Chapter 6 IC-Internal Control Through COSO

The document discusses the COSO internal control framework. It provides an overview of COSO and why it was established. It describes the key elements and objectives of internal control as defined by COSO, including control environment, risk assessment, control activities, information and communication, and monitoring activities.

Uploaded by

Fatma Abdelnaem

Chapter 6

Establishing Internal Controls Through COSO
 A system of strong internal controls has been and continues to be the basis for effective operational and accounting business processes.
 In the 1970s, a series of events led to the development and release of the Committee of Sponsoring Organizations (COSO) internal control framework (a standard for assessing internal controls by internal and external auditors).

 COSO: What Is It?
 Is the Committee of Sponsoring Organizations of the Treadway Commission
 Established in 1985
 Developed recommendations on internal controls
 Issued the 1992 internal control framework
 In 2010 began a project to update the 1992 framework
 Representatives from industry, academia, government and non-profits formed an advisory council to provide input
 New framework organized as:
• Executive Summary
• Framework itself
• Appendices
• Application guide with Illustrative Tools
Why the need to update the 1992 framework?
 Significant changes in the business environment
 Globalization
 Increased expectations on governance
 Impact of technology
 Demand for greater transparency
 Enron, WorldCom, … (a string of scandals)
What hasn’t changed?
 Core definition of internal control
 COSO Cube remains unchanged
 Emphasis on professional judgement

 It should be noted that there are two different COSO frameworks. The first, the COSO internal control framework, is the emphasis of this chapter; the second is the COSO enterprise risk management framework (COSO ERM, Chapter 9).
Why COSO?
COSO’s goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.
Internal control frameworks:
• A framework is a body of guiding principles (a benchmark) that form a template against which organizations can evaluate or assess a multitude of business practices [a particular structure, process, environment, or all of these together].
• A framework provides a structure within which a body of knowledge and guidance fit together.
• A framework facilitates consistent development, interpretation, and application of concepts and techniques.
• Section 404 of the Sarbanes-Oxley Act of 2002 put responsibility for the design, maintenance and effective operation of internal control on the senior management [CEO, CFO] of publicly traded companies.
Importance of Effective Internal Controls
 Internal control is one of the most important and fundamental concepts that business professionals at all levels and both external and internal auditors must understand.
 The business professional builds and uses internal controls, while auditors review both operational and financial areas of the enterprise with the objective of evaluating those internal controls.
 A system or process has good internal control only if it:
1) accomplishes its stated mission,
2) produces accurate and reliable data,
3) complies with applicable laws and enterprise policies,
4) provides for economical and efficient use of resources,
5) provides for appropriate safeguarding of assets.
N.B. All members of an enterprise are responsible for the internal controls in their area of operation and for operating them effectively.
COSO INTERNAL CONTROL FRAMEWORK
* COSO provides an excellent description of this multidimensional concept of internal controls. It defines internal control as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
■ Effectiveness and efficiency of operations
■ Reliability of financial reporting
■ Compliance with applicable laws and regulations
This definition reflects four fundamental concepts:
1. Internal control is a process. It is a means to an end, not an end in itself [an ongoing, dynamic process].
2. Internal control is effected by people. It is not merely a policy manual and forms, but people and the actions they take at every level of an organization to effect internal control.
3. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
5. Internal control design and operation is management’s responsibility.
Internal control objectives:

Operations objectives:
 Focus on the effectiveness and efficiency of the organization’s operations, including operational and financial performance goals and safeguarding assets against loss.
 Have the controls set by the organization been properly designed, and are they operating effectively? Are your organization’s operating procedures efficient? Are the operational and financial performance goals realistic? Do they safeguard assets against risk and loss?
 Ensure achievement of the organization’s objectives (profit maximization, increased market share, etc.)
 Ensure the optimum utilization of the firm’s resources, i.e. men, material, machines and money.
 Are the most difficult to achieve, as they are influenced by:
• Judgment used to set the necessary criteria
• External factors such as economic conditions, political factors and technology development.
Reporting objectives:
 Relate to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, and other terms as set forth by regulators, standard setters, or the entity’s policies.
 Relate to the fair presentation of the financial statements being audited.
 Are the reports reliable, timely, and transparent? Which reports can be relied upon? Meeting the reporting objective is vital to meeting the organization’s goals.
 Ensure that the financial statements are aligned with accounting concepts and principles (GAAP).
 Ensure the reliability of financial reporting and compliance with laws and regulations.
 If not, the result is unreliable financial reports that do not reflect the true financial position and performance, and a poor public image.
Compliance objectives:
 Relate to adherence to the laws and procedures to which the entity is subject.
 Which laws and regulations apply to the organization?
 Enable the organization to avoid the legal, financial and/or non-financial complications of non-compliance, which can:
• Result in disciplinary actions
• Lead to a poor public image
 Reporting objectives and compliance objectives are standards established by external parties such as regulators and effected by the organization’s internal control.
EXHIBIT 4.1: COSO Framework of Internal Control
EXHIBIT 4.2: COSO Internal Control Model
I. COSO Internal Control Elements:
The Control Environment
 Is the foundation of any internal control structure and has an impact on:
…How activities are structured
…How risks are assessed
 The control environment reflects the overall attitude, awareness, and actions of the board of directors, management, and others concerning the importance of internal controls in the enterprise.
1) Sets “the tone at the top”
2) Establishes standards of conduct
3) Evaluates adherence to standards of conduct
4) Addresses deviations in a timely manner
1-Integrity and Ethical Values
 A code of ethics or conduct is an important component of organizational governance {all processes and procedures undertaken to direct and control organizational activities to reduce risks in order to achieve organizational objectives}.
 Even though an enterprise has a strong code, some employees may violate it out of ignorance rather than on purpose.
 Hence, an enterprise’s policies and values must be communicated and well explained at all levels of the enterprise.
 Obtain an understanding of the enterprise’s code of conduct and how it is applied.
 Management should issue appropriate policy statements and codes of conduct, and should not adopt policies that encourage personnel to falsify financial statement data. [P.98]
1-Integrity and Ethical Values
Management should maintain the organization’s ethical tone:
Provide proper guidance for proper behavior.
Remove temptations for unethical behavior.
Provide discipline when appropriate.

Examples:
 Code of conduct
 Tone at the top and communication
 Attitudes toward ethical values.
2-Commitment to Competence
For internal control to operate effectively, properly trained personnel must be performing appropriate tasks [e.g. credit manager].
Assessment of staff competence can be difficult; therefore, a strong and sound HR function with adequate assessment procedures is important, as well as providing appropriate training to enhance employees’ skills.
3-Board of Directors and Audit Committee
 An active BOD and an independent audit committee are essential components of the COSO control environment; they can prevent the concentration of control by management and can interact effectively with external and internal auditors.
 “Therefore, the BOD and audit committee have the ultimate responsibility for setting this tone at the top.”
 Ensure the board has financial expertise
 Challenge management and ask tough questions
 Seek input from internal, external and other professionals
 Discuss with senior management the current system of internal control
4-Management’s Philosophy and Operating Style
 Has a considerable influence over an enterprise’s control environment.
 Some top-level managers frequently take significant enterprise-level risks in their new business or product ventures, while others are very cautious or conservative.
 Each manager has definite “ideas” about how the operations of the entity should be conducted; therefore, internal auditors and others should take these factors into consideration when assessing IC or evaluating the effectiveness of these controls. {e.g. Wells Fargo bank}
5-Organizational Structure
 The organization structure is the manner or approach by which individual work efforts are both assigned and integrated for the achievement of overall goals.
 The organization structure component provides a framework for planning, executing, controlling, and monitoring activities to achieve overall objectives.
 This control environment factor relates to how functions are managed and organized {org. chart}.
 The assignment of authority and responsibility within the company is considered an evaluation criterion for the internal auditor on the control environment {centralized, decentralized, matrix}.

6- Assignment of Authority & Responsibility
 This COSO-defined aspect of the control environment is similar to the organizational structure.
 It is essentially the way responsibilities are defined in terms of job descriptions and structured in terms of organization charts.
 Internal audit can use the budgeting system to investigate any large deviations between actual and forecast figures.
 The control environment is greatly influenced by the extent to which individuals recognize they will be held accountable. This holds true all the way to the chief executive, who has ultimate responsibility for all activities within an entity, including the internal control system.
7-H.R Policies & Practices
 Critical to the control environment component.
 Internal audit should consider how strong HR policies and practices are when reviewing the IC framework.
 Areas where these human resources policies and practices are particularly important:
 Recruitment and hiring: hire the best, most qualified candidates, and transmit a message to prospective candidates about the enterprise’s values, culture, and operating style.
 New employee orientation: a clear signal should be given to new employees regarding the enterprise’s value system and the consequences of not complying with those values.
 Evaluation, promotion, and compensation: put in place a fair performance-evaluation program that maintains employee confidentiality.
 Disciplinary actions: consistent and well-understood policies for disciplinary actions should be in place. No double standard should exist for the application of disciplinary actions (i.e. to higher-level employees).
II. COSO Internal Control Elements:
Risk Assessment
What is risk assessment?
 Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
• “Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.”
• An enterprise should have a process in place to evaluate the potential risks that may impact attainment of its various objectives.
 COSO describes risk assessment as a three-step process:
 Estimate the significance of the risk.
 Assess the likelihood or frequency of the risk occurring.
 Consider how the risk should be managed and assess what actions must be taken.
II. COSO Internal Control Elements:
Risk Assessment
 The four principles relating to Risk Assessment are:
 The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
 The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
 The organization considers the potential for fraud in assessing risks to the achievement of objectives.
 The organization identifies and assesses changes that could significantly impact the system of internal control.
II. COSO Internal Control Elements:
Risk Assessment
COSO suggests that risks should be considered from three perspectives:
1. Enterprise risks due to external factors.
• Technological developments that can affect the nature and timing of new
product R & D or lead to changes in procurement processes.
• Changing customer needs or expectations, pricing, warranties, or service
activities.
• New legislation or regulations , catastrophes (9/11), can lead to changes in
operations and the importance of contingency planning.
2. Enterprise risks due to internal factors.
• A disruption in information systems can affect overall operations.
• The quality of personnel hired, and their training or motivation, can influence the level of control consciousness within the entity.
• The extent of employee accessibility to assets can contribute to
misappropriation of resources.
• Ineffective board or audit committee could lead to opportunities for
manipulation.
3. Specific activity-level risks.
• Business unit and key activity risks such as marketing or information systems.
• These risks should be continuously identified and built into various planning
processes.
II. COSO Internal Control Elements:
2- Risk Assessment

Risk-Analysis Methods:
• First identify the threats.
• Risk analysis can be performed using one of two basic methods:
 Quantitative risk assessment: deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis (cost of property, cost of equipment or inventory, cash dollar loss, damage and repair costs, cost of defending a lawsuit, etc.).
 Qualitative risk assessment: ranks threats by non-dollar values and is based more on scenario, intuition, and experience (loss of public trust, bad publicity, default on a project, violation of laws).
II. COSO Internal Control Elements:
3- Control Activities
 Are actions [policies and procedures] taken by management, the board, and other parties to mitigate risk and provide assurance that the company’s objectives will be achieved.
 Five key internal control activities:
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Design and use of adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
II. COSO Internal Control Elements:
Control Activities
1. Adequate segregation of duties:
 Divide responsibilities between different employees so one individual
doesn’t control all aspects of a transaction.
 Reduce the opportunity for an employee to commit errors (intentional
or unintentional) or fraud.
 Separation of the functions of authorization, recordkeeping, custody,
and verification (reconciling).
 Authorization: Control activities to provide reasonable assurance that
all transactions have been granted by the appropriate officials
(approval to execute).
 Record-keeping: Control activities to provide reasonable assurance
that all transactions have been properly recorded on a timely basis.
 Custody: Control activities to provide reasonable assurance that the
responsibility for custody for assets is separate from the responsibility
for maintaining the records relating to those assets
 Verification: Control activities to provide reasonable assurance that
all accounting information has been correctly captured (computer and
II. COSO Internal Control Elements:
Control Activities
 Examples:
 Application of segregation of duties in the sales/receivables cycle:
 Authorization: by the manager/head of the purchasing dept.
 Record-keeping: by the accounting dept. (A/R group, subsidiary ledger)
 Custody of cash receipts: by the treasurer (cash receipts).
 Verification: by the general ledger accounting group (control group).
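As an added example (not from the slides), a small Python check that applies the four-way separation above to a role/permission matrix: it lists every user who, through one role or several, holds two or more of authorization, record-keeping, custody and verification within the same cycle. Roles, users, cycles and assignments are constructed sample data, not any real system's.

```python
"""Segregation-of-duties (SoD) check over a role/permission matrix.

Added example: given which of the four incompatible functions each role
grants in a given cycle, report every user who ends up holding two or
more of them for the same cycle. All data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# The four functions the slides say must be kept separate.
SOD_FUNCTIONS = ("authorization", "recordkeeping", "custody", "verification")

# Constructed role catalogue: role -> set of (cycle, function) it grants.
ROLE_FUNCTIONS = {
    "credit_manager":   {("sales_receivable", "authorization")},
    "ar_clerk":         {("sales_receivable", "recordkeeping")},
    "treasurer":        {("sales_receivable", "custody")},
    "gl_control_group": {("sales_receivable", "verification")},
    # A broad legacy role that bundles record-keeping with custody.
    "ar_supervisor":    {("sales_receivable", "recordkeeping"),
                         ("sales_receivable", "custody")},
    "warehouse":        {("inventory", "custody")},
    "inventory_count":  {("inventory", "verification")},
}

# Constructed user -> roles assignments (what an IAM export would show).
USER_ROLES = {
    "alice": ["credit_manager"],
    "bob":   ["ar_clerk"],
    "carol": ["treasurer"],
    "dave":  ["gl_control_group"],
    "erin":  ["ar_supervisor"],                 # conflict inside one role
    "frank": ["ar_clerk", "treasurer"],         # conflict across two roles
    "grace": ["warehouse", "inventory_count"],  # conflict in another cycle
    "heidi": ["ar_clerk", "warehouse"],         # different cycles: no conflict
}


def functions_per_cycle(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Return {cycle: {function: granting_role}} for everything the user holds."""
    held = defaultdict(dict)
    for role in user_roles.get(user, []):
        for cycle, function in role_functions.get(role, set()):
            if function not in SOD_FUNCTIONS:
                raise ValueError(f"unknown SoD function {function!r} in role {role!r}")
            held[cycle].setdefault(function, role)  # keep the first granting role
    return held


def sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Return sorted (user, cycle, function_a, function_b) tuples, one per pair of
    incompatible functions a single user holds within the same cycle."""
    findings = []
    for user in user_roles:
        for cycle, funcs in functions_per_cycle(user, user_roles, role_functions).items():
            for fa, fb in combinations(sorted(funcs), 2):
                findings.append((user, cycle, fa, fb))
    return sorted(findings)


def report(findings, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Render findings as audit lines naming the role that granted each function."""
    lines = []
    for user, cycle, fa, fb in findings:
        held = functions_per_cycle(user, user_roles, role_functions)[cycle]
        lines.append(f"{user}: holds {fa} (via {held[fa]}) and {fb} (via {held[fb]}) "
                     f"in the {cycle} cycle")
    return lines


if __name__ == "__main__":
    for line in report(sod_conflicts()):
        print(line)
```

A finding is not automatically a failure: the slides later describe close supervision as a compensating control where full separation cannot be achieved, so each line is a prompt to either split the role or document that compensating control.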
II. COSO Internal Control Elements:
Control Activities
2. Proper authorization of transactions and activities:
 Ensure that transactions are properly approved and executed by employees within the scope of the policies and procedures granted.
 The granting of credit is authorized before shipment takes place.
3. Design and use of adequate documents and records:
Document and preserve evidence to substantiate:
 Critical decisions and significant events, typically involving the use, commitment, or transfer of resources.
 Transactions: enables a transaction to be traced from its inception to completion.
 Pre-numbered consecutive documents so missing items are noticed.
 Prepared as near to transaction time as possible.
 Good design with instructions and appropriate spaces.
 Recording of sales is supported by authorized shipping documents and approved customer orders.
II. COSO Internal Control Elements:
Control Activities
4- Physical control over assets and records:
 Secure equipment, cash, inventory, confidential information, etc., and restrict access to authorized personnel only, to reduce the risk of loss or unauthorized use. {Direct access}
 Protect the documents that authorize the usage and disposition of assets. {Indirect access}
 Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
 Base the level of security on the vulnerability of the items being secured, the likelihood of loss, and the potential impact should a loss occur.
 Access controls to prevent unauthorized entry into computer systems.
 Backup and recovery procedures.
 Example: receivables write-off forms for uncollectible A/R should not be accessible to the cashier.
II. COSO Internal Control Elements:
Control Activities
5- Independent checks on performance:
 Independent checks of transactions, information, and
events to verify accuracy, completeness,
appropriateness, and compliance.
 Frequency of checks is based on the level of materiality,
risk, and overall importance to organization’s objectives.
 Ensure frequency is adequate enough to detect and act
upon questionable activities in a timely manner.
 Conditions of effective checks:
 Examiner independence
 Timing (periodic and unexpected checks)
 Action reporting any discrepancies detected
 e.g. reconciliations, reviews and/or physical counts
II. COSO Internal Control Elements:
Control Activities, Types of Controls:
There are different classifications of controls:
Primary controls (key controls): actions designed to mitigate risks associated with a critical business objective, which include:

Type: Preventive
Definition: Deters unintended events (risk) from being realized in the first place.
Example: Physical and logical access controls, such as locked doors and user IDs with unique passwords.

Type: Detective
Definition: Discovers undesirable events that have already occurred.
Example: Data mining to detect fraud patterns, surveillance cameras to identify physical access, and review of computer logs listing unauthorized access attempts.

Type: Corrective
Definition: Detects if a risk is realized and reacts; corrects detected deviations.
Example: Thermostat in a computer room that protects valuable equipment.

Type: Directive
Definition: Encourages or causes the occurrence of desirable events.
Example: Directors and manuals
II. COSO Internal Control Elements:
Control Activities, Types of Controls:
 Secondary controls: activities designed either to reduce risk associated with business objectives that are not critical to the organization’s survival or success, or to serve as a backup to a key control.

Type: Compensating
Definition: Designed to supplement key controls that are either ineffective or cannot by themselves fully mitigate a risk or group of risks to an acceptable level, within the risk established by management and the board.
Example: Close supervision in instances when adequate segregation of duties cannot be achieved.

Type: Complementary
Definition: Designed to work with other controls to reduce risk to an acceptable level.
Example: Obtain bank deposit slips besides the separation-of-duties control procedure.
II. COSO Internal Control Elements:
Control Activities, Types of Controls:
Entity-Level Control: A control that operates across
an entire entity, and, as such, is not bound by, or associated with,
individual processes.
 Entity-level controls include:
 Controls related to the control environment;
 Controls over management override;
 The company’s risk assessment process;
 Centralized processing and controls;
 Controls to monitor results of operations;
 Controls to monitor other controls, including activities of the
internal audit function, the audit committee, and self-assessment
programs;
 Control over the period-end financial reporting process; and
 Policies that address significant business control and risk
management practices.
II. COSO Internal Control Elements:
Control Activities, Types of Controls:
Process-Level Control: An activity that operates within a specific process for the purpose of achieving process-level objectives.
 Are more detailed in their focus than entity-level controls.
 Established by process owners to reduce the risk that threatens the achievement of process objectives.
 Examples of process-level controls include:
 Reconciliations of key accounts;
 Physical verifications of assets (such as inventory counts);
 Process employee supervision and performance evaluations;
 Process-level risk assessments;
 Monitoring/oversight of specific transactions.
II. COSO Internal Control Elements:
Control Activities, Types of Controls:
 Transaction-Level Control: An activity that reduces risk relative to a group or variety of operational-level tasks or transactions within an organization.
 Are even more detailed in their focus than process-level controls.
 Designed to ensure that individual operational activities or transactions are processed accurately and on a timely basis.
 Examples of transaction-level controls include:
 Authorization;
 Documentation (such as source documents);
 Segregation of duties;
 IT application controls (input, processing, output).
II. COSO Internal Control Elements:
4- Information and communication:
 Relevant information must be captured, identified and
communicated on a timely basis.
 Effective information and communication systems enable
the organization’s people to exchange the information
needed to conduct, manage, and control its operations.
 Factors to be considered:
• Internal and external information on operational
performance provided to management
• Information distributed to the "right" people
• Effective internal communications
• Effective external communications
• Diverse organization information systems
• Information aligned with current business needs
• Updated information system.
II. COSO Internal Control Elements:
4- Information and communication:
What information should be
communicated?
• Performance data
– need to determine progress towards
organization’s mission and vision
• Operational data
– need to determine organization's compliance
with laws and regulations
• Financial data
– need to develop financial statements, budget
reports, and other accounting based data
II. COSO Internal Control Elements:
4- Information and communication:
Forms of communication:
Hard copies:
• Policy & procedures manuals
• Memoranda
• Bulletin boards located in areas where individuals assemble
Face to face:
• Meetings
• Speeches & briefings
• Management directives
Electronically:
• Memos & emails
• Internet & intranet
• Video conferencing
• Electronic bulletin boards
• Information systems
II. COSO Internal Control Elements:
5- Monitoring:
 Internal control systems must be monitored to assess their effectiveness. Are they operating as intended?
 Ongoing monitoring built into business processes is necessary to react dynamically to changing conditions. Have controls become outdated, redundant, or obsolete?
 Monitoring occurs in the course of everyday operations; it includes regular management and supervisory activities and other actions personnel take in performing their duties.
 Periodic testing can be done by the process owner, internal audit and external audit.
“Client management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.”
II. COSO Internal Control Elements:
5- Monitoring:
For many companies, especially larger ones, an independent internal audit department is essential for effective monitoring, and it should report to a high level of authority, preferably the audit committee of the board of directors.

Factors to be considered:
• Monitoring should be ongoing
• Separate evaluations take place
• Findings are resolved
II. COSO Internal Control Elements:
5- Monitoring:
• Monitoring of grantees by reviewing and using the Single Audit reports to help assess grantee performance
• Monitoring contractor performance against the terms and conditions of the contract
• Monitoring usage of cell phones
• Communications from external parties.
• Enterprise structure and supervisory activities that routinely review and correct lower-level errors and assure improved clerical employee performance.
II. COSO Internal Control Elements:
5- Monitoring:
• Financial statement auditors
• Peer reviews
• Inspector General/Public Auditor
• Management control reviews
• Physical inventories and asset reconciliation
Evaluating the system of internal controls: an overview
 Management is responsible for putting in place adequate and effective operating entity-level and activity-level controls to mitigate risks to the achievement of business objectives as defined by the COSO framework (operations, reporting, and compliance).
 The internal audit function independently validates management’s results and submits a report to the audit committee outlining the results of management’s assessment regarding the ICFR.
Evaluating the system of internal controls: an overview
 Sarbanes-Oxley additionally requires management of organizations registered with the SEC to publicly report on the reliability of ICFR.
 Entity-wide and business process control activities are designed to provide reasonable assurance that the financial reporting assertion reliability objectives are achieved (recognition, measurement, presentation, and disclosure of accounts).
Evaluating the system of internal controls: an overview
 Five basic financial statement assertions are:

Transactions (revenues, expenses):
• Occurrence (are they real)
• Accuracy (right $ amount)
• Completeness (all my transactions)
• Cut-off (correct period)
• Classification (using the correct account when debiting & crediting)

Balances:
• Existence (real)
• Valuation & Allocation (are items recorded at the right amount and type, ST & LT)
• Completeness (all assets and liabilities were recorded)
• Cut-off
• Rights and Obligations

Presentation + Disclosure:
• Understandability of assertions

Limitation of Internal Control
Thank You….
