Wednesday, August 11, 2010

An Overview of the COSO

Why an internal control framework?



Section 404 of the Sarbanes-Oxley Act requires management to file an annual internal control report, which must include:

A statement identifying the framework used by management as the criteria for evaluating the effectiveness of internal control.


If management fails to select a control framework, it will be almost impossible for an external auditor to attest to management’s assertion on the effectiveness of the internal controls and procedures for financial reporting.


If the company doesn’t adopt an internal control framework, there are no criteria against which the company or the independent auditor can measure effectiveness.


“You have to pick the set of rules that you want to play by or the independent auditor can’t referee the game.”
 
Control Frameworks



COSO – Internal Control – Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission and sponsored by the AICPA, FEI, IIA and others. This is the most dominant control model in the US.

CoCo – The control model developed by the Criteria of Control Committee of the Canadian Institute of Chartered Accountants. CoCo focuses on behavioral values rather than control structure procedures as the fundamental basis for internal control in a company.

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, developed by the Committee on Corporate Governance of the Institute of Chartered Accountants in England & Wales, in connection with the London Stock Exchange. The Turnbull Report required companies to identify, evaluate and manage their significant risks and to assess the effectiveness of the related internal control system.


ACC – Australian Criteria of Control, developed by the Institute of Internal Auditors – Australia, emphasizes the competency of management and employees to develop and operate the internal control framework.


The King Report – Released by the King Committee on Corporate Governance, promotes high standards of corporate governance in South Africa. The King Report goes beyond the usual financial and regulatory aspects of corporate governance by addressing social, ethical and environmental concerns.
 
Components of COSO



COSO identifies five components of internal control that need to be in place and integrated to ensure the achievement of each of the objectives. These components are:


1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
 
Components of COSO..Control Environment



The Control Environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for the other COSO components, providing discipline and structure.






Its main fundamentals and requirements are:

1. Integrity and Ethical Values: Objectives are achieved based on preferences, value judgments and management style. These preferences and judgments, which are translated into standards of behavior, reflect management’s integrity and commitment to ethical values.


2. Commitment to Competence: Knowledge and skills needed to accomplish tasks are critical in defining individual job responsibilities.


3. Board of Directors or Audit Committee: An active and involved Board / Audit Committee is critical to effective internal control.

4. Management Philosophy and Operating Style: Affects the way the enterprise is managed, including the kind and degree of business risks accepted.



5. Organizational Structure: Provides the framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and monitored.

6. Assignment of Authority and Responsibility: The degree to which employees and teams are encouraged to use initiative in addressing issues and solving problems.
 
7. Human Resource Policies and Practices: Activities and mechanisms for communicating to employees regarding expected levels of integrity, ethical behavior and competence.

Components of COSO..Risk Assessment



Risk Assessment involves the identification and analysis of relevant risks, internal and external, to the achievement of objectives, forming a basis for how risks should be managed.


1. Objectives: Objective setting is a precondition to assessing risk and provides the measurable targets toward which the entity moves in conducting its activities. Objectives can be explicitly stated or implicitly known, and are established at all levels of an entity.


2. Risks: Identifying and analyzing risk is an ongoing iterative process. Focus on effective risk management should be performed at all levels of an entity.


3. Managing Change: Mechanisms are in place to anticipate, identify and react to changes that may have a dramatic and pervasive effect on the entity, or may affect achievement of entity or process / application-level objectives.


Components of COSO..Control Activities



Control Activities involve policies, procedures and business disciplines that help ensure management directives are carried out, and that necessary actions are taken to address the organization’s risks.

1. Types of Control Activities:


a) Top Level Reviews – Actual vs. budget, tracking of major initiatives, monitoring of new product development, etc.


b) Direct Functional or Activity Management – Management review of performance reports.


c) Information Processing – Checking for accuracy, completeness and authorization of transactions.


d) Physical Controls – Equipment, inventories, securities, cash, etc.


e) Segregation of Duties – Division of duties among different employees to reduce the risk of error or inappropriate activities.

2. Information Systems


a) General Controls – Data center operations, system software, access security, application system development.


b) Application Controls – Application processing, completeness/ accuracy of transaction processing, authorization and validity.
 
Components of COSO..Information & Communication



Information & Communication involves identification, capture and communication of pertinent information in a form and timeframe that enables employees to carry out their duties.

Information: Information is needed at all levels of an organization to support achievement of an entity’s objectives. Quality information has the following attributes:


a) Appropriate content


b) Timely


c) Current


d) Accurate


e) Accessible


Communication: Communication, internal and external, takes place in a broader sense than the dissemination of information, and carries with it implicit undertones regarding expectations, importance and responsibilities. Effective communication:

a) Is empowered

b) Is open and honest

c) Flows up, down and across the entity
 
Components of COSO..Monitoring



Monitoring assesses the quality of internal control performance over time.

Types of monitoring are:

1) Ongoing Monitoring: Activities that serve to monitor internal control in the normal course of business. Examples:

a) Reconciliations and data comparisons

b) Exception reporting

c) Communications from internal and external parties

d) Organizational structure for overseeing normal transaction processing
 

2) Separate Evaluations: Activities that serve to monitor internal control outside the normal course of business.

a) Scope and Frequency – Evaluations of internal control will vary in scope and frequency based on risk significance and importance of the control(s) in managing the risk.

b) Who Evaluates? – The effectiveness of separate evaluations will depend upon “who” is performing the evaluation and what level of support they have.



3) Reporting Deficiencies: Conditions within an internal control system worthy of attention. In evaluating an entity’s process for reporting deficiencies, consideration should be given to the sources where information is received, what is being reported and to whom it is being reported.
