COSO Internal Control - Integrated Framework

Objectives, Components, Principles and Points of Focus

DEFINITION OF INTERNAL CONTROL

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

OBJECTIVES

The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:• Operations Objectives

• Reporting Objectives

• Compliance Objectives

OPERATIONS OBJECTIVES

These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

REPORTING OBJECTIVES

These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.

COMPLIANCE OBJECTIVES

These pertain to adherence to laws and regulations to which the entity is subject.

COMPONENTS

Supporting the organization in its efforts to achieve objectives are five components of internal control:• Control Environment• Risk Assessment• Control Activities• Information and Communication• Monitoring Activities

RELATIONSHIP OF OBJECTIVES, COMPONENTS AND THE ENTITY

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube:

• The three categories of objectives are represented by the columns.

• The five components are represented by the rows.

• The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, are depicted by the third dimension of the cube.

CONTROL ENVIRONMENT• The control environment is the set of standards,

processes, and structures that provide the basis for carrying out internal control across the organization.

• The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct.

• Management reinforces expectations at the various levels of the organization.

PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT”

Principle 1. The organization demonstrates a commitment to integrity and ethical values.Points of focus:• Sets the Tone at the Top• Establishes Standards of Conduct• Evaluates Adherence to Standards of Conduct• Addresses Deviations in a Timely Manner


Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.Points of Focus:• Establishes Oversight Responsibilities• Applies Relevant Expertise• Operates Independently• Provides Oversight for the System of Internal Control


Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.Points of Focus:• Considers All Structures of the Entity• Establishes Reporting Lines• Defines, Assigns, and Limits Authorities and Responsibilities


Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.Points of Focus:• Establishes Policies and Practices• Evaluates Competence and Addresses Shortcomings• Attracts, Develops, and Retains Individuals• Plans and Prepares for Succession


Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.Points of Focus:• Enforces Accountability through Structures, Authorities, and

Responsibilities• Establishes Performance Measures, Incentives, and Rewards• Evaluates Performance Measures, Incentives, and Rewards

for Ongoing Relevance• Considers Excessive Pressures• Evaluates Performance and Rewards or Disciplines

Individuals

RISK ASSESSMENT• Risk is defined as the possibility that an event will

occur and adversely affect the achievement of objectives.

• Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

• A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity.

PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT”

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 1. Points of Focus for Operations Objectives:• Reflects Management’s Choices• Considers Tolerances for Risk• Includes Operations and Financial Performance Goals• Forms a Basis for Committing of Resources


Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.2. Points of Focus for External Financial Reporting Objectives:• Complies with Applicable Accounting Standards• Considers Materiality• Reflects Entity Activities


Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.3. Points of Focus for External Non-Financial Reporting Objectives:• Complies with Externally Established Standards and

Frameworks• Considers the Required Level of Precision• Reflects Entity Activities


Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.4. Points of Focus for Internal Reporting Objectives:• Reflects Management’s Choices• Considers the Required Level of Precision• Reflects Entity Activities


Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.5. Points of Focus for Compliance Objectives:• Reflects External Laws and Regulations• Considers Tolerances for Risk


Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.Points of Focus:• Includes Entity, Subsidiary, Division, Operating Unit, and

Functional Levels• Analyzes Internal and External Factors• Involves Appropriate Levels of Management• Estimates Significance of Risks Identified• Determines How to Respond to Risks


Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.Points of Focus:• Considers Various Types of Fraud• Assesses Incentive and Pressures• Assesses Opportunities• Assesses Attitudes and Rationalizations


Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.Points of Focus:• Assesses Changes in the External Environment• Assesses Changes in the Business Model• Assesses Changes in Leadership

CONTROL ACTIVITIES• Control activities are the actions established through policies

and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

• Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.

• Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ACTIVITIES”

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.Points of Focus:• Integrates with Risk Assessment• Considers Entity-Specific Factors• Determines Relevant Business Processes• Evaluates a Mix of Control Activity Types• Considers at What Level Activities Are Applied• Addresses Segregation of Duties


Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.Points of Focus:• Determines Dependency between the Use of Technology in

Business Processes and Technology General Controls• Establishes Relevant Technology Infrastructure Control

Activities• Establishes Relevant Security Management Process Control

Activities• Establishes Relevant Technology Acquisition, Development,

and Maintenance Process Control Activities


Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.Points of Focus:• Establishes Policies and Procedures to Support Deployment

of Management’s Directives• Establishes Responsibility and Accountability for Executing

Policies and Procedures• Performs in a Timely Manner• Takes Corrective Action• Performs Using Competent Personnel• Reassesses Policies and Procedures

INFORMATION AND COMMUNICATION• Information is necessary for the entity to carry out internal control

responsibilities to support the achievement of its objectives. • Management obtains or generates and uses relevant and quality

information from both internal and external sources to support the functioning of other components of internal control.

• Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.

• Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.

• External communication is twofold: – it enables inbound communication of relevant external information

and – provides information to external parties in response to requirements

and expectations.

PRINCIPLES AND POINTS OF FOCUS OF THE “INFORMATION AND COMMUNICATION”

Principle 13:The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.Points of Focus:• Identifies Information Requirements• Captures Internal and External Sources of Data• Processes Relevant Data into Information• Maintains Quality throughout Processing• Considers Costs and Benefits

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.Points of Focus:• Communicates Internal Control Information• Communicates with the Board of Directors• Provides Separate Communication Lines• Selects Relevant Method of Communication


Principle 15: The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.Points of Focus:• Communicates to External Parties• Enables Inbound Communications• Communicates with the Board of Directors• Provides Separate Communication Lines• Selects Relevant Method of Communication


MONITORING ACTIVITIES

• Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

• Ongoing evaluations, built into business processes at different levels of the entity, provide timely information.

• Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.

• Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

PRINCIPLES AND POINTS OF FOCUS OF THE “MONITORING ACTIVITIES”

Principle 16:The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.Points of Focus:• Considers a Mix of Ongoing and Separate Evaluations• Considers Rate of Change• Establishes Baseline Understanding• Uses Knowledgeable Personnel• Integrates with Business Processes• Adjusts Scope and Frequency• Objectively Evaluates

PRINCIPLES AND POINTS OF FOCUS OF THE “MONITORING ACTIVITIES”

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.Points of Focus:• Assesses Results• Communicates Deficiencies• Monitors Corrective Actions

LIMITATIONS OF INTERNAL CONTROL

• Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives.

• The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty and that breakdowns can occur because of human failures such as making errors.

• Additionally, controls can be circumvented by two or more people colluding, and because management can override the internal control system.