Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal Control-Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) Internal Control–Integrated Framework defines internal control as a systematic
process of providing reasonable assurance regarding the achievement of the
company’s objectives. These objectives relate to the following aspects of internal control
namely: operating, reporting, and compliance with laws and regulations. Internal control
framework generally aims to provide effective internal control over financial reporting. It
can be applied by any type of organization regardless of its size and type.
The enterprise’s organizational structure is also embedded in the COSO Cube
including the overall company itself, its divisions, subsidiaries, operational units, or
departments that cover crucial business operations like sales, purchasing, production,
and marketing. The board of directors, management, and other personnel implement
this process and ensure that through proper communication, training, and organization,
the value of the financial output will be reasonably ensured. Most importantly, this
framework integrates five (5) essential components: control environment, risk
assessment, control activities, information and communication, and monitoring
activities.
Each of the three objectives as well as all unit and entity operations are impacted
by the control environment. It is viewed as the cornerstone for all other internal control
elements. The establishment of a disciplined control environment fosters the evaluation
of risks required for the accomplishment of the entity’s objectives and other functions of
the internal control system. The control environment consists of five principles such as
integrity and ethical values, independence and oversight of those in charge of
governance, organizational structure, recruitment and staffing of competent people, and
individual responsibilities necessary for accountability. Integrity and ethical values
highlight the value of adhering to rules and acting ethically, which should be embraced
and incorporated into all aspects of company operations. In order to conduct
independence and oversight for the internal control system, the management must be
given oversight tasks, apply pertinent skills, and act independently. Management also
creates reporting structures and delegation of authorities as part of the organizational
structure. In line with its goals, the company exhibits a dedication to attract, train,
mentor, evaluate, and retain competent personnel. Lastly, for the sake of achieving
goals, the organization holds people accountable for their internal control duties through
communication of their responsibilities. Overall, the establishment of an effective control
environment is vital in creating a strong organizational culture.
The process of identifying and evaluating the internal and external risks that
might impede the accomplishment of business objectives is known as risk assessment.
Part of the process is to determine the occurrence of those risks and reduce the level of
risk within the tolerance level. In order to properly assess risks, management must take
into account the potential effects of any modifications to both the external environment
and its own internal operating model that might compromise the effectiveness of internal
controls. An effective risk assessment process includes the following key principles:
clear objectives specified; identification of risks to the achievement of objectives,
consideration of a potential fraud, and identification and assessment of significant
changes. To allow the identification and evaluation of risks, the organization's objectives
must be sufficiently well defined. The organization must next determine which risks exist
throughout the whole institution and examine those risks to provide a framework for how
those risks should be handled. When evaluating risks to the accomplishment of goals,
the company must also take fraud into account. And lastly, the organisation must
identify and assess changes that could significantly impact the system of internal
control.
Information is important in order to fulfill its internal control obligations and assist
the accomplishment of its goals. To ensure that all of its internal controls are operating
as intended, management receives, generates, and uses pertinent information from
both internal and external sources. Moreover, communication is a continuous process of
giving, exchanging, and receiving relevant information within and outside the
organization. This internal control component is supported by three principles: provision
of information, internal communication, and external communication. Management is
required by the company to identify and specify information requirements with a high
level of depth and detail. To ensure that everyone in the company is aware of the
overall goals, their duties, and their roles, this information must be communicated.
Internal control vulnerabilities may also be assessed as a result of communication with
external parties to ensure compliance with the enterprise's policies and external laws,
rules, and standards.
Control activities are the core element in the overall internal control framework. It
is where the actions are carried out from the established policies and procedures set by
those charge with governance. These control activities may be preventive and detective
performed at all levels of an enterprise in both manual and automated activities. The
three guiding principles of control activities are: developing controls, technology
controls, and policies and procedures. As part of the developing controls, the company
chooses and creates risk-reduction strategies that help keep risks at manageable
levels. The organization then chooses and creates broad control actions over
technology to aid in the accomplishment of goals. Lastly, the management implements
control activities through policies and put these policies into action.
Lastly, to guarantee that internal control procedures continue to be efficient,
monitoring procedure is put in place. Monitoring is necessary to determine internal
control issues and address them quickly, increase the production of accurate and
reliable information, create accurate and timely financial statements, and to possess the
ability to periodically certify or claim that internal controls are effective. Monitoring
control principles are ongoing and/or separate evaluations conducted and deficiency
management. Ongoing evaluation is a call for enterprise direct supervision while
separate monitoring is an independent assessment that includes observations,
inquiries, reviews, and other examinations that ensure internal control are present and
functioning. Lastly, the organization is required to assess internal control weaknesses
and promptly inform senior management and the board of directors, if necessary, who
are in charge of taking corrective action.