In the mid-1980s, the National Commission on Fraudulent Financial Reporting was formed as a response to growing U.S. financial crises and the cry for governmental oversight of accounting and audit practices. This independent private-sector consortium was more commonly referred to as the Treadway Commission because it was headed by James C. Treadway, Jr., executive vice president and general counsel at Paine Webber Incorporated and a former commissioner of the U.S. Securities and Exchange Commission. In its initial 1987 report, the group recommended that the organizations sponsoring the commission work together to develop comprehensive guidelines for internal control. Hence the Committee of Sponsoring Organizations (COSO) was formed by the five (5) major professional associations in the United States:

  • American Institute of Certified Public Accountants (AICPA)

  • American Accounting Association (AAA)

  • Financial Executives Institute (FEI)

  • Institute of Internal Auditors (IIA)

  • Institute of Management Accountants (IMA)

The commission is wholly independent of each of the sponsoring organizations and contains representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

COSO published the first formalized guidelines for internal controls, Internal Control-Integrated Framework, in 1992. This publication established a common definition for internal control and a framework against which organizations can assess and improve their control systems. In 1994, COSO's work was endorsed by the head of the General Accounting Office (GAO) of the U.S. Congress. These voluntary industry guidelines were intended to help public companies become self-regulating and thus avoid the need for governmental regulation of the accounting and auditing industries.

In 2001, COSO began its second major initiative, aimed at expanding its previous work on internal controls to address the growing emphasis on risk management. At about the same time, the United States was barraged with the sensational failures of Enron, Tyco, Global Crossing, Kmart, Adelphia, Worldcom, HealthSouth, and many others. The U.S. government quickly enacted the Sarbanes-Oxley Act of 2002 to mandate that internal controls be audited along with financial statements (as discussed in more detail in Chapter 14). On the heels of all this high-profile activity, in 2004 COSO published Enterprise Risk Management-Integrated Framework. This second document provided a more comprehensive framework for identifying, assessing, and managing risk.

The COSO works are commonly accepted today in the United States as the cornerstones of modern internal control and enterprise risk-management practices. COSO revolutionized the accounting and auditing professions by establishing a common definition for internal control, enterprise risk management, and some fundamental concepts.

COSO Definition of Internal Control

Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations

  • Reliability of financial reporting

  • Compliance with applicable laws and regulations

Key Concepts of Internal Control

The following are key concepts of internal control according to COSO:

  • Internal control is a process. It is a means to an end, not an end in itself.

  • Internal control is affected by people. It's not merely policy manuals and forms, but people at every level of an organization.

  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Internal Control-Integrated Framework

The Internal Control-Integrated Framework publication introduced what is now a well-known graphic: the COSO cube (Figure 13-1).

Figure 13-1: COSO cube.

As explained by COSO, internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the company's management process. Although the components apply to all entities, small and midsize companies may implement them differently than large ones. Their controls may be less formal and less structured, yet a small company still can have effective internal control. The components are

  • Control environment

  • Risk assessment

  • Control activities

  • Information and communication

  • Monitoring

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control-environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Control Activities

Control activities are the policies and procedures that help to ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks and thus achieve the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Information and Communication

According to COSO, pertinent information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary to informed business decision making and external reporting.

Effective communication also must occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

Component Relationships

There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. "Built in" controls support quality and empowerment initiatives, avoiding unnecessary costs and enabling quick response to changing conditions.

There is a direct relationship between the three categories of objectives (described in the COSO definition of internal control), which are what an entity strives to achieve, and the components, which represent what is needed to achieve those objectives. All components are relevant to each objective category. When looking at any one category (the effectiveness and efficiency of operations, for instance), all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition, with its underlying fundamental concepts of a process, affected by people, providing reasonable assurance, together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitutes this internal control framework.

Enterprise Risk Management-Integrated Framework

COSO published Enterprise Risk Management-Integrated Framework in 2004 to provide companies with a benchmark for managing risk within their organizations.

COSO Definition of Enterprise Risk Management

Enterprise risk management is a process, affected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise and designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This definition reflects certain fundamental concepts. Enterprise risk management is

  • A process, ongoing and flowing through an entity

  • Affected by people at every level of an organization

  • Applied in strategy setting

  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

  • Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

  • Able to provide reasonable assurance to an entity's management and board of directors

  • Geared to achievement of objectives in one or more separate but overlapping categories

Enterprise Risk Management-Integrated Framework Concepts

In the publication Enterprise Risk Management-Integrated Framework, the original COSO cube was expanded, as illustrated in Figure 13-2.

Figure 13-2: Expanded COSO cube.

This enterprise risk-management framework is geared to achieving an entity's objectives, set forth in four categories:

  • Strategic: high-level goals, aligned with and supporting its mission

  • Operations: effective and efficient use of its resources

  • Reporting: reliability of reporting

  • Compliance: compliance with applicable laws and regulations

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are

  • Internal environment

  • Objective setting

  • Event identification

  • Risk assessment

  • Risk response

  • Control activities

  • Information and communication

  • Monitoring

Internal Environment The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people. It includes the risk-management philosophy and the entity's risk appetite, integrity, and ethical values.

Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its appetite for risk.

Event Identification Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk Response Management selects risk responses (avoiding, accepting, reducing, or sharing), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities Policies and procedures are established and implemented to help ensure that the risk responses are carried out effectively.

Information and Communication Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Relationship between Internal Control and Enterprise Risk-Management Publications

Because Internal Control-Integrated Framework has stood the test of time and is the basis for existing rules, regulations, and laws, the document remains in place as the definition of and framework for internal control. At the same time, internal control is an integral part of enterprise risk management. The entirety of the Internal Control-Integrated Framework is incorporated by reference into the publication Enterprise Risk Management-Integrated Framework. The enterprise risk-management framework incorporates internal control, forming an additional conceptualization and tool for management.

The Impact of COSO

The far-reaching principles outlined in the landmark COSO documents are gradually being implemented across the United States in publicly held corporations. COSO is the only framework for internal control mentioned by the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) as a framework for internal control[*].


COSO is specifically referenced by the SEC in its guidance to companies for implementing the provisions of the Sarbanes-Oxley Act.

The PCAOB is the agency within the SEC that was created by the Sarbanes-Oxley Act of 2002 to oversee the accounting processes used by publicly held corporations. This is discussed in more detail in Chapter 14. In Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," the PCAOB specifically references COSO.

In providing guidance related to the Sarbanes-Oxley Act, Audit Standard No. 2 states, "Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework. The COSO report known as Internal Control-Integrated Framework provides a suitable and available framework for purposes of management's assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework."

COSO principles are also making their way into governmental agencies, private companies, non-profit organizations, and additional entities around the globe. Stakeholders are recognizing that good practices for public companies are often good practices for them as well.

COSO's Effect on IT Controls


COSO introduces the concept of controls over information systems.

In Internal Control-Integrated Framework, COSO states that, due to widespread reliance on information systems, controls are needed over significant systems. It classifies information systems control activities into two broad groupings. The first is general computer controls, which include controls over IT management, IT infrastructure, security management, and software acquisition, development, and maintenance. These controls apply to all systems, from mainframe to client-server to desktop computer environments.

The second grouping is application controls, which include computerized steps within application software to control the technology application. Combined with other manual process controls where necessary, these controls ensure completeness, accuracy, and validity of information.

[*]Copyright © 1992/2004 by the Committee of Sponsoring Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized copyright administrator for COSO.

