As the business and operating environment changes, there has been a greater demand for transparency and accountability as to the integrity of internal control. This has become very critical today as businesses drive to enhance the likelihood of them achieving their objectives and be able to adapt to changes in the global business environment.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released in 1992 the Integrated Internal Control Framework that will enable organizations to effectively and efficiently develop and maintain systems of internal control. It also includes enhancements and clarifications that will provide organizations the ease of using and applying the Framework.
An Overview of the COSO Framework
The COSO Framework is the globally recognized framework for designing, implementing, conducting, and assessing internal control. It is recognized as the definitive standard against which organizations measure the effectiveness of internal control systems.
If we look at the internal control, this is not a serial process but a dynamic and integrated process. It is a process effected by an organization’s Board of Directors, Management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. It can be considered an enabler when it comes to achieving Operational Excellence.
The COSO Framework provides for 3 categories of objectives. These categories allow organizations to focus on different aspects of internal control. It ensures that the internal control system is operationally efficient and effective, reporting reliable data, and remain compliant to laws and regulations.
The 5 Components of the COSO Framework
In an effective internal control system, 5 Components of the COSO Framework must be present to support the achievement of an organization’s mission, strategies, and related business objectives.
Component 1: Control Environment. This is a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Component 2: Risk Assessment. This forms the basis for determining how risks will be managed. It involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. It determines the possibility that an event will occur and adversely affect the achievement of objectives.
Component 3: Control Activities. The 3rd component ensures that Management’s directives to mitigate risks to the achievement of objectives are carried out. These are actions that are established through policies and procedures. It may be preventive or detective in nature.
Component 4: Information and Communication. This component focuses on the generation of relevant and quality information to support the functioning of other components. It is a continuous iterative process of providing, sharing, ad obtaining the necessary information. This is necessary to enable businesses to carry out internal control responsibilities to support the achievement of its objectives.
Component 5: Monitoring Activities. Monitoring activities, as a component, ascertains whether each of the 5 components of internal control is present and functioning. It includes the conduct of ongoing evaluations, separate evaluations, or a combination of both.
The 5 Components of the COSO Framework are essentially important as they represent what is required to achieve the objectives and the organizational structure of the organization. Each component has its underlying principles and key elements to better guide organizations in putting the components in place.
Additional Key Considerations
The COSO Framework sets the requirements for an effective system of internal control. An effective system reduces, to an acceptable level, the risk of not achieving the organization’s objectives.
There are additional key considerations that organizations must take note of. One consideration is that each of the 5 components and relevant principles is present and functioning. Present refers to the determination that the components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. Functions refer to the determination that the components and relevant principles continue to exist in the operations and conduct of the system of internal control to achieve specified objectives.
Are you a management consultant?