COSO Internal Control System
COSO a management framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. The framework’s major objective is to identify the factors that cause fraudulent financial reporting, and to issue recommendations and guidelines on internal control for reducing risks. COSO is recognised for providing guidance on critical aspects of organisational governance, business ethics, internal control, enterprise risk management (ERM), fraud, and financial reporting.
The COSO framework defines internal control as a process, effectively implemented by an entity's board of directors, management and other personnel, and designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations;
- Reliability of financial reporting;
- Compliance with applicable laws and regulations;
- Safeguarding of assets.
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analysing the internal control system implemented in an organisation.
- The control environment sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organisation.
- Risk assessment. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed. (see Risk Management)
- Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organisation, at all levels and in all functions. They include a range of activities as diverse as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
- Information and communication. Information systems play a key role in internal control systems as they produce reports – including operational, financial and compliance-related information – that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organisation. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
- Monitoring. Internal control systems need to be monitored, i.e. a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
COSO 2013 updates the Internal Control — Integrated Framework, to make it more relevant in the increasingly complex business environment. The internal control concepts will now be codified into 17 principles.