Accounting Information Systems (9)

Module 9 - The COSO Internal Control Framework

Understanding Internal Control

  • Definition of Internal Control:

    • Internal control is a process effected by an entity’s board of directors, management, and other personnel.

    • It is designed to provide reasonable assurance regarding the achievement of objectives related to:

    1. Operations

    2. Reporting

    3. Compliance

Importance of Internal Controls

  • Internal controls are crucial for:

    • Ensuring that business operations are executed according to plan (operations).

    • Maintaining accurate accounting records, essential for managing business operations (reporting).

    • Ensuring compliance with important laws and regulations (compliance).

Overview of COSO

  • COSO:

    • Originally formed in 1985, COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of five private sector organizations.

    • COSO is dedicated to providing thought leadership through the development of frameworks and guidance on:

    • Enterprise Risk Management (ERM)

    • Internal Control

    • Fraud Deterrence

    • Aimed at improving internal processes, COSO benefits over 600,000 professionals worldwide.

Significance of Sarbanes-Oxley Act (SOX)

  • SOX Overview:

    • The Sarbanes-Oxley Act requires management to maintain a system of internal controls.

    • Requirements include assessing the effectiveness of these controls and reporting on them as part of annual reports.

    • Purpose: Enhance corporate governance and restore investor confidence by improving the accuracy and reliability of corporate disclosures.

    • Scope: Applies to all publicly traded companies in the U.S.

  • Role of Auditors:

    • Auditors rely on internal controls when forming assertions about financial statements.

    • They attest to the effectiveness of management's report on internal controls.

Example Case: Walt Disney Company

  • Management’s Report on Internal Control Over Financial Reporting:

    • Indicates management's responsibility for establishing and maintaining adequate internal control as defined in Exchange Act Rule 13a-15(f).

    • Internal control must include:

    1. Maintenance of records that accurately reflect transactions and dispositions of assets.

    2. Assurance that transactions are recorded as necessary for accurate financial statement preparation in accordance with GAAP.

    3. Measures for timely detection of unauthorized activities regarding assets.

    • Internal control evaluations were based on the COSO Internal Control - Integrated Framework (2013).

    • Management concluded that internal control over financial reporting was effective as of September 30, 2023.

Auditors' Assessment

  • Report of Independent Registered Public Accounting Firm:

    • Audited financial statements as of September 30, 2023, for fairness in all material respects and conformance with GAAP.

    • Confirmed the effectiveness of internal control based on criteria established by COSO.

Purpose and Objectives of Internal Controls

  • Financial Reporting:

    • Internal control policies ensure accurate financial reporting that reflects true transactions.

  • Broader Scope:

    • Encompasses all activities of an organization aimed at supporting operational, reporting, and compliance objectives.

Objectives of Internal Control according to COSO

  • Operations:

    • Aligns with management’s plans.

  • Reporting:

    • Supports both financial and non-financial reporting, which in turn supports strategic and operational goals.

  • Compliance:

    • Adheres to necessary laws and regulations.

  • The five components of the COSO framework aid in achieving these objectives, ensuring effective internal control.

COSO Internal Control Framework Components

  • The control components of COSO are crucial for achieving control objectives:

    1. Control Environment

    2. Control Activities

    3. Risk Assessment

    4. Information and Communication

    5. Monitoring

Control Environment
  • Definition:

    • Reflects the governance activities conducted by an entity’s Board of Directors and management.

  • Key Elements:

    1. Commitment to integrity and ethical values.

    2. Oversight responsibility regarding risk and other areas.

    3. Structure that clarifies authority and responsibility in the pursuit of objectives.

    4. Commitment to competency in staffing.

    5. Accountability for responsibilities.

Activities Related to Control Environment
  • Responsibilities performed by the board of directors include:

    • Establishing key areas of responsibility, from internal audit roles to the CFO and CIO.

    • Ensuring that the roles contribute to achieving organizational objectives and maintaining organizational integrity.

Control Activities
  • Definition:

    • Day-to-day activities that minimize risks through preventing issues, detecting problems, and ensuring corrective actions.

  • General controls over technology are also part of risk mitigation strategies, deployed through well-defined policies and procedures.

Risk Assessment
  • Definition:

    • Organizations specify objectives and assess risks related to these objectives.

  • Responsibilities include:

    • Analyzing risks to formulate management strategies and monitoring changes in risks impacting internal control.

Information and Communication
  • Definition:

    • High-quality accounting systems are essential for supporting internal control needs.

  • Internal communication must clarify objectives and responsibilities while external communication must facilitate external collaboration.

Monitoring
  • Definition:

    • Evaluates internal controls outside of daily operations to assess their presence and effectiveness.

  • Communication of deficiencies to senior management and the board is crucial for corrective action.

Internal control is a process involving an entity’s board, management, and personnel, designed to reasonably assure achievement of operations, reporting, and compliance objectives. These controls are vital for executing business operations, maintaining accurate accounting records, and ensuring legal compliance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), established in 1985, provides frameworks for Enterprise Risk Management (ERM), Internal Control, and Fraud Deterrence. The Sarbanes-Oxley Act (SOX) requires management to maintain internal controls and report on their effectiveness, enhancing corporate governance and investor confidence, with auditors attesting to this effectiveness.

For example, Walt Disney Company’s management affirmed responsibility for internal controls over financial reporting, evaluated using the COSO Internal Control—Integrated Framework (2013), and auditors confirmed their effectiveness. COSO's objectives for internal control are:

  • Operations: Aligned with management’s plans.

  • Reporting: Supports financial and non-financial reporting.

  • Compliance: Adheres to laws and regulations.

The COSO framework includes five critical components:

  1. Control Environment: Reflects governance, ethical values, oversight, structure, competency, and accountability.

  2. Control Activities: Day-to-day measures to prevent and detect issues, including general controls over technology.

  3. Risk Assessment: Identifying and analyzing risks related to objectives to formulate management strategies.

  4. Information and Communication: Ensuring high-quality accounting systems and clear internal/external communication.

  5. Monitoring: Ongoing evaluation of internal controls to assess their presence and effectiveness, with deficiencies communicated for corrective action.