In 1985, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) was formed to sponsor the National Commission on Fraudulent
Financial Reporting, whose charge was to study and report on the
factors that can lead to fraudulent financial reporting. A significant
part of this mission was aimed at developing guidance on internal
In 1992, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) developed a model for evaluating internal controls
titled as Internal Control-Integrated Framework. This framework
has been adopted as the generally accepted framework for internal
Renewed interest in COSO these days is because of recent accounting
scandals and Sarbanes-Oxley Oxley Act of 2002 (SOX). The COSO
model is widely recognized as the definitive standard against
which organizations measure the effectiveness of their systems
of internal control.
The COSO model defines internal control as “a process,
effected by an entity’s board of directors, management and
other personnel, designed to provide reasonable assurance of the
achievement of objectives in the following categories:Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
According to the COSO, internal control......
– is a process. It is a means to an end, not an end in itself.
– is affected by people at every level of the organization.
– cannot be expected to provide more than reasonable assurance.
– is geared to the achievement of the entity’s objectives
in all areas, not just financial reporting.
– consists of interrelated components.
In an “effective” internal control system, the following
five components work to support the achievement of an entity’s
mission, strategies and related business objectives.
1- Control EnvironmentSets the tone of the organization, influencing control consciousness
of its people
Acts as foundation for all other components of control
Integrity and Ethical Values
Commitment to Competence
Effective and independent Board of Directors and Audit Committee
Management’s Philosophy and Operating Style
Assignment of Authority and Responsibility
Human Resource Policies and Procedures
2- Risk Assessment
Risk Identification and Analysis. Drafting a process by setting
objectives, identifying risk, assessing risk and managing risk.
This will be followed by defining control objectives and designing
Managing Change within operating environment, new resources, new
technology and restructurings.
3- Control Activities
Policies and Procedures must be established and executed to address
the risk identified.
Design control activities such as reviews, analysis, approvals,
physical security, segregation of duties, reconciliation etc.
Security (Application and Network)
Application Change Management
Business Continuity / Backups
4- Information and Communication
Pertinent information identified, captured and communicated in
a timely manner
Access to internally and externally generated information
Flow of information that allows for successful control actions
from instructions on responsibilities to summary of findings for
Quality of Information
Effectiveness of Communication
Assessment of a control system’s performance over time
Combination of ongoing and separate evaluation
Management and supervisory activities
Internal audit activities
These components work to establish the foundation for sound internal
control within the company through directed leadership, shared
values and a culture that emphasizes accountability for control.
The various risks facing the company are identified and assessed
routinely at all levels and within all functions in the organization.
Control activities and other mechanisms are proactively designed
to address and mitigate the significant risks. Information critical
to identifying risks and meeting business objectives is communicated
through established channels up, down and across the company.
The entire system of internal control is monitored continuously
and problems are addressed timely.
Who is Responsible for the Design and Effectiveness of
Management is responsible for the control design and assessment
of internal controls within their areas of responsibility. This
responsibility cannot be delegated or outsourced.
• Controls over initiating, recording, processing and reporting
significant account balances, classes of transactions and disclosures,
and the related assertions embodied in financial statements
• Antifraud programs and controls
• Controls, including general controls, on which other significant
controls are dependent
• Each significant control in a group of controls that functions
together to achieve a control objective
• Controls over significant routine and nonsystematic transactions
(such as accounts involving judgments and estimates)
• Controls over the period-end financial reporting process,
including controls over procedures used to:
– Enter transaction totals into the general ledger
– Initiate, record and process journal entries in the general
– Record recurring and nonrecurring adjustments to the financial
Definition of Internal Control Deficiency
May consist of either a design or operating deficiency:
• A design deficiency exists when:
– A necessary control is missing OR
– An existing control is not properly designed so that even
when the control is operating as designed the control objective
is not always met
• An operating deficiency exists when:
– A properly designed control is not operating as designed
– The person performing the control does not possess the
necessary authority or qualifications to perform the control effectively
• Range from inconsequential internal control deficiencies
to material weaknesses
• An internal control deficiency that could adversely affect
the entity’s ability to initiate, record, process and report
financial data consistent with the assertions of management in
the financial statements
• Could arise from a single deficiency or an aggregation
Definition of Material Weakness
• A significant deficiency in one or more of the internal
control components that alone or in the aggregate precludes the
entity’s internal control from reducing to an appropriately
low level the risk that material misstatements in the financial
statements will not be prevented or detected in a timely manner
Regardless of how well designed and operated, Internal Control
provides reasonable, but not absolute, assurance that specific
entity objectives will be achieved. Even the best internal control
may breakdown due to: Judgement - decisions are made by humans, often under pressure
and time constraints, based on information at hand
Breakdowns- Employees may not understand instructions or may
simply make mistakes. Errors may result from new systems and processes.
Management Override- high level personnel may be able to override
prescribed policies and procedures.
Collusion - two or more individuals, working together, may be
able to circumvent controls.
Cost vs. Benefit - The risk of failure and the potential effects
must be weighed against the cost of establishing controls.