Chapter 8 — Introduction to Internal Controls and Internal Control System (COSO Framework)

A. Definition of Internal Control

  • The term 'internal control' was first defined by the American Institute of Accountants (now AICPA) in 1949; refined in 1958 and 1972.

  • 1949 definition (core idea):

    • "Internal control comprises the plan of organization and all of the co-ordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies".

  • COSO (Committee of Sponsoring Organizations) Integrated Framework (2013) provides an updated, comprehensive view:

    • Updated definition:

    • "Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance."

    • Emphasizes that internal control is a process, not a one-off event, and involves people at all levels.

  • Key characteristics of the COSO definition:
    1) Geared to the achievement of objectives in one or more overlapping categories, which focus on:
       a) Operations objectives: effectiveness and efficiency of the entity's operations, including operating and financial performance goals, and safeguarding assets against loss.
       b) Reporting objectives: internal and external financial and non-financial reporting; reliability, timeliness, transparency, etc.
       c) Compliance objectives: adherence to laws and regulations applicable to the entity.
    2) A process consisting of ongoing tasks and activities; a means to an end, not an end in itself; dynamic and iterative.
    3) Effected by people: board, management, and other personnel; not merely policy manuals or systems.
    4) Able to provide reasonable assurance: not absolute assurance; acknowledges inherent limitations.
    5) Adaptable to the entity structure: applicable to the entire entity or to subsidiaries, divisions, or processes; can be tailored to legal/regulatory contexts.

  • International/UK perspectives:

    • Turnbull Report (UK Turnbull Guidance, 1999; revised 2005) defines internal control in terms of policies, processes, tasks, behaviors, and the way it enables effective operation, risk management, and reliable reporting; emphasizes embedding into operations and culture, and reporting of significant failures or weaknesses with corrective actions.

    • The Turnbull guidance links internal control to corporate governance principles and risk management in the UK context.

  • Application of COSO in practice:

    • COSO Framework comprises five interrelated components and seventeen principles guiding design, implementation, and evaluation of internal control. The five components are:

    • Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring Activities.

    • The system is effective only if all five components exist and function together, and operate in an integrated manner.

  • The three-objectives framework (operations, reporting, compliance) and the overall process orientation form the basis for designing and assessing internal control across organizations.

B. Benefits and Costs of Internal Control

  • Benefits of internal control:

    • Provides management and board with added confidence in achieving objectives.

    • Provides feedback on how the business is functioning and helps reduce surprises.

    • Facilitates access to capital markets by supporting reliable external reporting, which in turn enhances investor confidence.

    • Supports reliable decision making (e.g., product pricing, capital investment, resource deployment).

    • Establishes consistent processing mechanisms and reliable information flows across the organization.

    • Improves efficiency within functions and processes.

    • Provides a basis for decisions requiring judgment and substantial estimation.

    • Enables credible communication of performance with partners and customers, supporting ongoing relationships.

  • Costs of internal control:

    • Direct costs of implementing and maintaining controls.

    • Indirect costs (e.g., ongoing maintenance, training, upgrades to technology).

    • Opportunity costs and potential trade-offs in resource allocation.

    • Costs of increased reliance on technology, including development, maintenance, and updates to systems.

    • Data and information requirements growth may drive higher data volumes and storage costs; need to balance information needs with cost.

    • Trade-offs such as hiring more or higher-skilled staff (e.g., CFO) versus cost constraints; more formal controls in larger or publicly traded entities may be justified by risk profile.

  • Decision framework:

    • Management weighs costs against expected benefits; cost alone is not a justification to avoid internal controls.

    • Information requirements must be balanced (right information, right form, right time, to the right people).

    • Control design should focus on areas with greatest risk and complexity, aligning resources to risk priorities and risk appetite.

C. Limitations of Internal Control

  • Internal control provides reasonable assurance, not absolute assurance, due to inherent limitations.

  • Main limitations:
    1) Judgment: human decision-making can be flawed; decisions are made under time pressure and with imperfect information; hindsight may reveal better alternatives.
    2) Breakdowns: errors or breakdowns can occur due to misunderstanding, fatigue, distraction, or system changes; training gaps can cause incorrect operation of controls.
    3) Management override: management at any level may override controls for improper purposes (e.g., inflating revenue, meeting budgets, boosting bonuses, hiding noncompliance); overrides are often not documented and not disclosed.
       • Management intervention is distinct from override; intervention may be legitimate for non-recurring events but should be overt and documented.
    4) Collusion: two or more individuals colluding can bypass controls, making detection difficult; examples include collusion between an employee and a vendor or between sales and operations.

  • These limitations explain why controls operate with residual risk and why ongoing monitoring and governance are vital.

D. Classifications of Internal Controls

  • 1) Mandatory vs voluntary: some controls must be applied by law/policy; others are discretionary.

  • 2) Discretionary vs non-discretionary: some controls permit management discretion based on risk; others must be applied without discretion.

  • 3) Manual vs automated: controls carried out by people vs those embedded in information systems; hybrids exist (human override in automated processes).

  • 4) General controls vs application controls (information systems):

    • General controls ensure reliability of data processing and system operation (e.g., access, change management).

    • Application controls are specific to individual applications to ensure complete and accurate processing of data.

  • 5) Primary vs secondary controls: primary controls are critical to mitigating risk and supporting financial reporting assertions; secondary controls support risk management and may have compensating controls.

  • 6) Preventive vs detective controls:

    • Preventive controls aim to prevent undesired events at the initial point of processing.

    • Detective controls identify and correct events after processing but before final outcomes are completed.

E. Nature of Internal Controls

  • UK Auditing Practices Board (APB) six categories of internal financial controls:
    1) Segregation of duties: divide responsibilities to create checks; e.g., cash handling separation; at the top, chairman and CEO segregation; internal audit independence reporting to the board or audit committee.
    2) Physical controls: restrict access to facilities, areas, equipment; physical protection of assets; e.g., turnstiles, swipe cards, asset tagging.
    3) Authorization and approval controls: spending/signing authority thresholds (e.g., a junior manager may approve up to Php 5,000; higher approvals required for larger amounts).
    4) Management controls: variance analysis, performance management, supervision; organization structure and reporting lines define responsibilities and accountability.
    5) Arithmetical and accounting controls: ensure accurate recording and processing (control totals, bank reconciliations, trial balances).
    6) Personnel/human resources controls: pre-employment verifications (qualifications, references), training effectiveness, ongoing competence checks.

  • These controls collectively form the basis of an internal control system; in practice, organizations tailor and combine these controls to fit size, complexity, and risk profile.
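As an added illustration (not part of the chapter), the Python below models three of the APB categories above as checks a finance system or auditor could run over a payment batch: segregation of duties (the preparer cannot approve their own payment), authorization thresholds (the Php 5,000 junior-manager limit is from the chapter; the higher tiers and role names are assumed values), and an arithmetical control (batch total and count reconciled against control figures). The sample batch is constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed approval tiers. Only the Php 5,000 junior-manager limit comes from the
# chapter; the other roles and limits are illustrative values for this example.
APPROVAL_LIMITS = {
    "junior_manager": Decimal("5000"),
    "senior_manager": Decimal("50000"),
    "finance_director": Decimal("500000"),
}

@dataclass
class Payment:
    ref: str
    amount: Decimal
    prepared_by: str
    approved_by: Optional[str] = None
    approver_role: Optional[str] = None

def check_authorization(p: Payment) -> list:
    """Return control exceptions for one payment (empty list = passes)."""
    issues = []
    if p.approved_by is None or p.approver_role is None:
        issues.append(f"{p.ref}: no approval recorded")
        return issues
    # Segregation of duties: the preparer and the approver must be different people.
    if p.approved_by == p.prepared_by:
        issues.append(f"{p.ref}: preparer {p.prepared_by} approved own payment")
    # Authorization threshold: the approver's role must cover the amount.
    limit = APPROVAL_LIMITS.get(p.approver_role)
    if limit is None:
        issues.append(f"{p.ref}: unknown approver role {p.approver_role}")
    elif p.amount > limit:
        issues.append(f"{p.ref}: amount {p.amount} exceeds {p.approver_role} limit {limit}")
    return issues

def reconcile_batch(payments, control_total: Decimal, control_count: int) -> list:
    """Arithmetical control: batch total and item count must match the control figures."""
    issues = []
    total = sum((p.amount for p in payments), Decimal("0"))
    if total != control_total:
        issues.append(f"batch total {total} != control total {control_total}")
    if len(payments) != control_count:
        issues.append(f"batch count {len(payments)} != control count {control_count}")
    return issues

def review_batch(payments, control_total: Decimal, control_count: int) -> list:
    """Run the reconciliation first, then the per-payment authorization checks."""
    issues = reconcile_batch(payments, control_total, control_count)
    for p in payments:
        issues.extend(check_authorization(p))
    return issues

# Constructed sample batch (not real data); the control total matches the batch.
SAMPLE_BATCH = [
    Payment("PV-001", Decimal("4200.00"), "alice", "bob", "junior_manager"),
    Payment("PV-002", Decimal("7500.00"), "alice", "bob", "junior_manager"),   # over limit
    Payment("PV-003", Decimal("900.00"), "carol", "carol", "senior_manager"),  # self-approval
    Payment("PV-004", Decimal("12000.00"), "dave"),                            # unapproved
]
SAMPLE_CONTROL_TOTAL = Decimal("24600.00")

if __name__ == "__main__":
    for line in review_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL, 4):
        print(line)
```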

F. Elements of a Sound System of Internal Control

  • The COSO Internal Control - Integrated Framework (1992) identifies five interrelated components and seventeen principles guiding design and effectiveness:

    • Five components:
      1) Control Environment
      2) Risk Assessment
      3) Control Activities
      4) Information & Communication
      5) Monitoring Activities

    • Seventeen principles (Exhibit 8.3):
      1) The organization demonstrates a commitment to integrity and ethical values.
      2) The board of directors demonstrates independence from management and exercises oversight of internal control.
      3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
      4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
      5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
      6) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
      7) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
      8) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
      9) The organization identifies and assesses changes that could significantly impact the system of internal control.
      10) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
      11) The organization selects and develops general control activities over technology to support the achievement of objectives.
      12) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
      13) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
      14) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
      15) The organization communicates with external parties about matters affecting the functioning of internal control.
      16) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
      17) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

  • UK Turnbull guidance (1999, revised 2005) provides a similar framework, emphasizing:

    • The control environment reflects organizational structure and culture; embedded in operations; able to respond quickly to changing risks; immediate reporting of significant failures or weaknesses; corrective actions.

  • A sound system reduces risk to a tolerable level; however, it cannot eliminate all risk or guarantee objective achievement in all circumstances.

G. Control Environment

  • The control environment is the foundation: the set of standards, processes, and structures that provides the basis for internal control across the organization.

  • Tone at the top: board and senior management establish and reinforce standards of conduct and integrity; management communicates expectations at all levels.

  • Core components of the control environment include:

    • Integrity and ethical values; oversight structures; organizational design with clear authority and responsibility; and competence and accountability for performance.

    • Senior management communicates entity values and codes of conduct; penalties for violations support compliance.

    • Temptations and pitfalls: incentives that push short-term targets; poor segregation of duties; weak internal audit; ineffective board oversight.

    • Responsibility for internal control is shared across all employees; everyone must understand risks, objectives, markets, and industries.

  • Turnbull guidance emphasizes:

    • 1) Commitment to competence: define required competence, develop skills, provide training.

    • 2) Active board and audit committee: independent, experienced, and objective; oversee internal control.

    • 3) Assignment of authority and responsibility; accountable decision-making; proper reporting lines.

    • 4) Organizational structure: aligned with objectives; clear responsibilities; reporting lines; appropriate service provider relationships.

    • 5) HR policies and practices: ongoing education, performance feedback, compensation aligned with competence; establish accountability; respond dynamically to regulatory changes.

  • Delegation of authority: enhances agility but increases risk; ensure limits and accountability exist; authority delegated based on demonstrated competence.

  • The control environment extends beyond management to all employees; the board should demand competence and ethical conduct across the organization.

H. Risk Assessment

  • Risk definition: the possibility that an event will occur and adversely affect objective achievement.

  • Risk assessment is a dynamic, iterative process of identification, analysis, and assessment of risks, considering external and internal changes (regulatory, operating environment, strategy).

  • Setting objectives:

    • Clear, future-focused objectives expressed to be achievable; the board sets risk tolerances and determines how much risk is prudently accepted.

    • Objectives should be aligned with strategy and be specific, measurable, achievable, relevant, and time-bound; cascaded across entity and subunits; activities should have measurable objectives; ensure alignment with laws and standards.

    • Categories of objectives:
      • Operations objectives: mission/vision, efficiency/effectiveness, performance goals, safeguarding resources.
      • Reporting objectives: reliability, timeliness, transparency of internal and external reporting.
      • Compliance objectives: adherence to laws, rules, regulations.

  • Risk identification and assessment:

    • Identify risks at entity level and at activity level; use techniques influenced by industry factors, external auditors, internal auditors, and management input.

    • Consider factors such as competitive dynamics, regulatory changes, market developments, personnel changes, information systems changes, growth, new products, reorganizations, overseas expansions.

    • Consult across the company to verify awareness of objectives and risks; evaluate control strategies and need for improvements; identify changed behaviors.

    • Risk analysis involves assessing likelihood and impact; quantify where possible; consider changes in operating conditions, new personnel, new information systems, rapid growth, new product lines, restructurings, overseas expansion.

  • Risk prioritization:

    • Prioritize risks by impact and likelihood; classify as high/high, high/low, low/high, low/low.

    • Determine for each risk: whether to accept, what control strategy to adopt, who is accountable, residual risk after controls, and early warning indicators.

    • Control strategies: accept, transfer, eliminate, control, share, insure.

    • Delegation: responsibility for risk management should be distributed across functions; avoid concentrating risk management in a single individual.

  • Risk appetite and early warning:

    • Board defines risk appetite; determine whether risk/reward is acceptable.

    • Implement early warning mechanisms (e.g., Key Risk Indicators) to signal emerging issues promptly.

  • Important caveat:

    • Risk assessment is part of the broader internal control system, but the specific plans and actions taken to address risks belong to the management process and are not themselves a component of the internal control framework.

I. Control Activities

  • Definition: actions established through policies and procedures to ensure management directives are carried out and to address risks to objectives.

  • Presence: performed at all levels, at various stages of processes, and across technology environments; can be preventive or detective; can be manual or automated; may include integration with information systems.

  • Core categories of control activities (across operations, financial reporting, and compliance):
    1) Top-level reviews: actual vs budgets/forecasts; track major initiatives; monitor performance against targets; management reviews of new product development, joint ventures, financing needs; follow-up on issues.
    2) Direct functional or activity management: reviews of performance reports by function managers.
    3) Information processing controls: ensure accuracy, completeness, and validity of transactions; use exception reports and other checks. Definitions used:
       • Accuracy: transactions recorded at correct amounts and in correct accounts, timely;
       • Completeness: all occurrences recorded;
       • Validity: transactions reflect actual events and comply with procedures (authorization and policy).
    4) Physical controls: protect assets and inventories; secure storage; restricted access; periodic counts.
    5) Performance indicators: analyze operational/financial data to detect deviations; investigate unexpected results and trends.
    6) Segregation of duties: split recording, authorizing, approving, and asset handling to reduce errors/fraud; however, complete segregation may be impractical in smaller entities; alternative controls may be needed.

  • The design and execution of control activities should reflect the entity's risk profile and technology environment; ensure alignment with the other components of internal control.

J. Information and Communication

  • Information and communication refer to effective processes for identifying, capturing, and reporting operational, financial, and compliance information in a form and timeframe that supports responsibilities.

  • Information: data is processed into meaningful, timely, high-quality information to support decision-making; information systems process data from internal and external sources; they can be formal or informal (e.g., discussions with customers, suppliers, regulators).

  • Information quality criteria (aspects of information quality):

    • Accessible, Correct, Current, Protected, Retained, Sufficient, Timely, Valid, Verifiable.

  • Information system characteristics:

    • Sets of activities involving people, processes, data, and/or technology; capable of adapting to new objectives and industry changes; can be formal or informal.

  • Communications flows:

    • Internal communication: open channels, downward/upward/lateral flows; management conveys the importance of control responsibilities; employees understand their roles and responsibilities.

    • External communication: with shareholders, investors, customers, regulators, analysts, suppliers; facilitates sharing information about risks, performance, and control issues.

    • The board-management communication frequency and detail should enable oversight and timely action; management should inform the board of performance, risks, major initiatives, and control issues; the board should direct information needs.

  • Emphasis on openness and two-way communication; avoid punitive climates that discourage reporting of issues.

K. Monitoring Activities

  • Monitoring ensures internal control continues to operate effectively over time; involves ongoing evaluations and separate evaluations.

  • Ongoing evaluations: embedded into normal operations; performed in real-time or on a continuous basis; designed to react to changes in the operating environment.

  • Separate evaluations: periodic assessments by objective parties (internal auditors, external auditors, or others); scope and frequency depend on risk assessments and needs.

  • Findings are evaluated against applicable criteria (regulators, standard-setters, or management); deficiencies are communicated to appropriate levels (e.g., senior management or board).

  • Documentation and reporting: the extent of documentation varies by entity size and complexity; documentation aids efficiency and understanding; supports modification of controls as needed.

  • Who to evaluate:

    • Self-assessments by responsible units (e.g., CEO within a division, line managers, divisional controllers).

    • Internal auditors perform ongoing or requested control evaluations.

    • External auditors may supplement evaluation and provide independent assessment.

  • Reporting deficiencies and remediation:

    • All deficiencies that could affect objective attainment should be reported to those who can take corrective action.

    • The scope and approach of evaluations and any deficiencies are communicated to those conducting the overall effectiveness assessment.

    • Management tracks remediation to ensure timely completion; reporting may be escalated to the board or audit committee as required by regulators or internal policy.

Exhibits and UK Guidance (context)

  • Exhibit 8.1: COSO Framework diagram showing the five components and their integration (Operations, Reporting, Compliance; Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring Activities).

  • Exhibit 8.2: Turnbull guidance on internal control in the UK context (principles of governance and internal control; D.2 provisions for board oversight, reporting, and risk management).

  • Exhibit 8.3: COSO Internal Control - Integrated Framework Principles (1–17 as above).

  • The Turnbull Report emphasizes that a sound internal control system should be embedded in the company culture, respond quickly to changing risks, and require immediate reporting of significant failures with corrective action plans; it also stresses that internal control cannot eliminate all risk or guarantee objective achievement.