Chapter 6
s.4
Standards Relevant to Internal control
s.5
Frameworks:
A framework is a body of guiding principles that form a template against which organizations can evaluate a
multitude of business practices.
These principles comprise various concepts, values, assumptions, and practices intended to
provide a benchmark against which an organization can assess or evaluate a particular structure,
process, or environment, or a group of practices or procedures.
Specific to the practice of internal auditing, various frameworks are used to assess the design
adequacy and operating effectiveness of controls.
The Committee of Sponsoring Organizations' (COSO) mission is to help organizations improve performance by
developing thought leadership that enhances internal control, risk management, governance and fraud
deterrence.
s.6
Internal control frameworks
There are no substantive differences among COSO, CoCo, and FRC Internal Control Guidance. All of
the frameworks include definitions of internal control that describe a process that provides
reasonable assurance for achieving the objectives of an organization in three specific categories:
effectiveness and efficiency of operations, reliability of reporting, and compliance.
The components of each internal control framework are essentially the same and can be examined
using the COSO titles for each component. They are: Control Environment, Risk Assessment, Control
Activities, Information and Communication, and Monitoring.
s.7
U.S. SARBANES-OXLEY ACT OF 2002 COMPLIANCE
Many organizations were able to successfully apply the COSO frameworks in their efforts to comply with
Section 404 of Sarbanes-Oxley, despite encountering significant unanticipated costs. Smaller publicly held
companies (as defined in exhibit 6-4), on the other hand, struggled to comply due to the prohibitive costs as
well as several other challenges unique to smaller organizations.
s.8
Definition of internal control
COSO broadly defines internal control as:
. . . a process, effected by an entity’s board of directors, management, and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and
compliance.
This definition emphasizes that internal control is:
- Geared to the achievement of objectives in one or more separate but overlapping categories—operations, reporting, and compliance.
- A process consisting of ongoing tasks and activities—a means to an end, not an end in itself.
- Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
- Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors.
- Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.
s.9
THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL
COSO explains, “A direct relationship exists between objectives, which are what an entity strives to achieve,
components [and principles], which represent what is required to achieve the objectives, and entity structure
(the operating units, legal entities, and other structures). The relationship can be depicted in the form of a
cube.”* (See the figure COSO Cube.)
s.10
THE PRINCIPLES OF INTERNAL CONTROL:
In addition to the five integrated components, COSO also defines 17 supporting principles representing the
fundamental concepts associated with each component of internal control.
(See the figure on slide 10.)
s.11
Control Objectives
The COSO framework sets forth three categories of objectives, which allow organizations to focus on differing
aspects of internal control:
- Operations Objectives - These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives - These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.
- Compliance Objectives - These pertain to adherence to laws and regulations to which the entity is subject.*
s.12
Internal Control Components
COSO indicates, “Supporting the organization in its efforts to achieve objectives are five components of
internal control:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of
its individual operating units, functions, or other subsets of the entity.”*
s.14
Examples of monitoring activities:
1. Separate evaluations, non-independent:
-Management control self-assessment
-Management compliance activities
-Management quality assurance activities
2. Separate evaluations, independent:
-Internal audit activities
-Independent compliance function activities
-Independent quality assurance activities
3. Ongoing, non-independent:
-Regular management and supervisory activities
-Verification activities
-Comparison activities
-Reconciliation activities
-Continuous management monitoring activities
4. Ongoing, independent:
-Fraud prevention and detection activities
-Continuous auditing techniques activities
-Independent surveillance activities
s.15
Once entity-level and activity-level risks have been identified, they must be assessed in terms of impact and
likelihood. Risk analysis processes vary depending on many factors specific to an organization, but typically
they include:
Estimating the impact (or severity) of a risk.
Assessing the likelihood (or frequency) of the risk occurring (probability).
Considering how to manage the risk—that is, assessing what actions to take.
s.17
Inherent Risk, Controllable Risk, and Residual Risk (cont’d)
- Controls: risk responses management takes to reduce the impact and/or likelihood of threats to objective achievement.
- Risk appetite: the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.*
- Acceptable variation in performance: the boundaries of acceptable outcomes related to achieving a business objective (both the boundary of exceeding the target and the boundary of trailing the target).**
- Controllable risk: that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
- Residual risk: the portion of inherent risk that remains after mitigating all controllable risks.
s.18
LIMITATIONS OF INTERNAL CONTROL
While internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist.
Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization
to fail to achieve its operational goals. In other words, even an effective system of internal control can
experience a failure. Limitations may result from the:
- Suitability of objectives established as a precondition to internal control.
- Reality that human judgment in decision-making can be faulty and subject to bias.
- Breakdowns that can occur because of human failures such as simple errors.
- Ability of management to override internal control.
- Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
- External events beyond the organization’s control.
While a well-designed system of internal controls can provide reasonable assurance to management relative to
achievement of the organization’s objectives, no system of internal controls can provide absolute assurance
for the reasons listed above.*
s.20
TYPES OF CONTROLS
There are many types of controls that are used by an organization to increase the likelihood that objectives will
be met:
Entity-level, Process-level, and Transaction-level Controls
Key Controls and Secondary Controls
Compensating Controls
Preventive (proactive) and Detective Controls
Information Systems (Technology) Controls
Specific controls can fit into several categories at the same time. For example, a control can be an entity-level
control at the same time that it is a key control. That same control also can be a detective control.
s.21
EVALUATING THE SYSTEM OF INTERNAL CONTROLS
Management is responsible for putting in place adequately designed and effectively operating entity-
level and activity-level controls to mitigate risks associated with the achievement of business
objectives in each of the three COSO-defined categories: operations, reporting, and compliance.
Internal auditors play a significant role in the verification that management has met its responsibility.
Initially, management performs the primary assessment of internal controls using a formalized
process developed for that purpose. The internal audit function then independently validates
management’s results.
A report is typically submitted to the audit committee by either senior management or the CAE
outlining the results of management’s assessment regarding the design adequacy and operating
effectiveness of the organization’s system of internal controls.