The COSO Framework

The COSO Framework assists management, the board of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control, without being overly prescriptive.

• This flexibility allows organizations to tailor their internal control systems to meet specific needs while ensuring compliance with applicable regulations and standards.

For management and boards of directors, the Framework provides:

• A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function.

• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal controls—principles that can be applied at the entity, operating, and functional levels.

• Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together.

• A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures.

• An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives.

• An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity’s objectives.

For external stakeholders of an entity and others that interact with the entity, application of this Framework provides:

• Greater confidence in the board of directors’ oversight of the internal control system.

• Greater confidence regarding the achievement of entity objectives.

• Greater confidence in the organization’s ability to identify, analyze, and respond to risk and changes in the business and operating environments.

• Greater understanding of the requirement of an effective system of internal control.

• Greater understanding that through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls.

Objectives: The framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control:

  1. Operations Objectives—These pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

  2. Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

  3. Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

Defining Internal Control

Internal control is the process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Components of Internal Control

  1. Control Environment: The foundation for carrying out internal control across an organization. It includes the standards, processes, and structures that influence how internal control is implemented and maintained.

    1. Key Components:

      • Tone at the Top:

        • Established by the board of directors and senior management.

        • Sets the importance of internal control and expected standards of conduct.

      • Management’s Role:

        • Reinforces internal control expectations at all organizational levels.

    2. Elements of the Control Environment:

      • Integrity and Ethical Values:

        • The organization’s commitment to ethical behavior and honesty.

      • Governance Oversight:

        • Board of directors' ability to perform oversight responsibilities effectively.

      • Organizational Structure:

        • Clear assignment of authority and responsibility within the organization.

      • Competency Process:

        • Strategies for attracting, developing, and retaining skilled individuals.

      • Performance Accountability:

        • Processes for measuring performance, offering incentives, and rewarding accomplishments to promote accountability.

    3. Impact on Internal Control:

      • The control environment influences the effectiveness of the overall internal control system.

      • It creates a culture of accountability, ethical behavior, and operational efficiency throughout the organization.

  2. Risk Assessment

  • Risk is the possibility of an event occurring that could negatively impact the achievement of objectives.

  • Risk assessment is a dynamic and iterative process to identify and evaluate risks that may hinder the achievement of an entity's objectives.

  1. Purpose:

    • Risk assessment helps determine how identified risks will be managed.

    • It considers risks from both external and internal sources relative to the entity’s established risk tolerances.

  2. Key Components:

    • Establishment of Objectives:

      • Objectives are set by management at various levels of the organization.

      • These objectives are linked to categories such as operations, reporting, and compliance.

    • Clarity of Objectives:

      • Objectives must be clearly defined to allow for the identification and analysis of associated risks.

    • Suitability of Objectives:

      • Management evaluates whether the objectives are appropriate for the entity.

  3. Factors Considered in Risk Assessment:

    • External Environment:

      • Changes in market conditions, regulations, or external factors that could impact objectives.

    • Internal Business Model:

      • Shifts within the organization, such as process changes or restructuring, that could render internal controls ineffective.

  4. Outcome:

    • Risk assessment forms the foundation for determining the appropriate responses to identified risks, ensuring that risks are managed effectively and objectives remain achievable.

  3. Control Activities

  • Control activities are the actions established through policies and procedures to ensure management's directives to mitigate risks are implemented effectively.

  • Purpose:

    • These activities help ensure that risks to the achievement of objectives are managed appropriately.

  • Key Features:

    • Performed at All Levels:

      • Control activities occur across all levels of the organization, within business processes, and over the technology environment.

    • Types of Activities:

      • Preventive Controls: Designed to stop issues before they occur.

      • Detective Controls: Designed to identify issues after they occur.

  • Examples of Control Activities:

    • Authorizations and Approvals: Ensuring transactions and processes are properly authorized.

    • Verifications: Checking the accuracy and validity of transactions.

    • Reconciliations: Comparing different data sets to ensure consistency and accuracy.

    • Business Performance Reviews: Assessing the organization's performance to identify deviations from expectations.

  • Segregation of Duties:

    • Dividing responsibilities to reduce the risk of errors or fraud.

    • When segregation of duties is not feasible, management develops alternative control activities to mitigate risks.

  • Outcome:

    • Control activities ensure that management’s directives are executed, helping the organization achieve its objectives while minimizing risks.

  4. Information and Communication

    Information is essential for carrying out internal control responsibilities and achieving organizational objectives.

    1. Communication is an ongoing process of providing, sharing, and obtaining necessary information.

      1. Purpose:

        • Ensures that relevant, accurate, and high-quality information is available to support the functioning of internal control components.

      2. Key Components:

        • Information:

          • Obtained or generated from internal and external sources.

          • Must be relevant and of sufficient quality to support decision-making and control processes.

        • Communication:

          • Facilitates the sharing of necessary information across the organization.

    2. Types of Communication:

      • Internal Communication:

        • Disseminates information throughout the organization.

        • Flows up, down, and across all levels to ensure everyone understands their roles in internal control.

        • Reinforces the message from senior management that control responsibilities are critical.

      • External Communication:

        • Supports inbound communication of relevant external information.

        • Provides information to external parties to meet requirements and expectations.

    3. Outcome:

      • Effective information and communication ensure that all components of internal control function cohesively.

      • Personnel are equipped to fulfill their responsibilities, and external stakeholders receive necessary and accurate information.

  5. Monitoring Activities

  • Monitoring activities involve ongoing and/or separate evaluations to ensure that the five components of internal control are present and functioning effectively.

  1. Types of Monitoring:

    • Ongoing Evaluations:

      • Built into business processes at different levels.

      • Provide timely and continuous feedback on the effectiveness of controls.

    • Separate Evaluations:

      • Conducted periodically.

      • Scope and frequency depend on risk assessments, the effectiveness of ongoing evaluations, and management considerations.

  2. Purpose:

    • To evaluate whether internal controls are operating as intended.

    • To ensure that deficiencies in internal control are identified and addressed promptly.

  3. Evaluation Criteria:

    • Findings are assessed against criteria established by:

      • Regulators

      • Recognized Standard-Setting Bodies

      • Management and the Board of Directors

  4. Deficiency Communication:

    • Identified deficiencies are communicated to management and the board of directors as appropriate.

  5. Outcome:

    • Monitoring activities ensure that internal control processes remain effective over time.

    • They provide management with insights to make adjustments when risks, deficiencies, or inefficiencies are identified.

Components and Principles: The Framework identifies 17 principles essential to effective internal control, with five principles specific to the Control Environment. These principles ensure internal control operates effectively and applies to operations, reporting, and compliance objectives.

Control Environment

  1. The organization demonstrates a commitment to integrity and ethical values.

  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve the entity's objectives.

  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives, ensuring that staff are well-trained and equipped to fulfill their roles effectively.

  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  2. The organization selects and develops general control activities over technology to support the achievement of objectives.

  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

  2. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Effective Internal Control

  1. Definition and Purpose:

    • Internal control provides reasonable assurance for achieving an entity’s objectives.

    • Reduces risks to an acceptable level, addressing one, two, or all three categories of objectives: operations, reporting, and compliance.

  2. Requirements for an Effective System:

    • Five Components and Principles:

      • All five components and their relevant principles must be present (exist in the system design and implementation) and functioning (continue to operate effectively).

    • Integrated Operation:

      • Components must operate together as an integrated system, collectively reducing risk to an acceptable level.

      • Components and principles interact and are interdependent.

  3. Major Deficiency:

    • A major deficiency in any component or principle, or in their integrated operation, means the system does not meet the requirements for effective internal control.

  4. Key Outcomes of Effective Internal Control:

    • Operations: Achieves effective and efficient operations, even when external events have a significant impact.

    • Reporting: Produces reports that meet applicable rules, regulations, and standards.

    • Compliance: Ensures adherence to applicable laws and regulations.

  5. Judgment and Limitations:

    • Internal control relies on judgment to design, implement, and assess its effectiveness.

    • Limitations of internal control include:

      • Faulty human judgment or bias in decision-making.

      • Errors or failures in execution.

      • Management override of controls.

      • Collusion to circumvent controls.

      • External events beyond organizational control.

    • Internal control provides reasonable, not absolute, assurance.

Roles in Using the Framework

  1. Board of Directors:

    • Oversee the state of the internal control system.

    • Ensure senior management is accountable for internal control.

    • Challenge management, assess risks, and seek input from auditors.

  2. Senior Management:

    • Assess internal control using the framework and apply its 17 principles.

    • Evaluate updates in the latest framework version and their impact on internal control.

  3. Other Management and Personnel:

    • Review changes in the framework and assess their responsibilities accordingly.

    • Suggest ways to strengthen internal control within their roles.

  4. Internal Auditors:

    • Review audit plans and assess the impact of framework updates.

    • Evaluate how the entity’s controls support the five components of internal control.

  5. Independent Auditors:

    • Assess the effectiveness of internal control over financial reporting.

    • Evaluate how the organization applies controls to the principles within the components.

  6. Other Professional Organizations:

    • Align their standards and guidance with the framework to eliminate inconsistencies in concepts and terminology.

  7. Educators:

    • Incorporate framework concepts and terminology into university curricula for broader understanding and adoption.