SUSTAINABILITY
contribute to the United Nations Sustainable Development
SEC issued Sustainability Reporting Guidelines for Publicly
Listed Companies (Memorandum Circular No. 4, series of
2019) to promote sustainability reporting in the Philippines.
The Guidelines adopted the comply or explain approach for
the first three years upon implementation.
Based on the Guidelines, Sustainability is defined as
“development that meets the needs of the present without
compromising the ability of future generations to meet their
own needs.” It focuses on how a company manages its
economic, environmental and social impacts, risks and
opportunities.
Sustainability involves developing strategies so that the
organization only uses resources (inputs) at a rate that allows
them to be replenished (in order to ensure that they will
continue to be available). At the same time emissions of waste
(outputs) are confined to levels that do not exceed the capacity
of the environment to absorb them.
The phrase “the triple bottom line” was first coined in 1994 by
John Elkington, the founder of a British consultancy called
Sustainability. His argument was that companies should be
preparing three different (and quite separate) bottom lines.
Triple Bottom Line
The aim of the triple bottom line is to measure the financial,
social and environmental performance of the corporation over
a period of time. Only a company that produces a TBL is taking
account of the full cost involved in doing business.
The Reporting Principles for defining report quality guide
choices on ensuring the quality of information in a
sustainability report, including its proper presentation. The
quality of information is important for enabling stakeholders
to make sound and reasonable assessments of an
organization, and to take appropriate actions.
The Guidelines provides a Sustainability Reporting Framework
for Philippine PLCs that builds upon four of the globally
accepted frameworks:
1. Global Reporting Initiative’s (GRI) Sustainability
Reporting Standards
2. International Integrated Reporting Council’s (IIRC)
Integrated Reporting (IR) Framework
3. Sustainability Accounting Standards Board’s (SASB)
Sustainability Accounting Standards
4. Task Force on Climate-related Financial Disclosure (TCFD)
Disclosure are also required on how companies are able to
Goals (SDGs) through their products and services. SDGs are a
universal call to action, to end poverty, protect the planet and
ensure that all people enjoy peace and prosperity and includes
seventeen (17) goals.
Under the Doctrine of Intergenerational Responsibility,
minors have personality to sue on behalf of the succeeding
generations insofar as the right to a balanced and healthful
ecology is concerned.
Such a right considers the "rhythm and harmony of nature."
Nature means the created world in its entirety.
Rhythm and harmony indispensably include, inter alia, the
judicious disposition, utilization, management, renewal and
conservation of the country's forest, mineral, land, waters,
fisheries, wildlife, offshore areas and other natural resources
to the end that their exploration, development and utilization
be equitably accessible to the present as well as future
generations.
Needless to say, every generation has a responsibility to the
next to preserve that rhythm and harmony for the full
enjoyment of a balanced and healthful ecology. Put a little
differently, the minors' assertion of their right to a sound
environment constitutes, at the same time, the performance
of their obligation to ensure the protection of that right for the
generations to come.
FUNDAMENTAL CONCEPTS OF RISK AND
THE RISK MANAGEMENT PROCESS
Risk
− Various publications view risk as a by-product of setting
objectives, whether for profit or not for profit
− Risk is the effect of uncertainty on objectives
− is the combination of the probability of occurrence of
harm and the severity of that harm.
− is the possibility that events will occur and affect the
achievement of business objectives.
− is the possibility of an event occurring that will have an
impact on the achievement of objectives.
− is measured in terms of impact and likelihood.
− is the deviation from expectations. It can be positive or
negative.
− is not the harm itself. Rather, risk is merely a possibility
that harm will occur. What causes harm is hazard.
Hazard
− can be qualified in order to define the origin of the
hazard or the nature of the expected harm (e.g. “electric
shock hazard”, “crushing hazard”, “cutting hazard”,
“toxic hazard”, “fire hazard”, “drowning hazard”).
Moreover, the concept of risk does not always relate to harm.
Risk can likewise create opportunities. Investing in stocks
presents a speculative risk where either a gain or loss can
result.
The concept of risk must be distinguished from uncertainty.
Frank Knight (1921) distinguished two types of uncertainty:
1. Uncertainty risk or not knowing the potential outcomes
and the probability of these outcomes.
2. Genuine uncertainty where the potential outcomes and
their probabilities are unknown.
Classification of Risks
Risks can be classified based on its effect, controllability,
correlation, impact, and drivers
Risks can be fundamental, particular, speculative, and pure.
Fundamental risks are those that affect society in general. It is
beyond the control of any one e.g. risk of atmospheric
pollution. Particular risks are risks over which an individual
may have some measure of control. For example, there is a risk
attached to smoking and we can mitigate that risk by refraining
from smoking. Speculative risks are those from which either
good or harm may result. Investing in stocks as discussed
earlier presents a speculative risk because either a gain or loss
can result. Pure risks are those whose only possible outcome
is harmful e.g., risk of loss due to fire.
Classification of Risks
1. Controllable vs. Uncontrollable - Risk may be classified
according to controllability, i.e., Controllable
(unsystematic) and Uncontrollable (systematic)
2. Positive vs. Negative Correlation
− Where positive correlation exists, the risks will increase
or decrease together.
− If there is negative correlation, one risk will increase as
the other decreases and vice versa.
− The relationship between the risks is measured by the
correlation coefficient.
3. Financial vs. Non-Financial
− Financial Risk has some direct financial impact on the
entity is treated as financial risk. This risk may be
Market risk, Credit risk, Liquidity risk, Operational Risk,
Legal Risk and Country Risk.
− Non-Financial Risks do not usually have direct and
immediate financial impact on the business.
Nonfinancial risk may have a significant financial impact
if left uncontrolled. Examples are Business/Industry &
Service Risk, Strategic Risk, Compliance Risk, Industry
Fraud Risk, Reputation Risk, Transaction risk, Disaster
Risk.
4. Strategic vs Operational
− Operational risks relate to matters that can go wrong
on a day-to-day basis while the organization is carrying
out its business. It is the risk of loss from a failure of
internal business and control processes.
− Strategic risk is the potential volatility of profits caused
by the nature and type of the business strategies. It
relates to the business long-term effect of key strategic
decisions.
Impact of Risk to Stakeholders
• Shareholders
− When the company’s risk profile changes, shareholders
may sell their shares resulting to a lower share price, or
they may replace directors depending on their level of
risk tolerance.
− Risk averse shareholders can tolerate risks up to a point
where the receive acceptable return. Risk-seeking
shareholders likely enjoy investing in risk ventures. Risk
neutral focus on maximizing return notwithstanding
the level of risk.
• Creditors
− Creditors are concerned whether the company can
fulfil its obligation and limit the risk of default;
otherwise, they can deny credit, charge higher interest,
file actions in court that could lead the company into
liquidation, ask for collateral.
− The long-term strategic objectives of the company may
be unacceptable to potential creditors because of the
differences in their risk appetite. Creditors may place
restrictive provisions in the debt covenant.
• Employees
− Employees are concerned about threats to their job e.g.
salary, promotion, benefits, satisfaction, job itself. If the
business fails, employees may lose their jobs. Hence,
employees pursue their own goals rather than
shareholder interests.
• Customers and suppliers
− Suppliers are concerned about the risk of making
unprofitable sales; while customers are concerned on
getting the value from the goods or services that they
expect.
• The wider community
− The risks that the wider community are concerned
about are less easy to predict. In general, the
community is concerned with risks that the company
does not act as a good corporate citizen. Otherwise,
pressure groups tactics can include publicity, direct
action, sabotage or pressure on government. As a
result, Government can impose tax increases or tighten
regulation.
Risks Faced by Organizations
1. Business risks
− the risk associated in doing business.
− It includes the risk of inadequate profits or even
losses due to uncertainties arising from increased
competition, changes in government policy, changes
in preferences of consumers, or obsolescence of
products and services, etc.
− borne by both the firm's equity holders and providers
of debt, as it is the risk associated with investing in the
firm in whatever capacity. The only way that either
party can get rid of the business risk is to withdraw its
investment in the firm.
2. Financial risk
− is borne entirely by equity holders. This is due to the
fact that payment to debt holders (ie interest) takes
precedence over dividends to shareholders. The more
debt there is in the firm's capital structure, the
greater the financial risk to equity holders, as the
increased interest burden coming out of earnings
reduces the likelihood that there will be sufficient
funds remaining from which to pay a dividend. Debt
holders however know there is a legal obligation on
the firm to meet their interest commitments.
− This relates to the effect of company’s capital
structure or the mix of equity and debt capital.
− can be long term or short term. Shorter-term
financial risks include liquidity risk and credit risk.
And longer-term risks include gearing, currency, and
interest rate risks, among others.
3. Market risk
− is hardly controllable. It is also a good example of a
speculative risk. Businesses can benefit from
favorable price movements as well as lose from
adverse changes.
4. Product risks
− include risks of financial loss due to producing a poor-
quality product. It may be in the form of
compensation to dissatisfied customers, loss of sales
 due to loss reputation, or expenses on improving
quality control procedures.
5. Legal risk
− Companies are subject to the police power of the
country where it seeks to operate. Legislation in a
country may have very serious consequences for the
company. For example, the government may impose
liquor ban during the pandemic.
6. Political risk
− risk that political action will affect the position and
value of an organization. A political policy that
encourages private sector participation will benefit
the private corporations in privatization of certain
public functions. Changes in this policy would have
adverse effect on the corporation.
7. Technological risk
− the failure of system caused due to tampering of data
access to critical information, non-availability of data
and lack of controls.
− can be strategic and operational, physical damage,
data and systems integrity, fraud, internet, denial of
service attack risks
8. Strategic and operational technological risks
− The company may force a new system for strategic
reasons but is impractical for operational purposes. If
in the end the system has to be abandoned, the write-
off costs can be large and the damage to operational
efficiency significant.
9. Environmental risk.
− potential liability of the company arising out of the
environmental effects of the company’s operation
− Ex: pollution caused to bodies of water if waste
materials are toxic.
10. Probity risk
− the risk of unethical behavior by one or more
participants in a particular process.
− Ex: being the victims of bribery or corruption or being
pressurized into it
11. Reputation risk
− arises from the negative public opinion. Reputation
risk is strongly correlated to other risks. Probity risk
and environmental risk increase reputation risk.
12. Fraud risk
− Fraud is perpetrated through the abuse of systems,
controls, procedures and working practices. It may be
perpetrated by an outsider or insider.
− Fraud may not be usually detected immediately and
thus the detection should be planned for on a
proactive basis rather than on a reactive basis.
RISK MANAGEMENT
Risk Management - a process to identify, assess, manage, and
control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s
objectives.
Commonly used standards in managing risks include:
• COSO 2017 Enterprise Risk Management – Integrating
with Strategy and Performance
• COSO 2004 Enterprise Risk Management – Integrated
Framework
• ISO 31000:2018 – Risk Management Principles and
Guidelines
• A Risk Management Standard – IRM/Alarm/AIRMIC 2002
– developed in 2002 by the UK’s 3 main risk organizations.
• The Turnbull Guidance
COSO 2017 Enterprise Risk Management – Integrating with
Strategy and Performance
In 2004, COSO published its Enterprise Risk Management –
Integrated Framework. Because of the changes in the
complexity of the risk, COSO updated its framework in 2017,
now titled: Enterprise Risk Management – Integrating with
Strategy and Performance. The 2017 Framework is a set of
principles organized into five interrelated components:
1. Governance and Culture: Governance sets the
organization’s tone, reinforcing the importance of, and
establishing oversight responsibilities for, enterprise risk
management. Culture pertains to ethical values, desired
behaviors, and understanding of risk in the entity.
• Exercises Board Risk Oversight - The board of directors
provides oversight of the strategy and carries out
governance responsibilities to support management in
achieving strategy and business objectives.
• Establishes Operating Structures - The organization
establishes operating structures in the pursuit of strategy
and business objectives.
• Defines Desired Culture - The organization defines the
desired behaviors that characterize the entity’s desired
culture.
• Demonstrates Commitment to Core Values - The
organization demonstrates a commitment to the entity’s
core values.
• Attracts, Develops, and Retains Capable Individual - The
organization is committed to building human capital in
alignment with the strategy and business objectives.
2. Strategy and Objective-Setting: Enterprise risk
management, strategy, and objective-setting work
together in the strategic-planning process. A risk appetite
is established and aligned with strategy; business
objectives put strategy into practice while serving as a
basis for identifying, assessing, and responding to risk.
• Analyzes Business Context—The organization considers
potential effects of business context on risk profile.
• Defines Risk Appetite—The organization defines risk
appetite in the context of creating, preserving, and
realizing value.
• Evaluates Alternative Strategies—The organization
evaluates alternative strategies and potential impact on
risk profile.
• Formulates Business Objectives—The organization
considers risk while establishing the business objectives
at various levels that align and support strategy.
3. Performance: Risks that may impact the achievement of
strategy and business objectives need to be identified and
assessed. Risks are prioritized by severity in the context of
risk appetite. The organization then selects risk responses
and takes a portfolio view of the amount of risk it has
assumed. The results of this process are reported to key
risk stakeholders.
• Identifies Risk—The organization identifies risk that
impacts the performance of strategy and business
objectives.
• Assesses Severity of Risk—The organization assesses
the severity of risk.
• Prioritizes Risks—The organization prioritizes risks as a
basis for selecting responses to risks.
• Implements Risk Responses—The organization
identifies and selects risk responses.
 • Develops Portfolio View—The organization develops
and evaluates a portfolio view of risk.
4. Review and Revision: By reviewing entity performance,
an organization can consider how well the enterprise risk
management components are functioning over time and
considering substantial changes, and what revisions are
needed
• Assesses Substantial Change—The organization
identifies and assesses changes that may substantially
affect strategy and business objectives.
• Reviews Risk and Performance—The organization
reviews entity performance and considers risk.
• Pursues Improvement in Enterprise Risk
Management—The organization pursues improvement
of enterprise risk management.
5. Information, Communication, and Reporting: Enterprise
risk management requires a continual process of
obtaining and sharing necessary information, from both
internal and external sources, which flows up, down, and
across the organization.
• Leverages Information Systems—The organization
leverages the entity’s information and technology
systems to support enterprise risk management.
• Communicates Risk Information—The organization
uses communication channels to support enterprise risk
management.
• Reports on Risk, Culture, and Performance—The
organization reports on risk, culture, and performance
at multiple levels and across the entity
COSO 2004 Enterprise Risk Management – Integrated
Framework
The adoption of the 2017 Framework is not mandatory. Hence,
management may continue to utilize the Original Framework.
However, COSO reserves the right to supersede or retire the
2004 Enterprise Risk Management– Integrated Framework in
the future.
COSO’s ERM model establishes a direct relationship between
organizational objectives and ERM components. The
relationship is depicted as the cube-shaped three-dimensional
matrix.
The vertical columns depict the four categories of objectives:
1. Strategic (high level goals, aligned with and supporting
the organization’s mission)
2. Operations (efficient and effective use of resources),
3. Reporting (reliability of reporting).
4. Compliance (compliance with laws and regulations).
The entity and its units are depicted by the third dimension:
Entity level, Division, Business unit, Subsidiary.
The horizontal rows represent the eight components:
1. Internal environment,
2. Objective setting,
3. Event identification,
4. Risk assessment,
5. Risk response,
6. Control activities,
7. Information and communication,
8. Monitoring
ISO 31000: 2018
The purpose of risk management is the creation and protection
of value. It improves performance, encourages innovation and
supports the achievement of objectives.
ISO 31000 has three areas of principles and guidance:
• Principles - The interrelated values that are foundational
to the risk-management process.
• Framework - The ways in which the risk-management
plan should be integrated into “significant activities and
functions.”
• Process - A step-by-step list of procedure in managing
risk.
1. Principles - The principles are the foundation for managing
risk and should be considered when establishing the
organization’s risk management framework and processes.
These principles should enable an organization to manage
the effects of uncertainty on its objectives.
• Integrated - Risk management is an integral part of all
organizational activities.
• Structured and comprehensive - A structured and
comprehensive approach to risk management
contributes to consistent and comparable results.
• Customized - The risk management framework and
process are customized and proportionate to the
organization’s external and internal context related to its
objectives.
• Inclusive - Appropriate and timely involvement of
stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved
awareness and informed risk management.
• Dynamic - Risks can emerge, change or disappear as an
organization’s external and internal context changes. Risk
management anticipates, detects, acknowledges and
responds to those changes and events in an appropriate
and timely manner.
• Best available information - The inputs to risk
management are based on historical and current
information, as well as on future expectations. Risk
management explicitly takes into account any limitations
and uncertainties associated with such information and
expectations. Information should be timely, clear and
available to relevant stakeholders.
• Human and cultural factors - Human behavior and
culture significantly influence all aspects of risk
management at each level and stage.
• Continual improvement - Risk management is
continually improved through learning and experience.
2. Framework - The purpose of the risk management
framework is to assist the organization in integrating risk
management into significant activities and functions. The
components of the framework and the way in which they
work together should be customized to the needs of the
organization.
• Leadership and commitment - Top management and
oversight bodies, where applicable, should ensure that
risk management is integrated into all organizational
activities and should demonstrate leadership and
commitment
• Integration - Integrating risk management into an
organization is a dynamic and iterative process and
should be customized to the organization’s needs and
culture.
• Design - This involves understanding the organization
and its context, articulating risk management
commitment, assigning organizational roles, authorities,
responsibilities and accountabilities, allocating resources,
establishing communication and consultation.
 • Implementation - Successful implementation of the
framework requires the engagement and awareness of
stakeholders. Properly designed and implemented, the
risk management framework will ensure that the risk
management process is a part of all activities throughout
the organization, including decision-making, and that
changes in external and internal contexts will be
adequately captured.
• Evaluation - In order to evaluate the effectiveness of the
risk management framework, the organization should:
a. Periodically measure risk management framework
performance against its purpose, implementation
plans, indicators and expected behavior;
b. Determine whether it remains suitable to support
achieving the objectives of the organization.
• Improvement - This involves adapting and continually
improving the risk management framework.
• Adapting - The organization should continually monitor
and adapt the risk management framework to address
external and internal changes. In doing so, the
organization can improve its value.
• Continually improving - The organization should
continually improve the suitability, adequacy and
effectiveness of the risk management framework and the
way the risk management process is integrated.
3. Process - The risk management process involves the
systematic application of policies, procedures and practices
to the activities of communicating and consulting,
establishing the context and assessing, treating,
monitoring, reviewing, recording and reporting risk.
• Scope, context and criteria - The purpose of establishing
the scope, the context and criteria is to customize the
risk management process, enabling effective risk
assessment and appropriate risk treatment. Scope,
context and criteria involve defining the scope of the
process and understanding the external and internal
context.
• Communication and consultation - The purpose of
communication and consultation is to assist relevant
stakeholders in understanding risk, the basis on which
decisions are made and the reasons why particular
actions are required.
• Risk assessment - Risk assessment is the overall process
of:
o risk identification, to find, recognize and describe
risks that might help or prevent an organization
achieving its objectives
o risk analysis, to comprehend the nature of risk and
its characteristics including, where appropriate, the
level of risk.
o risk evaluation, to support decisions.
• Risk treatment - The purpose of risk treatment is to
select and implement options for addressing risk.
Options for treating risk may involve one or more of the
following:
o avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk;
o taking or increasing the risk in order to pursue an
opportunity;
o removing the risk source;
o changing the likelihood;
o changing the consequences;
o sharing the risk (e.g. through contracts, buying
insurance);
o retaining the risk by informed decision.
• Monitoring and review - Monitoring and review should
take place in all stages of the process. The purpose of
monitoring and review is to assure and improve the
quality and effectiveness of process design,
implementation and outcomes.
• Recording and reporting - The risk management process
and its outcomes should be documented and reported
through appropriate mechanisms. Recording and
reporting aims to:
o communicate risk management activities and
outcomes across the organization;
o provide information for decision-making;
o improve risk management activities;
o assist interaction with stakeholders, including those
with responsibility and accountability for risk
management activities.
IRM's Risk Management Standard
The Risk Management Standard was originally published by
the Institute of Risk Management (IRM), The Association of
Insurance and Risk Manager (AIRMIC) and The Public Risk
Management Association (Alarm) in 2002. It was subsequently
adopted by the Federation of European Risk Management
Association (FERMA).
• Risk management protects and adds value to the
organization and its stakeholders through supporting the
organization’s objectives.
• Risk Assessment is defined by the ISO/ IEC Guide 73 as the
overall process of risk analysis and risk evaluation.
• Risk Analysis covers:
a. Risk identification sets out to identify an organization’s
exposure to uncertainty. This requires an intimate
knowledge of the organization, the market in which it
operates, the legal, social, political and cultural
environment in which it exists, as well as the
development of a sound understanding of its strategic
and operational objectives, including factors critical to its
success and the threats and opportunities related to the
achievement of these objectives.
b. The objective of risk description is to display the
identified risks in a structured format, for example, by
using a table. The use of a well-designed structure is
necessary to ensure a comprehensive risk identification,
description and assessment process.
c. Risk estimation can be quantitative, semiquantitative or
qualitative in terms of the probability of occurrence and
the possible consequence. For example, consequences
both in terms of threats (downside risks) and
opportunities (upside risks) may be high, medium or low.
Probability may be high, medium or low but requires
different definitions in respect of threats and
opportunities
• The result of the risk analysis process can be used to
produce a risk profile which gives a significance rating to
each risk and provides a tool for prioritizing risk
treatment efforts.
• Risk Evaluation is the comparison of the estimated risks
against risk criteria which the organization has established.
The risk criteria may include associated costs and benefits,
legal requirements, socioeconomic and environmental
factors, concerns of stakeholders, etc.
• Risk Reporting - There are two types of risk reporting:
internal and external. Different levels within an
organization need different information from the risk
management process. These include the Board of Directors
 in order to be assured that the risk management process is
working effectively; the Business Units in order to be aware
of risks which fall into their area of responsibility; and
individuals who should understand their accountability for
individual risks. Moreover, a company needs to report to its
stakeholders on a regular basis setting out its risk
management policies and the effectiveness in achieving its
objectives.
• Risk treatment is the process of selecting and implementing
measures to modify the risk. Risk treatment includes as its
major element, risk control/mitigation, but extends further
to, for example, risk avoidance, risk transfer, risk financing,
etc.
• Effective risk management requires a reporting and review
structure to ensure that risks are effectively identified and
assessed, and that appropriate controls and responses are
in place. Regular audits of policy and standards compliance
should be carried out and standards performance reviewed
to identify opportunities for improvement.
The Turnbull Guidance
It is officially called as Internal Control Guidance for Directors
on the Combined Code originally published in 1999 in the
United Kingdom.
The Guidance discusses the adoption of a risk-based approach
to internal control and the assessment of its effectiveness.
Listed below are some of the key tenets of the Turnbull
guidance:
• A focus on significant risks - If too many risks are identified,
it becomes difficult to identify and manage the significant
ones. Turnbull recommends that risk identification focus on
those risks that have been identified by senior management
as being potentially damaging to the achievement of the
organization’s objectives.
• Emphasis on risk management - Turnbull positions risk
management as essential in reducing the probability that
organizational objectives are jeopardized by unforeseen
events. It promotes proactively managing risk exposures.
• Ongoing, continuous monitoring of risk and control - An
organization’s risk management and internal control
strategies and policies must be continuously monitored and
fine-tuned in response to changing exposures. A feedback
process should be in place to learn from mistakes and to
harness potential improvements and risk reductions.
• Engaging all employees - Turnbull maintains that all
employees have some responsibility for internal control and
accountability for achieving organization objectives.
Employees must have the necessary knowledge, skills,
information, and authority to establish, operate, and
monitor the system of internal control within their sphere
of responsibility. They must understand organization
objectives and the industries and markets in which the
entity operates as well as the risks it faces.
• Streamlining risk management databases - Control should
be embedded in the organizational processes. Rather than
developing separate risk reporting systems, Turnbull
recommends building early warning mechanisms into
exiting management information systems.
BASIC CONCEPTS AND ELEMENTS OF
INTERNAL CONTROL
Companies establish goals and objectives. And then assess the
risks of achieving those objectives. As a response to the
assessed risk, the company may design and implement
internal control to have a reasonable assurance that the
objectives will be achieved.
Control - defined as any action taken by management, the
board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be
achieved
Internal control
− pertains to actions that foster the best result for an
organization.
− the process designed, implemented and maintained by
those charged with governance, management, and other
personnel to provide reasonable assurance about the
achievement of an entity's objectives with regard to
reliability of financial reporting, effectiveness and
efficiency of operations, and compliance with applicable
laws and regulations. The term “controls” refers to any
aspects of one or more of the components of internal
control.
− a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and
compliance.
COSO explained that this definition reflects certain
fundamental concepts. Internal control is:
• Geared to the achievement of objectives in one or more
categories—operations, reporting, and compliance
• A process consisting of ongoing tasks and activities—a
means to an end, not an end in itself
• Effected by people—not merely about policy and
procedure manuals, systems, and forms, but about people
and the actions they take at every level of an organization
to affect internal control
• Able to provide reasonable assurance—but not absolute
assurance, to an entity’s senior management and board of
directors
• Adaptable to the entity structure—flexible in application
for the entire entity or for a particular subsidiary, division,
operating unit, or business process
According to COSO, internal control has three objectives:
1. Operations objectives – related to the effectiveness and
efficiency of the entity’s operations, including
operational and financial performance goals, and
safeguarding assets against loss.
2. Reporting objectives – related to internal and external
financial and non-financial reporting to stakeholders,
which would encompass reliability, timeliness,
transparency, or other terms as established by
regulators, standard setters, or the entity’s policies.
3. Compliance objectives – related to adhering to laws and
regulations that the entity must follow.
Internal control cannot provide absolute assurance about the
achievement of an entity's objectives; it can only provide
reasonable assurance.
Limitations may result from:
• Suitability of objectives established as a precondition to
internal control,
• Reality that human judgment in decision making can be
faulty and subject to bias,
• Breakdowns that can occur because of human failures
such as simple errors,
• Ability of management to override internal control,
• Ability of management, other personnel, and/or third
parties to circumvent controls through collusion,
• External events beyond the organization’s control.
Classification of Internal Control
• As to Scope. Some controls are designed to operate at a
high level while others apply to specific processes or
transactions.
a. Entity-level controls apply to the entire organization
and are designed both to ensure that organizational
objectives are achieved and to mitigate risks that
threaten the origination as a whole.
b. Process level controls are established by a process
owner to ensure that the objectives of the process are
achieved and that process-level risks are addressed.
c. Transaction-level controls are specific to individual
transactions. They exist to ensure that the objectives
of the transactions are achieved, and transaction-
specific risks are addressed.
• As to importance.
a. Key controls (primary controls) are those that must
operate effectively to reduce a significant risk to an
acceptable level.
b. Secondary controls help process run smoothly but are
not essential.
• As to function (or approach).
a. Preventive controls are proactive controls that deter
undesirable events from occurring.
b. Detective controls are reactive and detect undesirable
events that have occurred.
c. Corrective controls are reactive designed to allow
manual or automated correction of errors or
irregularities discovered by detective controls.
d. Directive controls are proactive that cause or
encourage a desirable even to occur.
e. Mitigating controls reduce the potential impact should
an event occur. Compensating controls compensate
for the lack of an expected control.
• As to how operated.
a. An active or manual control (people-based) implies
task that prevents or detect a deviation from approved
procedure.
b. A passive control or automated control (system-
based) operates without human intervention.
• As to objective.
a. Administrative controls are concerned with achieving
the objectives of the organization and with
implementing policies.
b. Accounting controls aim to provide accurate
accounting records and to achieve accountability.
• As to Financial and non-financial controls.
a. Financial controls focus on the key transaction areas,
with the emphasis being on the safeguarding of assets
and the maintenance of proper accounting records and
reliable financial information.
b. Non-financial controls tend to concentrate on wider
performance issues.
• As to Discretion.
a. Discretionary controls are controls that, as their name
suggests, are subject to human discretion.
b. Non-discretionary controls are provided automatically
by the system and cannot be bypassed, ignored or
overridden.
• As to Imposition.
a. Voluntary controls are chosen by the organization to
support the management of the business.
b. Mandated controls are required by law and imposed
by external authorities.
• As to Timing.
a. Feedback controls report information about
completed activities.
b. Concurrent controls adjust ongoing processes.
Internal Control in Smaller Entities
• Controls relevant to large entity may not be practical nor
appropriate for a small company. Smaller entities often
have fewer employees which may limit the extent to which
segregation of duties is practicable.
• In a small owner-managed entity, the owner-manager may
exercise effective oversight and his day-to-day
involvement may compensate for the lack of segregation
of duties. This involvement should encompass physical,
authorization, arithmetical and accounting controls as well
as supervision. However, the owner-manager may be more
able to override controls because the system of internal
control is less structured.
• In case the manager is not the owner, the manager may
not possess the same degree of commitment to the
running of it as an owner-manager would.
Internal Control Framework
A control framework is a recognized system of concepts
encompassing all elements of internal control.
Several bodies have published control frameworks that
provide a comprehensive means of ensuring that the
organization has considered all relevant aspects of internal
control.
• United States: Internal Control – Integrated Framework,
published by the Committee of Sponsoring Organizations
(COSO) of the Treadway Commission (named for James C.
Treadway, its first chairman)
• Canada: Guidance on Control (commonly referred to as
CoCo based on its original title Criteria of Control), published
by the Canadian Institute of Chartered Accountants (CICA).
• United Kingdom: Internal Control: Guidance for Directors
on the Combined Code (commonly referred to as the
Turnbull report after Nigel Turnbull, chair of the committee
that drafted the report), published by the Financial
Reporting Council (FRC) of the UK and re-released as
Internal Control: Revised Guide for Directors on the
Combined Code.
• The UK Committee on the Financial Aspect of Corporate
Governance (known informally as the Cadbury Committee
after its chairman Sir Adrian Cadbury) issued its report
about the same times as the Tredway Commission in the
U.S. it was blended with the reports of two other
organizations. The resulting Combined Code includes such
recommendations for sound governance as requiring that
the CEO and chairperson be separate individuals.
• Information technology. COBIT is the best-known
framework specifically for IT controls. When originally
published, COBIT was an acronym for Control Objectives for
Information and Related Technology.
• Electronic Systems Assurance and Control (eSAC),
published by the Institute of Internal Auditors Research
Foundation, is an alternative control model for IT.
COSO’s Internal Control – Integrated Framework
The COSO’s Internal Control – Integrated Framework sets out
seventeen principles representing the fundamental concepts
associated with each component. Because these principles are
drawn directly from the components, an entity can achieve
effective internal control by applying all principles. All
principles apply to operations, reporting, and compliance
objectives.
• Control environment
o Demonstrates commitment to integrity and ethical
values
o Exercises oversight responsibility
o Establishes structure, authority, and responsibility
o Demonstrates commitment to competence
o Enforces accountability.
• Risk assessment
o Specifies suitable objectives
o Identifies and analyzes risk
o Assesses fraud risk
o Identifies and analyzes significant change
• Control activities
o Selects and develops control activities
o Selects and develops general controls over technology
o Deploys control activities through policies and
procedures
• Information and communications
o Uses relevant information
o Communicates internally
o Communicates externally
• Monitoring activities
o Conducts ongoing and/or separate evaluations
o Evaluates and communicates deficiencies
Control Environment
− the foundation for a sound system of internal control. It
forms the core of any organization.
− the set of standards, processes, and structures that
provide the basis for carrying out internal control across
the organization. The board of directors and senior
management establish the tone at the top regarding the
importance of internal control and expected standards of
conduct.
Under the 2013 Framework, the Control Environment’s five
principles are the following
1. The organization demonstrates a commitment to
integrity and ethical values
2. The board of directors demonstrates independence from
management and exercises oversight of the development
and performance of internal control.
3. Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract,
develop and retain competent individuals in alignment
with objectives.
5. The organization holds individuals accountable for their
internal control responsibilities in the pursuit of
objectives.
Entity's Risk Assessment Process
• Risk assessment involves a dynamic and iterative process
for identifying and analyzing risks to achieving the entity’s
objectives, forming a basis for determining how risks should
be managed.
• A precondition to risk assessment is the establishment of
objectives, linked at different levels of the entity.
Management also considers the suitability of the objectives
for the entity and the impact of possible changes in the
external environment and within its own business model
that may render internal control ineffective.
The four principles relating to Risk Assessment are:
1. The organization specifies objectives with sufficient clarity
to enable the identification and assessment of risks
relating to objectives.
2. The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
3. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that
could significantly impact the system of internal control.
Control Activities - the actions established through policies
and procedures that help ensure that management’s
directives to mitigate risks to the achievement of objectives
are carried out.
Principles related to the control activities component
include:
• The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of
objectives to acceptable levels.
• The organization selects and develops general control
activities over technology to support the achievement of
objectives.
• The organization deploys control activities through policies
that establish what is expected and in procedures that put
policies into action.
Segregation of duties - typically built into the selection and
development of control activities. Where segregation of duties
is not practical, management selects and develops alternative
control activities.
Segregation - a number of people being involved in the
accounting process. Segregation of duties is intended to
reduce the opportunities to allow any person to be in a
position to both perpetrate and conceal errors or fraud in the
normal course of the person’s duties.
The key functions that should be segregated are the:
• Authorizing a transaction,
• Recording that transaction in the accounting records,
preparing source documents, and maintaining journals
• Keeping physical custody of the related assets that arise
from the transaction. For example, receiving checks in the
mail.
• The periodic reconciliation of the physical assets to the
recorded amounts for those assets.
Control Activities Over Technology are General IT-controls
and Transaction (Application) controls.
General IT-controls - entity level controls that relate to many
applications and support the effective functioning of
application controls.
Application controls or technical controls - process or
transaction level controls that are usually specific to a given
application but may also control larger technical processes
such as system access rights.
Application controls are sometimes grouped by common
function:
• Input controls verify the integrity of data as it is manually or
automatically entered into a system. For example, a control
total might verify that the proper number of records is
entered.
• Processing controls check that data processing tasks are
accurate, complete, and valid. For example, a control total
might be compared at various processing points.
• Output controls verify that the data outputs are accurate,
complete, and valid. An example is a control to ensure that
output is being sent to and received by the intended
recipient and not other person or system.
Information and Communication
The information and communication component of internal
control supports all of the other components. The principles
related to the information and communication component
include:
• The organization obtains or generates and uses relevant,
quality information to support the functioning of internal
control.
 • The organization internally communicates information,
including objectives and responsibilities for internal
control, necessary to support the functioning of internal
control.
• The organization communicates with external parties
regarding matters affecting the functioning of internal
control.

Monitoring
Monitoring activities assess whether each of the five
components are present and functioning. The two principles
related to the monitoring component include:
• The organization selects, develops, and performs ongoing
and/or separate evaluations to ascertain whether the
components of internal control are present and
functioning.
• The organization evaluates and communicates internal
control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as appropriate.