COSO Framework

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. A significant part of this mission was aimed at developing guidance on internal control.

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls titled Internal Control - Integrated Framework. This framework has been adopted as the generally accepted framework for internal controls.

Renewed interest in COSO these days is due to recent accounting scandals and the Sarbanes-Oxley Act of 2002 (SOX). The COSO model is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.

The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”

According to COSO, internal control:

  • is a process. It is a means to an end, not an end in itself.
  • is effected by people at every level of the organization.
  • cannot be expected to provide more than reasonable assurance.
  • is geared to the achievement of the entity’s objectives in all areas, not just financial reporting.
  • consists of interrelated components.

    In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.

    1- Control Environment

  • Sets the tone of the organization, influencing control consciousness of its people
  • Acts as foundation for all other components of control
  • Integrity and Ethical Values
  • Commitment to Competence
  • Effective and independent Board of Directors and Audit Committee
  • Management’s Philosophy and Operating Style
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Policies and Procedures

    2- Risk Assessment
  • Company-wide Objectives
  • Process-level Objectives
  • Risk Identification and Analysis. Drafting a process by setting objectives, identifying risk, assessing risk and managing risk. This will be followed by defining control objectives and designing internal controls.
  • Managing Change within operating environment, new resources, new technology and restructurings.


    3- Control Activities
  • Policies and Procedures must be established and executed to address the risk identified.
  • Design control activities such as reviews, analysis, approvals, physical security, segregation of duties, reconciliation etc.
  • Security (Application and Network)
  • Application Change Management
  • Business Continuity / Backups
  • Outsourcing


    4- Information and Communication
  • Pertinent information identified, captured and communicated in a timely manner
  • Access to internally and externally generated information
  • Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action
  • Quality of Information
  • Effectiveness of Communication


    5- Monitoring
  • Assessment of a control system’s performance over time
  • Combination of ongoing and separate evaluation
  • Management and supervisory activities
  • Internal audit activities
  • On-going Monitoring
  • Separate Evaluations
  • Reporting Deficiencies

    These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously and problems are addressed in a timely manner.

    Who is Responsible for the Design and Effectiveness of Internal Controls?

    Management is responsible for the control design and assessment of internal controls within their areas of responsibility. This responsibility cannot be delegated or outsourced.

    Significant Controls

    • Controls over initiating, recording, processing and reporting significant account balances, classes of transactions and disclosures, and the related assertions embodied in financial statements
    • Antifraud programs and controls
    • Controls, including general controls, on which other significant controls are dependent
    • Each significant control in a group of controls that functions together to achieve a control objective
    • Controls over significant routine and nonsystematic transactions (such as accounts involving judgments and estimates)
    • Controls over the period-end financial reporting process, including controls over procedures used to:
    – Enter transaction totals into the general ledger
    – Initiate, record and process journal entries in the general ledger
    – Record recurring and nonrecurring adjustments to the financial statements

    Definition of Internal Control Deficiency

    May consist of either a design or operating deficiency:
    • A design deficiency exists when:
    – A necessary control is missing OR
    – An existing control is not properly designed so that even when the control is operating as designed the control objective is not always met
    • An operating deficiency exists when:
    – A properly designed control is not operating as designed OR
    – The person performing the control does not possess the necessary authority or qualifications to perform the control effectively
    • Range from inconsequential internal control deficiencies to material weaknesses
    • An internal control deficiency that could adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements
    • Could arise from a single deficiency or an aggregation of deficiencies

    Definition of Material Weakness

    • A significant deficiency in one or more of the internal control components that alone or in the aggregate precludes the entity’s internal control from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected in a timely manner

    Regardless of how well designed and operated, internal control provides reasonable, but not absolute, assurance that specific entity objectives will be achieved. Even the best internal control may break down due to:

  • Judgement - Decisions are made by humans, often under pressure and time constraints, based on information at hand.
  • Breakdowns - Employees may not understand instructions or may simply make mistakes. Errors may result from new systems and processes.
  • Management Override - High-level personnel may be able to override prescribed policies and procedures.
  • Collusion - Two or more individuals, working together, may be able to circumvent controls.
  • Cost vs. Benefit - The risk of failure and the potential effects must be weighed against the cost of establishing controls.



