What are the components of internal control per COSOs internal control Integrated Framework?

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

In my last article, I made mention of the Committee of Sponsoring Organization (COSO) which published the “Internal Control Integrated Framework” which is the internal control framework widely adopted the United States of America.

A commission led by James C. Treadway, Jr., the then Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission was set up. This commission was sponsored and funded by five United States private sector organizations made up of the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). These organizations are collectively called the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The Committee of Sponsoring Organizations were charged by the Treadway Commission to develop an integrated guidance on Internal Control. As a result of this, a framework for designing, implementing and evaluating internal control for organizations was released.

The COSO Framework was designed to help businesses establish, assess and enhance their internal control. The importance of Internal Control in the Operations and Financial Reporting of an entity cannot be over-emphasized as the existence or the absence of the process determines the quality of output produced in the Financial Statements. A present and functioning Internal Control process provides the users with a “reasonable assurance” that the amounts presented in the Financial Statements are accurate and can be relied upon for informed decision making.

COSO Internal Control Framework

Internal Control over Financial Reporting therefore are the controls specifically designed to address the risks of intentional or unintentional misstatements in the financial statements.

The COSO Integrated Framework for Internal Control has five (5) components which include:

1. Control Environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

2. Risk Assessment: Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control Activities: Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

The COSO Framework is a system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.

COSO is an acronym for the Committee of Sponsoring Organizations. The committee created the framework in 1992, led by Executive Vice President and General Counsel, James Treadway, Jr. along with several private sector organizations, including the following:

American Accounting Association
Financial Executives International
The Institute of Internal Auditors
American Institute of Certified Public Accountants
The Institute of Management Accountants (formerly the National Association of Cost Accountants)

The COSO framework was updated in 2013 to include the COSO cube, a 3-D diagram that demonstrates how all elements of an internal control system are related. In 2017, the committee introduced their COSO Enterprise Risk Management Framework. The COSO ERM Framework aims to help organizations understand and prioritize risks and create a strong link between risk, strategy and how a business performs.

Here are the five components of the COSO framework:

Control environment. The control environment seeks to make sure that all business processes are based on the use of industry-standard practices. This can help ensure that the business is run in a responsible way. It may also reduce an organization's legal exposure if the organization is able to prove that its business processes are all based around industry standard practices. Additionally, the control environment can help with making sure that an organization is adhering to regulatory compliance requirements.
Risk assessment and management. Risk assessment and management -- which is sometimes referred to as enterprise risk management -- is based on the idea that risk is an inherent part of doing business. However, those same risks can sometimes cause a business to suffer adverse consequences. As such, organizations commonly adopt risk management plans that help them to identify risks and either reduce or eliminate risks deemed to pose a threat to the organization's well-being.
Control activities. Control activities are also tied to the concept of risk management. They are essentially internal controls that are put into place to make sure that business processes are performed in a way that helps an organization to meet its business objectives without introducing unnecessary risks into the process.
Information and communications. Communications rules are put in place to make sure that both internal and external communications adhere to legal requirements, ethical values and standard industry practices. For example, private sector organizations commonly adopt privacy policies establishing how customer data can be used.
Monitoring. At a minimum, monitoring is performed by an internal auditor who makes sure that employees are adhering to established internal controls. However, in the case of public companies, it is relatively common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are usually reported to the board of directors.

The COSO Framework is heavily used by publicly traded companies and accounting and financial firms. The framework seeks to put internal controls in place that formalize the way in which key business processes are performed. This helps organizations to adhere to legal and ethical requirements, while also focusing on risk assessment and management. In addition to integrating such controls into key business processes, the framework places a heavy emphasis on monitoring and reporting, especially as it relates to using internal auditors to monitor adherence to established controls.

One of the primary benefits to implementing the COSO Framework is that it helps business processes to be performed in a uniform manner according to a set of internal controls. Depending on how these controls are designed, they can improve efficiency while also reducing risks.

Another benefit is that an organization that fully employs the COSO Framework is often in a better position to detect fraudulent activity, whether that activity is perpetrated by cyber criminals, customers or trusted employees. Because the framework focuses on risk mitigation and adherence to established best practices, vulnerabilities can be significantly reduced.

Finally, some organizations find that when they implement carefully crafted internal controls, it helps them to make existing business processes more efficient. This can help reduce costs and make the organization more profitable.

Despite the benefits associated with implementing the COSO Framework, it is not without its limitations. The most significant of these limitations is that the framework can be difficult to implement for two main reasons. First, the framework is relatively broad in scope, which means that it can be applied to a wide variety of organizations and processes. But this broad scope also means that the framework lacks a significant amount of prescriptive guidance.

The second limitation that can make the framework difficult to apply is its organizational structure. The COSO Framework is broken into a series of rigid categories. Organizations often find that there are certain processes that could conceivably fall into multiple categories, or that do not align well with any of the categories. As such, organizations will often have to make some tough decisions when implementing the framework.