The Committee of Sponsoring Organizations of the Treadway Commission (COSO)[1] has recently issued a proposed update to its internal control framework.[2] The proposal is an effort to modernize COSO's nearly 20-year-old framework for designing, implementing and evaluating the effectiveness of an internal control system to manage risks to the achievement of organizational objectives. COSO seeks comment on its proposal through March 31, 2012.

The internal control framework has gained widespread acceptance by companies over the years. Although the basic construct of the framework has not changed, COSO has found it necessary to update it to reflect the evolution of corporate structures, processes and technologies. Accordingly, amendments have been proposed to reflect current thinking and practices in use to improve the effectiveness of internal control systems. One of the key proposed updates is the introduction of 17 "principles" and "attributes" that add clarity to the five components of internal control (discussed below).

Internal control is a process designed to provide "reasonable assurance" regarding the achievement of corporate objectives relating to (i) effectiveness and efficiency of operations, (ii) reliability of internal and external financial and nonfinancial reporting, and (iii) compliance with applicable laws and regulations, including the detection and prevention of fraud. Further, those objectives are achieved through implementation of five interrelated components, namely, (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities. The following describes each component as enhanced by the proposed clarifying principles and attributes noted above.

Control Environment. The control environment is the set of standards, processes and structures designed to manage risks that threaten the enterprise. The control environment comprises the integrity and values of the organization and management's oversight and tone at the top. It also includes a governance structure that attempts to ensure individual accountability and a process to attract, develop and retain competent people.

Risk Assessment. Risk assessment is the coordinated approach to identifying, assessing and managing risks that imperil the accomplishment of organizational objectives. The coordination of risk-assessment initiatives across the enterprise greatly enhances the completeness and quality of risk analysis. Risk assessment requires a consideration of the likely occurrence and potential impact of possible changes in the internal and external environments that may vitiate internal controls.

Control Activities. Control activities are policies, procedures, processes, systems and training designed to help mitigate risks to the achievement of corporate objectives. Control activities can include authorizations and approvals, verifications, reconciliations, performance reviews, security of assets, and segregation of duties.

Information and Communication. Management obtains, generates and uses relevant and quality information from internal and external sources to support the implementation of other components of internal control. Communication is the means by which internal and external information is disseminated throughout the organization and externally (as appropriate), which enables individuals to receive clear instructions from management on their responsibilities for internal control.

Monitoring Activities. Ongoing and separate evaluations are performed to ascertain whether the components of internal control are being implemented effectively. Findings are evaluated and internal control deficiencies are communicated to management and possibly the board of directors in a timely manner.

It should be emphasized that an effective system of internal control merely provides "reasonable assurance" regarding the achievement of corporate objectives. The best system of internal control does not guarantee success in accomplishing objectives, because management judgment can be flawed and individuals are prone to make errors and mistakes. Nevertheless, an effective control system will:

  • increase the likelihood that critical risks that could threaten the success of an enterprise will be identified and managed;
  • improve management's decision-making process through greater awareness of risks and mitigating strategies; and
  • facilitate capital allocation across business units through the use of more reliable risk information to weigh expected returns against the risks inherent in undertaking business opportunities.

Footnotes

1. COSO is a private sector organization dedicated to improving the quality of financial reporting, internal control, enterprise risk management and other aspects of organizational governance.

2. Internal Control - Integrated Framework (December 2011), at www.ic.coso.org.

www.daypitney.com