO, pertinent information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce
Effective communication also must occur in a broader sense,
Internal control systems need to be
There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. "Built in" controls support quality and empowerment initiatives, avoiding unnecessary costs and enabling quick response to changing conditions.
There is a direct relationship between the three categories of objectives (described in the COSO definition of internal control) that are what an entity strives to achieve and components that represent what is needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category-the effectiveness and efficiency of operations, for instance-all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition-with its underlying fundamental concepts of a process, affected by people, providing reasonable assurance-together with the categorization of objectives and the components and criteria for effectiveness and the associated discussions,
COSO published Enterprise Risk Management-Integrated Framework in 2004 to provide companies with a benchmark for managing risk within their organizations.
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise and designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition reflects certain fundamental concepts. Enterprise risk management is
A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
Able to provide reasonable assurance to an entity's management and board of directors
Geared to achievement of objectives in one or more separate but overlapping categories
In the publication Enterprise Risk Management-Integrated Framework, the original COSO cube was expanded, as
Figure 13-2: Expanded COSO cube.
This enterprise risk-management framework is geared to achieving an entity's objectives, set forth in four categories:
Strategic-high-level goals, aligned with and supporting its mission
Operations-effective and efficient use of its resources
Reporting-reliability of reporting
Compliance-compliance with applicable laws and regulations.
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are
Information and communication
The internal environment encompasses the tone of an organization and sets the basis for how risk is
Objectives must exist before management can identify potential events
Event Identification
Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
Risk Response
Management selects risk responses (avoiding, accepting, reducing, or sharing), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities
Policies and procedures are established and implemented to help ensure that the risk responses are carried out effectively.
Information and Communication
Relevant information is identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Because Internal Control-Integrated Framework has stood the test of time and is the basis for existing rules, regulations, and laws, the document remains in place as the definition of and framework for internal control. At the same time, internal control is an integral part of enterprise risk management. The entirety of the Internal Control-Integrated Framework is incorporated by reference into the publication Enterprise Risk Management-Integrated Framework. The enterprise risk-management framework incorporates internal control, forming an additional conceptualization and tool for management.
The far-reaching principles outlined in the landmark COSO documents are gradually being implemented across the United States in
The PCAOB is the nonprofit board created by the Sarbanes-Oxley Act of 2002, operating under SEC oversight, to oversee the audits of publicly held corporations. This is discussed in more detail in Chapter 14. In Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," the PCAOB specifically references COSO. (Auditing Standard No. 2 was superseded by Auditing Standard No. 5 in 2007, which continues to cite COSO as a suitable framework.)
In providing guidance related to the Sarbanes-Oxley Act, Auditing Standard No. 2 states, "Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework. The COSO report known as Internal Control-Integrated Framework provides a suitable and available framework for purposes of management's assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework."
Further, COSO principles are also making their way into governmental agencies, private companies, non-profit organizations, and additional entities around the globe. Stakeholders are recognizing that good practices for public companies are often good practices for them as well.
COSO introduces the concept of controls over information systems.
In Internal Control-Integrated Framework, COSO states that due to widespread
The second grouping is application controls, which include computerized steps within application software to control the technology application. Combined with other manual process controls where necessary, these controls ensure the completeness, accuracy, and validity of information.
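As an added illustration (not text or code from COSO or from this book), the following Python program shows what an application control of the kind described above looks like inside a bookkeeping application: a batch of journal entries is screened for completeness (required fields present), accuracy (well-formed amounts, debits equal credits), and validity (vendor and account codes exist in master data), and anything that fails is reported as an exception instead of being posted. The record layout, the chart of accounts, the approved-vendor list, and the sample batch are all constructed for the example.

```python
# Added example of a COSO-style application control (illustrative; not COSO's or
# the book's code). All master data and the input batch are constructed here.
from datetime import date
from decimal import Decimal, InvalidOperation

# Hypothetical master data; a real application would read this from its
# account and vendor master files.
CHART_OF_ACCOUNTS = {"1000", "2000", "5000", "6100"}
APPROVED_VENDORS = {"V-100", "V-200"}
REQUIRED_FIELDS = ("entry_id", "date", "vendor", "lines")
LINE_FIELDS = ("account", "debit", "credit")


def _money(value):
    """Parse an amount; return None unless it is a finite, non-negative number
    with at most two decimal places (so '1.005' or 'abc' are rejected)."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        return None
    if not amount.is_finite() or amount < 0:
        return None
    if amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def check_completeness(entry):
    """Completeness: every required header field is present and non-empty,
    and every line carries account, debit and credit fields."""
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS
                if entry.get(f) in (None, "", [])]
    for i, line in enumerate(entry.get("lines") or []):
        problems += [f"line {i}: missing {f}" for f in LINE_FIELDS if f not in line]
    return problems


def check_accuracy(entry):
    """Accuracy: amounts are well-formed, each line is either a debit or a
    credit, and the entry balances (total debits == total credits)."""
    problems, debits, credits = [], Decimal(0), Decimal(0)
    for i, line in enumerate(entry.get("lines") or []):
        d, c = _money(line.get("debit", 0)), _money(line.get("credit", 0))
        if d is None or c is None:
            problems.append(f"line {i}: malformed amount")
            continue
        if (d > 0) == (c > 0):
            problems.append(f"line {i}: must carry exactly one of debit or credit")
        debits, credits = debits + d, credits + c
    if not problems and debits != credits:
        problems.append(f"unbalanced: debits {debits} != credits {credits}")
    return problems


def check_validity(entry):
    """Validity: the date parses, the vendor is approved, and every account
    exists in the chart of accounts."""
    problems = []
    try:
        date.fromisoformat(str(entry.get("date", "")))
    except ValueError:
        problems.append("invalid date")
    if entry.get("vendor") not in APPROVED_VENDORS:
        problems.append(f"unapproved vendor {entry.get('vendor')!r}")
    for i, line in enumerate(entry.get("lines") or []):
        if line.get("account") not in CHART_OF_ACCOUNTS:
            problems.append(f"line {i}: unknown account {line.get('account')!r}")
    return problems


def screen_batch(entries):
    """Run all three checks on each entry. Returns (ids cleared for posting,
    {id: problems}); failing entries go to an exception report, never the ledger."""
    posted, exceptions = [], {}
    for entry in entries:
        problems = check_completeness(entry) + check_accuracy(entry) + check_validity(entry)
        key = entry.get("entry_id", "<no id>")
        if problems:
            exceptions[key] = problems
        else:
            posted.append(key)
    return posted, exceptions


# Constructed sample batch: one clean entry, one unbalanced, one incomplete/invalid.
SAMPLE_BATCH = [
    {"entry_id": "JE-1", "date": "2024-03-31", "vendor": "V-100",
     "lines": [{"account": "6100", "debit": "250.00", "credit": "0"},
               {"account": "2000", "debit": "0", "credit": "250.00"}]},
    {"entry_id": "JE-2", "date": "2024-03-31", "vendor": "V-200",
     "lines": [{"account": "5000", "debit": "99.99", "credit": "0"},
               {"account": "2000", "debit": "0", "credit": "9.99"}]},
    {"entry_id": "JE-3", "date": "", "vendor": "V-999",
     "lines": [{"account": "4242", "debit": "10.00", "credit": "0"},
               {"account": "1000", "debit": "0", "credit": "10.00"}]},
]

if __name__ == "__main__":
    posted, exceptions = screen_batch(SAMPLE_BATCH)
    print("cleared for posting:", posted)
    for entry_id, problems in exceptions.items():
        print(f"exception {entry_id}:", "; ".join(problems))
```

The point of structuring the control this way is that each of the three COSO properties is a separate, independently testable check, and the batch function never posts an entry that any check rejected; a manual process control (review of the exception report) then handles the rejects, as the paragraph above describes.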
[*] Copyright 1992/2004 by the Committee of Sponsoring Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized copyright administrator for COSO.