Objectives, Components,
Principles and Points of Focus
DEFINITION OF INTERNAL CONTROL
Internal control is a process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives relating to
operations, reporting, and compliance.
OBJECTIVES
The Framework sets forth three categories of
objectives, which allow organizations to focus
on separate aspects of internal control:
• Operations Objectives
• Reporting Objectives
• Compliance Objectives
OPERATIONS OBJECTIVES
These pertain to effectiveness and efficiency of
the entity’s operations, including operational
and financial performance goals, and
safeguarding assets against loss.
REPORTING OBJECTIVES
These pertain to internal and external financial
and non-financial reporting and may encompass
reliability, timeliness, transparency, or other
terms as set forth by regulators, standard
setters, or the entity’s policies.
COMPLIANCE OBJECTIVES
These pertain to adherence to laws and
regulations to which the entity is subject.
COMPONENTS
Supporting the organization in its efforts to
achieve objectives are five components of
internal control:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities
RELATIONSHIP OF OBJECTIVES,
COMPONENTS AND THE ENTITY
A direct relationship exists between objectives,
which are what an entity strives to achieve,
components, which represent what is required to
achieve the objectives, and entity structure (the
operating units, legal entities, and other
structures). The relationship can be depicted in the
form of a cube:
• The three categories of
objectives are represented
by the columns.
• The five components are
represented by the rows.
• The entity structure, which
represents the overall
entity, divisions,
subsidiaries, operating
units, or functions,
including business
processes such as sales,
purchasing, production,
and marketing, and to which
internal control relates, is
depicted by the third
dimension of the cube.
CONTROL ENVIRONMENT
• The control environment is the set of standards,
processes, and structures that provide the basis
for carrying out internal control across the
organization.
• The board of directors and senior management
establish the tone at the top regarding the
importance of internal control including
expected standards of conduct.
• Management reinforces expectations at the
various levels of the organization.
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ENVIRONMENT”
Principle 1:
The organization demonstrates a commitment to integrity and
ethical values.
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ENVIRONMENT”
Principle 2:
The board of directors demonstrates independence from
management and exercises oversight of the development and
performance of internal control.
Points of Focus:
• Establishes Oversight Responsibilities
• Applies Relevant Expertise
• Operates Independently
• Provides Oversight for the System of Internal Control
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ENVIRONMENT”
Principle 3:
Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities
in the pursuit of objectives.
Points of Focus:
• Considers All Structures of the Entity
• Establishes Reporting Lines
• Defines, Assigns, and Limits Authorities and Responsibilities
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ENVIRONMENT”
Principle 4:
The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with
objectives.
Points of Focus:
• Establishes Policies and Practices
• Evaluates Competence and Addresses Shortcomings
• Attracts, Develops, and Retains Individuals
• Plans and Prepares for Succession
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ENVIRONMENT”
Principle 5:
The organization holds individuals accountable for their
internal control responsibilities in the pursuit of objectives.
Points of Focus:
• Enforces Accountability through Structures, Authorities, and
Responsibilities
• Establishes Performance Measures, Incentives, and Rewards
• Evaluates Performance Measures, Incentives, and Rewards
for Ongoing Relevance
• Considers Excessive Pressures
• Evaluates Performance and Rewards or Disciplines
Individuals
RISK ASSESSMENT
• Risk is defined as the possibility that an event will
occur and adversely affect the achievement of
objectives.
• Risk assessment involves a dynamic and iterative
process for identifying and assessing risks to the
achievement of objectives. Risks to the achievement
of these objectives from across the entity are
considered relative to established risk tolerances.
Thus, risk assessment forms the basis for determining
how risks will be managed.
• A precondition to risk assessment is the establishment
of objectives, linked at different levels of the entity.
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 6:
The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
1. Points of Focus for Operations Objectives:
• Reflects Management’s Choices
• Considers Tolerances for Risk
• Includes Operations and Financial Performance Goals
• Forms a Basis for Committing of Resources
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 6:
The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
2. Points of Focus for External Financial Reporting Objectives:
• Complies with Applicable Accounting Standards
• Considers Materiality
• Reflects Entity Activities
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 6:
The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
3. Points of Focus for External Non-Financial Reporting
Objectives:
• Complies with Externally Established Standards and
Frameworks
• Considers the Required Level of Precision
• Reflects Entity Activities
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 6:
The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
4. Points of Focus for Internal Reporting Objectives:
• Reflects Management’s Choices
• Considers the Required Level of Precision
• Reflects Entity Activities
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 6:
The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
5. Points of Focus for Compliance Objectives:
• Reflects External Laws and Regulations
• Considers Tolerances for Risk
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 7:
The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
Points of Focus:
• Includes Entity, Subsidiary, Division, Operating Unit, and
Functional Levels
• Analyzes Internal and External Factors
• Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
• Determines How to Respond to Risks
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 8:
The organization considers the potential for fraud in assessing
risks to the achievement of objectives.
Points of Focus:
• Considers Various Types of Fraud
• Assesses Incentive and Pressures
• Assesses Opportunities
• Assesses Attitudes and Rationalizations
PRINCIPLES AND POINTS OF FOCUS OF
THE “RISK ASSESSMENT”
Principle 9:
The organization identifies and assesses changes that could
significantly impact the system of internal control.
Points of Focus:
• Assesses Changes in the External Environment
• Assesses Changes in the Business Model
• Assesses Changes in Leadership
CONTROL ACTIVITIES
• Control activities are the actions established through
policies and procedures that help ensure that
management’s directives to mitigate risks to the
achievement of objectives are carried out.
• Control activities are performed at all levels of the entity,
at various stages within business processes, and over the
technology environment. They may be preventive or
detective in nature and may encompass a range of manual
and automated activities such as authorizations and
approvals, verifications, reconciliations, and business
performance reviews.
• Segregation of duties is typically built into the selection
and development of control activities. Where segregation
of duties is not practical, management selects and
develops alternative control activities.
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ACTIVITIES”
Principle 10:
The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of
objectives to acceptable levels.
Points of Focus:
• Integrates with Risk Assessment
• Considers Entity-Specific Factors
• Determines Relevant Business Processes
• Evaluates a Mix of Control Activity Types
• Considers at What Level Activities Are Applied
• Addresses Segregation of Duties
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ACTIVITIES”
Principle 11:
The organization selects and develops general control activities
over technology to support the achievement of objectives.
Points of Focus:
• Determines Dependency between the Use of Technology in
Business Processes and Technology General Controls
• Establishes Relevant Technology Infrastructure Control
Activities
• Establishes Relevant Security Management Process Control
Activities
• Establishes Relevant Technology Acquisition, Development,
and Maintenance Process Control Activities
PRINCIPLES AND POINTS OF FOCUS OF
THE “CONTROL ACTIVITIES”
Principle 12:
The organization deploys control activities through policies that
establish what is expected and procedures that put policies
into action.
Points of Focus:
• Establishes Policies and Procedures to Support Deployment
of Management’s Directives
• Establishes Responsibility and Accountability for Executing
Policies and Procedures
• Performs in a Timely Manner
• Takes Corrective Action
• Performs Using Competent Personnel
• Reassesses Policies and Procedures
INFORMATION AND COMMUNICATION
• Information is necessary for the entity to carry out internal control
responsibilities to support the achievement of its objectives.
• Management obtains or generates and uses relevant and quality
information from both internal and external sources to support the
functioning of other components of internal control.
• Communication is the continual, iterative process of providing, sharing,
and obtaining necessary information.
• Internal communication is the means by which information is
disseminated throughout the organization, flowing up, down, and across
the entity. It enables personnel to receive a clear message from senior
management that control responsibilities must be taken seriously.
• External communication is twofold:
– it enables inbound communication of relevant external information
and
– provides information to external parties in response to requirements
and expectations.
PRINCIPLES AND POINTS OF FOCUS OF THE
“INFORMATION AND COMMUNICATION”
Principle 13:
The organization obtains or generates and uses relevant,
quality information to support the functioning of other
components of internal control.
Points of Focus:
• Identifies Information Requirements
• Captures Internal and External Sources of Data
• Processes Relevant Data into Information
• Maintains Quality throughout Processing
• Considers Costs and Benefits
Principle 14:
The organization internally communicates information,
including objectives and responsibilities for internal control,
necessary to support the functioning of other components of
internal control.
Points of Focus:
• Communicates Internal Control Information
• Communicates with the Board of Directors
• Provides Separate Communication Lines
• Selects Relevant Method of Communication
PRINCIPLES AND POINTS OF FOCUS OF THE
“INFORMATION AND COMMUNICATION”
Principle 15:
The organization communicates with external parties regarding
matters affecting the functioning of other components of
internal control.
Points of Focus:
• Communicates to External Parties
• Enables Inbound Communications
• Communicates with the Board of Directors
• Provides Separate Communication Lines
• Selects Relevant Method of Communication
MONITORING ACTIVITIES
• Ongoing evaluations, separate evaluations, or some
combination of the two are used to ascertain whether
each of the five components of internal control, including
controls to effect the principles within each component, is
present and functioning.
• Ongoing evaluations, built into business processes at
different levels of the entity, provide timely information.
• Separate evaluations, conducted periodically, will vary in
scope and frequency depending on assessment of risks,
effectiveness of ongoing evaluations, and other
management considerations.
• Findings are evaluated against criteria established by
regulators, standard-setting bodies, or management and
the board of directors, and deficiencies are communicated to
management and the board of directors as appropriate.
PRINCIPLES AND POINTS OF FOCUS OF
THE “MONITORING ACTIVITIES”
Principle 16:
The organization selects, develops, and performs ongoing
and/or separate evaluations to ascertain whether the
components of internal control are present and functioning.
Points of Focus:
• Considers a Mix of Ongoing and Separate Evaluations
• Considers Rate of Change
• Establishes Baseline Understanding
• Uses Knowledgeable Personnel
• Integrates with Business Processes
• Adjusts Scope and Frequency
• Objectively Evaluates
PRINCIPLES AND POINTS OF FOCUS OF
THE “MONITORING ACTIVITIES”
Principle 17:
The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the
board of directors, as appropriate.
Points of Focus:
• Assesses Results
• Communicates Deficiencies
• Monitors Corrective Actions
LIMITATIONS OF INTERNAL CONTROL
• Internal control, no matter how well designed,
implemented and conducted, can provide only
reasonable assurance to management and the board
of directors of the achievement of an entity’s
objectives.
• The likelihood of achievement is affected by
limitations inherent in all systems of internal control.
These include the realities that human judgment in
decision making can be faulty and that breakdowns
can occur because of human failures such as making
errors.
• Additionally, controls can be circumvented by two or
more people colluding, and management can
override the internal control system.

COSO Internal Control - Integrated Framework

  • 2. DEFINITION OF INTERNAL CONTROL Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
  • 3. OBJECTIVES The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control: • Operations Objectives • Reporting Objectives • Compliance Objectives
  • 4. OPERATIONS OBJECTIVES These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
  • 5. REPORTING OBJECTIVES These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.
  • 6. COMPLIANCE OBJECTIVES These pertain to adherence to laws and regulations to which the entity is subject.
  • 7. COMPONENTS Supporting the organization in its efforts to achieve objectives are five components of internal control: • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring Activities
  • 8. RELATIONSHIP OF OBJECTIVES, COMPONENTS AND THE ENTITY A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube:
  • 9. • The three categories of objectives are represented by the columns. • The five components are represented by the rows. • The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, are depicted by the third dimension of the cube.
  • 10. CONTROL ENVIRONMENT • The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. • The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. • Management reinforces expectations at the various levels of the organization.
  • 11. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT” Principle 1. The organization demonstrates a commitment to integrity and ethical values. Points of focus: • Sets the Tone at the Top • Establishes Standards of Conduct • Evaluates Adherence to Standards of Conduct • Addresses Deviations in a Timely Manner
  • 12. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT” Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Points of Focus: • Establishes Oversight Responsibilities • Applies Relevant Expertise • Operates Independently • Provides Oversight for the System of Internal Control
  • 13. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT” Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Points of Focus: • Considers All Structures of the Entity • Establishes Reporting Lines • Defines, Assigns, and Limits Authorities and Responsibilities
  • 14. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT” Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Points of Focus: • Establishes Policies and Practices • Evaluates Competence and Addresses Shortcomings • Attracts, Develops, and Retains Individuals • Plans and Prepares for Succession
  • 15. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ENVIRONMENT” Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Points of Focus: • Enforces Accountability through Structures, Authorities, and Responsibilities • Establishes Performance Measures, Incentives, and Rewards • Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance • Considers Excessive Pressures • Evaluates Performance and Rewards or Disciplines Individuals
  • 16. RISK ASSESSMENT • Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. • Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. • A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity.
  • 17. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 1. Points of Focus for Operations Objectives: • Reflects Management’s Choices • Considers Tolerances for Risk • Includes Operations and Financial Performance Goals • Forms a Basis for Committing of Resources
  • 18. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 2. Points of Focus for External Financial Reporting Objectives: • Complies with Applicable Accounting Standards • Considers Materiality • Reflects Entity Activities
  • 19. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 3. Points of Focus for External Non-Financial Reporting Objectives: • Complies with Externally Established Standards and Frameworks • Considers the Required Level of Precision • Reflects Entity Activities
  • 20. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 4. Points of Focus for Internal Reporting Objectives: • Reflects Management’s Choices • Considers the Required Level of Precision • Reflects Entity Activities
  • 21. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 5. Points of Focus for Compliance Objectives: • Reflects External Laws and Regulations • Considers Tolerances for Risk
  • 22. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Points of Focus: • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels • Analyzes Internal and External Factors • Involves Appropriate Levels of Management • Estimates Significance of Risks Identified • Determines How to Respond to Risks
  • 23. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Points of Focus: • Considers Various Types of Fraud • Assesses Incentive and Pressures • Assesses Opportunities • Assesses Attitudes and Rationalizations
  • 24. PRINCIPLES AND POINTS OF FOCUS OF THE “RISK ASSESSMENT” Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control. Points of Focus: • Assesses Changes in the External Environment • Assesses Changes in the Business Model • Assesses Changes in Leadership
  • 25. CONTROL ACTIVITIES • Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. • Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. • Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
  • 26. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ACTIVITIES” Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Points of Focus: • Integrates with Risk Assessment • Considers Entity-Specific Factors • Determines Relevant Business Processes • Evaluates a Mix of Control Activity Types • Considers at What Level Activities Are Applied • Addresses Segregation of Duties
  • 27. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ACTIVITIES” Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. Points of Focus: • Determines Dependency between the Use of Technology in Business Processes and Technology General Controls • Establishes Relevant Technology Infrastructure Control Activities • Establishes Relevant Security Management Process Control Activities • Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
  • 28. PRINCIPLES AND POINTS OF FOCUS OF THE “CONTROL ACTIVITIES” Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. Points of Focus: • Establishes Policies and Procedures to Support Deployment of Management’s Directives • Establishes Responsibility and Accountability for Executing Policies and Procedures • Performs in a Timely Manner • Takes Corrective Action • Performs Using Competent Personnel • Reassesses Policies and Procedures
  • 29. INFORMATION AND COMMUNICATION
    • Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.
    • Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.
    • Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
    • Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
    • External communication is twofold:
      – it enables inbound communication of relevant external information and
      – provides information to external parties in response to requirements and expectations.
  • 30. PRINCIPLES AND POINTS OF FOCUS OF THE “INFORMATION AND COMMUNICATION”
    Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
    Points of Focus:
    • Identifies Information Requirements
    • Captures Internal and External Sources of Data
    • Processes Relevant Data into Information
    • Maintains Quality throughout Processing
    • Considers Costs and Benefits
  • 31. PRINCIPLES AND POINTS OF FOCUS OF THE “INFORMATION AND COMMUNICATION”
    Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
    Points of Focus:
    • Communicates Internal Control Information
    • Communicates with the Board of Directors
    • Provides Separate Communication Lines
    • Selects Relevant Method of Communication
  • 32. PRINCIPLES AND POINTS OF FOCUS OF THE “INFORMATION AND COMMUNICATION”
    Principle 15: The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
    Points of Focus:
    • Communicates to External Parties
    • Enables Inbound Communications
    • Communicates with the Board of Directors
    • Provides Separate Communication Lines
    • Selects Relevant Method of Communication
  • 33. MONITORING ACTIVITIES
    • Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.
    • Ongoing evaluations, built into business processes at different levels of the entity, provide timely information.
    • Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.
    • Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
  • 34. PRINCIPLES AND POINTS OF FOCUS OF THE “MONITORING ACTIVITIES”
    Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    Points of Focus:
    • Considers a Mix of Ongoing and Separate Evaluations
    • Considers Rate of Change
    • Establishes Baseline Understanding
    • Uses Knowledgeable Personnel
    • Integrates with Business Processes
    • Adjusts Scope and Frequency
    • Objectively Evaluates
  • 35. PRINCIPLES AND POINTS OF FOCUS OF THE “MONITORING ACTIVITIES”
    Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
    Points of Focus:
    • Assesses Results
    • Communicates Deficiencies
    • Monitors Corrective Actions
  • 36. LIMITATIONS OF INTERNAL CONTROL
    • Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives.
    • The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty and that breakdowns can occur because of human failures such as making errors.
    • Additionally, controls can be circumvented by two or more people colluding, and because management can override the internal control system.