
Chapter Three

Internal Control Framework: The COSO Standard

Ch 3 Internal Control Framework - COSO Standard 1


Chapter Main Points:
3.1. Importance of Effective Internal Controls

3.2. Internal Controls Standards: Background

3.3. Events Leading to the Treadway commission

3.4. COSO Internal Control Framework

3.5. Other Dimensions of the COSO Internal Controls Framework

3.6. Internal Audit CBOK Needs



Introduction
• This chapter briefly discusses how the activities of auditors, regulators, and other professionals over the years developed a consistent approach to defining and understanding internal controls, leading to the COSO framework.

• The COSO internal controls framework is an essential tool for understanding internal controls and for assessing compliance with SOX internal accounting control requirements.


3.1. Importance of Effective Internal Control
Definition of Internal Control:
Internal controls are processes, implemented by management, that are designed to provide
reasonable assurance for:

1. Reliable financial and operational information

2. Compliance with policies and procedures plans, laws, rules, and regulations

3. Safeguarding of assets

4. Operational efficiency

5. Achievement of an established mission, objectives and goals for enterprise operations and programs

6. Integrity and ethical values



3.1. Importance of Effective Internal Control
An enterprise unit or process has good internal controls if it:

(1) accomplishes its stated mission in an ethical manner

(2) produces accurate and reliable data

(3) complies with applicable laws and enterprise policies

(4) provides for economical and efficient uses of resources

(5) provides for appropriate safeguarding of assets.

All members of an enterprise are responsible for the internal controls in their area of responsibility and for operating them effectively.
3.1. Importance of Effective Internal Control
The Institute of Internal Auditors (IIA) International Standards for the Practice of Internal Auditing define control as:

• Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

• Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
3.2 Internal Controls Standards: Background
The AICPA’s first codified standards, called the Statement on Auditing Standards (SAS No. 1), defined the practice of financial statement external auditing in the United States for many years. It used this definition for internal control:
“Internal control comprises the plan of enterprise and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.”
3.2 Internal Controls Standards: Background (Cont.)
That original AICPA SAS No. 1 was modified to add administrative and accounting controls to the basic internal control definition. Accounting control comprises the plan of enterprise and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:
a. Transactions are executed in accordance with management’s general or specific authorization.
b. Transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (2) to maintain accountability for assets.
c. Access to assets is permitted only in accordance with management’s general or specific authorization.
d. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
Internal Control Definitions: Foreign Corrupt Practices Act of 1977
• The period from 1974 to 1977 was a time of extreme social
and political turmoil in the United States. A series of illegal
acts were discovered at the time of the 1972 U.S. presidential
election, including a burglary of the Democratic party
headquarters in a building complex known as Watergate. The
events eventually led to the resignation of President Richard
Nixon.
• Similar to how the failure of Enron brought us the SOX Act, the result here was passage of the 1977 Foreign Corrupt Practices Act (FCPA).
• The FCPA prohibited bribes to foreign—non-U.S.—officials and
also contained provisions requiring the maintenance of
accurate books and records as well as systems of internal
accounting control.
Internal Control Definitions: Foreign Corrupt Practices Act of 1977 (Cont.)
The FCPA required that SEC-regulated enterprises must:
• Make and keep books, records, and accounts, which, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets
of the issuers.
• Devise and maintain a system of internal accounting controls sufficient to
provide reasonable assurances that:
1. Transactions are executed in accordance with management’s general or
specific authorization.
2. Transactions are recorded as necessary both to permit the preparation of
financial statements in conformity with generally accepted accounting
principles (GAAP) or any other criteria applicable to such statements, and
also to maintain accountability for assets.
3. Access to assets is permitted only in accordance with management’s
general or specific authorization.
4. The recorded accountability for assets is compared with the existing
assets at reasonable intervals, and appropriate action is taken with
respect to any differences.
FCPA Aftermath: What Happened?

• The FCPA emphasized the importance of effective internal controls even though there was no consistent definition of internal controls at that time. However, the FCPA heightened the importance of internal controls, and its anti-bribery provisions continue to be important.

• The FCPA was an important first step for helping enterprises to think about the need for effective internal controls, even though there were no guidelines or standards over the FCPA’s systems documentation requirements.
3.3 Events Leading to the Treadway Commission (COSO)
• In 1974, the AICPA formed a high-level Commission on Auditor’s
Responsibilities. This group, better known then as the Cohen
Commission, recommended in 1978 that a statement on the condition
of an enterprise’s internal controls should be required along with their
financial statements.

• Although auditors were accustomed to attesting to the fairness of financial statements, the Cohen Commission report called for an audit opinion on the fairness of the management control assertions in the proposed financial statement internal control letter.


The Financial Executives International (FEI), a professional organization
• Just as the IIA is the professional enterprise for internal auditors
and the AICPA represents public accountants in the United
States, the FEI represents enterprise senior financial officers. In
the late 1970s, the FEI endorsed the Cohen Commission’s
internal controls recommendations and agreed that corporations
should report on the status of their internal accounting controls.
As a result, many U.S. corporations began to discuss the
adequacy of internal controls as part of their annual report
management letters.
• They typically included comments stating that management,
through its internal auditors, periodically assessed the quality of
its internal controls. These “negative assurance” comments
indicated that nothing was found to indicate that there might be
any internal control problem in operations.
Earlier AICPA Standards: SAS No. 55
• Prior to SOX, the AICPA was responsible for releasing external audit standards through Statements on Auditing Standards (SASs). As discussed for SAS No. 1, these standards formed the basis of the external auditor’s review of the adequacy and fairness of published financial statements. They underwent a few changes over the years, in the 1970s and 1980s.

• These included SAS No. 30, Reporting on Internal Accounting Control, which provided guidance for the terminology to be used in internal accounting control reports. That SAS did not provide much help, however, on defining the underlying concepts of internal control. SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, was another new standard that defined internal control in terms of three key elements:

1. Control environment

2. Accounting system

3. Control procedures
Treadway Committee Report
• During the late 1970s and early 1980s, many major U.S. enterprises failed due to high inflation and the resultant high interest rates.

• A few of these failures were caused by fraudulent financial reporting, although many others were due to high inflation or other enterprise instability issues.

• Nevertheless, several members of Congress proposed legislation to “correct” these potential business and audit failures. Bills were drafted, congressional hearings were held, but no legislation was passed.


Treadway Committee Report
• Also in response to these concerns as well as to the lack of legislative action, the National Commission on Fraudulent Financial Reporting was formed. It consisted of five professional organizations:

1. Institute of Internal Auditors (IIA).

2. American Institute of Certified Public Accountants (AICPA).

3. The Financial Executives International (FEI).

4. American Accounting Association (AAA). The AAA is a professional organization for the academic accountants.

5. Institute of Management Accountants (IMA). The IMA is the professional organization for managerial or cost accountants.
Treadway Committee Report
• The National Commission on Fraudulent Financial Reporting came to be
called the Treadway Commission after the name of its chairperson. Its
major objectives were to identify the causal factors that allowed
fraudulent financial reporting and to make recommendations to reduce their
incidence.
• The Treadway Commission’s final report was issued in 1987 and included
recommendations to management, boards of directors, the public
accounting profession, and others.
• It again called for management reports on the effectiveness of internal control systems and emphasized key elements in what it felt should be a system of internal control, including a strong control environment, codes of conduct, a competent and involved audit committee, and a strong internal audit function.
• The Treadway Commission report again pointed out the lack of a consistent
definition of internal control, suggesting further work was needed.
3.4 COSO Internal Control Framework
• The five professional auditing and accounting organizations that formed a
committee—COSO—then released an internal control report, with the official
title Internal Control – Integrated Framework.
• The final COSO internal controls report was released in September 1992.
Although not a mandatory standard then, the report proposed a common
framework for the definition of internal control as well as procedures to
evaluate those controls.
• The COSO internal controls framework has become the worldwide recognized
standard for understanding and establishing effective internal controls in
virtually all business systems.
• COSO provides an excellent description of this multidimensional concept of
internal controls, defining internal control in this way: Internal control is a
process, affected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
3.4 COSO Internal Control Framework (Cont.)
• The COSO internal control framework is shown as a three-dimensional model, with its five components as levels on the front-facing side and the three categories of internal control objectives on the top of the diagram (operations, financial reporting, and compliance), representing the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.


• All internal auditors must develop an understanding of this COSO internal controls framework. No matter what area is under review, internal auditors always need to look at internal controls in this multilevel and three-dimensional manner.

• While this is true for all internal audit work, the concept is particularly valuable when assessing and evaluating internal controls using the COSO internal controls framework.
First: Control Environment
• The foundation of any internal control structure is what COSO calls the internal control environment. COSO emphasizes that this internal control environment foundation has a pervasive influence on how all activities are structured and risks are assessed.
• The control environment is a foundation for all other components of
internal control; it has an influence on each of the three objectives and
on overall unit and entity activities.
• The control environment reflects the overall attitude, awareness, and
actions by the board of directors, management, and others concerning
the importance of internal control in the enterprise.
• Enterprise history and culture often play a major role in forming the internal control environment. When an enterprise historically has had a strong management emphasis on producing error-free products, when senior management continues to emphasize the importance of high-quality products, and when this message is communicated to all levels, it becomes a major enterprise control environment factor.
(1) Integrity and Ethical Values
• The collective integrity and ethical values of an enterprise are essential
control environment elements. These values are often defined by the
tone-at-the-top messages communicated by senior management.

• If the enterprise has developed a strong code of conduct that emphasizes integrity and ethical values, and if stakeholders appear to follow that code, all stakeholders will have assurances that the enterprise has a good set of values.

• All stakeholders, and certainly internal auditors, should have a good understanding of their enterprise’s code of conduct and how it is applied.


(1) Integrity and Ethical Values (Cont.)
• The kinds of temptations that encourage stakeholders to engage
in improper accounting or similar acts include:
1. Nonexistent or ineffective controls, such as poor
segregation of duties arrangements in sensitive areas, that
offer temptations to steal or to conceal poor performance
2. High decentralization that leaves top management unaware
of actions taken at lower enterprise levels and thereby
reduces the chances of getting caught
3. A weak internal audit function that has neither the ability nor the authority to detect and report improper behavior; this is an area where internal audit can fix itself by performing effective internal audits
4. Penalties for improper behavior that are insignificant or
unpublicized, causing them to lose their value as deterrents
(2) Commitment to Competence
• An enterprise’s control environment can be seriously eroded if a
significant number of positions are filled with persons lacking
required job skills. Internal auditors, in particular, will encounter
this situation from time to time in their reviews, interviewing a
person assigned to a particular job who does not seem to have the
appropriate skills, training, or even intelligence to perform that
job.
• An enterprise needs to specify the required competence levels
for its various job tasks and to translate those requirements into
necessary levels of knowledge and skill.
• An assessment of staff competence is an important portion of
the control environment, and it can be difficult. A strong human
resources function, with adequate assessment procedures, is
important.
(3) Board of Directors and Audit Committee
• The control environment is very much influenced by the actions of an enterprise’s board of directors and its audit committee. In years prior to SOX, boards and their audit committees often were dominated by senior management inside directors, with a limited representation from outside, minority board members. This created situations where the boards were not totally independent of management.
• SOX has changed this and now requires audit committees to be
truly independent. An active and independent board is an
essential component of the COSO control environment. By setting
high-level policies and by reviewing overall enterprise conduct,
the board and its audit committee have the ultimate
responsibility for setting this tone at the top.



(4) Management’s Philosophy and Operating Style
• The philosophy and operating style of senior management has a
considerable influence over an enterprise’s control environment.
Some top-level managers take significant enterprise-level risks in their
new business or product ventures; others are very cautious or
conservative.
• Some may take very aggressive approaches in their interpretations
of tax and financial-reporting rules; others go by the book. These
comments do not necessarily mean that one approach is always good
and the other bad.
• Internal auditors responsible for assessing internal controls should
understand these factors and take them into consideration when
evaluating internal controls effectiveness.
• No one set of styles and philosophies is best for all enterprises, but these factors are important when considering the other components of internal control in an enterprise.
(5) Organizational Structure

• This internal control component provides a framework for planning, executing, controlling, and monitoring activities to help achieve overall objectives. This control environment factor relates to how functions are managed and organized, following a classic organizational chart.

• An organizational structure is the manner or approach for individual work efforts to be both assigned and integrated for the achievement of overall goals.

• Weakness in organization controls can have a pervasive effect throughout the total control environment. Despite clear lines of authority, enterprises sometimes have built-in inefficiencies that can become greater as they expand over time, causing control procedures to break down.
(6) Assignment of Authority and Responsibility
• This COSO framework-defined aspect of the control environment
is similar to the organizational structure component. An
enterprise’s organizational structure defines the assignment and
integration of its total work effort. The assignment of authority is
essentially the way responsibilities are defined in terms of job
descriptions and structured in terms of enterprise charts.
• The framework section of the COSO internal controls report
describes this very important area of the control environment:
“The control environment is greatly influenced by the extent to
which individuals recognize they will be held accountable. This
holds true all the way to the chief executive, who has ultimate
responsibility for all activities within an entity, including internal
control system.”
(7) Human Resources Policies and Practices

• Human resource practices cover such areas as hiring, orientation, training, evaluating, counseling, promoting, compensating, and taking appropriate remedial actions.

• While the human resources function should have adequate published policies and guidance materials, its actual practices send strong messages to employees regarding expected levels of internal controls compliance, ethical behavior, and competence.


Areas where these human resources policies and practices are particularly important include:

• Recruitment and hiring: The enterprise should take steps to hire the best, most qualified candidates. Backgrounds of potential employees should be verified, and interviews should be well organized and in-depth. The interviews also should transmit a message about the enterprise’s values, culture, and operating style.

• New employee orientation: New employees should be given a clear signal regarding the enterprise’s value system and the consequences of not complying with those values.
• Evaluation, promotion, and compensation: There should be a fair performance-evaluation program in place. Because issues such as evaluation and compensation can violate employee confidentiality, the overall system should be established in a manner that is fair to all stakeholders in the enterprise.
• Disciplinary actions: Consistent and well-understood
policies for disciplinary actions should be in place.
Employees at all levels should know that if they violate
certain rules, they will be subject to disciplinary actions
leading up to dismissal.
• The enterprise should take care to ensure that no double
standard exists for disciplinary actions—or, if any such
double standard does exist, that higher-level employees
are subject to even more severe disciplinary actions.
(8) COSO Control Environment in Perspective
• As somewhat of a different view, Exhibit 3.2 shows the COSO internal
control as a pyramid, with the control environment as its foundation.
Here, the information and communications component is not shown as an
individual layer in the model but a side component that encompasses the
Risk Assessment and Control Activities layers. This view was more common
when the COSO internal control framework was first drafted, but the
Exhibit 3.1 version is much more common today. This view does not really
describe the components separated entity by entity shown in the right
hand side of Exhibit 3.1.
• However one views the COSO internal controls framework, this concept is important. Just as a strong foundation is necessary for a multistory building, the control environment provides the foundation for the other components of internal control.


Second: Risk Assessment
• An enterprise’s ability to achieve its objectives can be at risk due to a
variety of internal and external factors. Understanding and management of
the risk environment is a basic element of the internal control foundation,
and an enterprise should have a process in place to evaluate the potential
risks that may impact attainment of its objectives.
• COSO internal controls risk assessment should be a forward-looking
process that is performed at all levels and for virtually all activities within
the enterprise. COSO describes risk assessment as a three-step process:
1. Estimate the significance of the risk.
2. Assess the likelihood or frequency of the risk occurring.
3. Consider how the risk should be managed and assess what actions must be
taken.



The COSO internal controls framework suggests that
risks should be considered from three perspectives:
1. Enterprise risks due to external factors: These risks include technological developments that can affect the nature and timing of new product research and development or lead to changes in procurement processes. Other external factor risks include changing customer needs or expectations, pricing, warranties, or service activities.
2. Enterprise risks due to internal factors: As internal auditors often highlight in their ongoing reviews, there can be many types of enterprise-level risks. For example, a disruption in an enterprise’s IT server or storage management processing facility can adversely affect overall operations. Also, the quality of personnel hired, as well as their training or motivation, can influence the level of control consciousness within the entity.
3. Specific activity-level risks: Besides being viewed at an enterprise-wide level, risks should also be considered for each significant business unit and key activity, such as for marketing, IT, and finance.
Third: Control Activities
• Control activities are the policies and procedures that help ensure that actions identified to address risks are carried out, following a wide range of control activity subprocesses.
• Control activities exist at all levels within an enterprise
and, in many cases, may overlap one another. The
concept of control activities is an essential part of building
and then establishing effective internal controls in an
enterprise.
• The COSO internal controls framework identifies a series
of these activities by type of process. From an internal
audit perspective, they should together be helpful in
building effective overall internal controls.
i) Types of Control Activities
Internal controls are generally classified as manual, IT, or
management controls, and they are also described in terms
of whether they are preventive, corrective, or detective
control activities. While no one set of internal control
definitions is correct for all situations, COSO internal controls
suggests a way to classify these control activities in an
enterprise. Although it certainly is not an all-inclusive list, the
next points represent some of these COSO-recommended
internal control activities for an enterprise:
• Top-level reviews. Management and internal auditors,
at various levels, should review the results of their
performance, contrasting those results with budgets,
competitive statistics, and other benchmark measurements.
i) Types of Control Activities (Cont.)
• Direct functional or activity management. Managers at various levels should review the operational reports from their control systems and take corrective action as appropriate. Many management systems have been built to produce exception reports covering these control activities.

• Information processing. IT systems contain many controls where systems internally check for compliance in certain areas and then report any internal control exceptions.


i) Types of Control Activities (Cont.)
• Physical controls. An enterprise should have appropriate control over
its physical assets, including fixtures, inventories, and negotiable
securities. An active program of periodic physical inventories
represents a major control activity here, and internal auditors can
play a major role in monitoring compliance.
• Performance indicators. Management should relate sets of data, both
operational and financial, to one another and take appropriate
analytical, investigative, or corrective actions. This process
represents an important enterprise control activity that can also
satisfy financial- and operational-reporting requirements.
• Segregation of duties. Duties should be segregated among different
people to reduce the risk of error or inappropriate actions. This
basic internal control procedure should be on almost every internal
auditor’s radar screen.
(ii) Integration of Control Activities with Risk Assessment
• Control activities should be closely related to the identified risks from the
COSO internal controls risk assessment component. Internal control is a
process, and appropriate control activities should be installed to address
identified risks. Control activities should not be installed just because
they seem to be the right thing to do even if there are no significant risks
in the area where the control activity would be installed.
• Sometimes control activities in place once served some control-risk
concern, although the concerns have largely gone away. A control activity
or procedure should not be discarded just because there have not been
control violation incidents in recent years, but management needs
periodically to reevaluate the relative risks.



(iii) Controls over Information Systems
• Control procedures are needed over all significant IT or
information systems—financial, operational, and compliance
related. COSO internal controls breaks down information
systems controls into the well-recognized general and
application controls. General controls apply to much of the
function of the information systems to help ensure adequate
control procedures over all applications.
• The term application controls refers to specific IT processes.
• The COSO internal controls framework concludes with a
discussion on the need to consider the impact of evolving
technologies when evaluating information systems control
activities. Due to the rapid introduction of new technologies,
what is new today will soon be replaced by something else.
Fourth: Communications and Information
• Information and communications are related but distinct components of the internal control framework.

• Appropriate information, supported by IT systems, must be communicated up and down the enterprise in a manner and time that allows people to carry out their responsibilities.

• In addition to formal and informal communication systems, enterprises must have effective procedures in place to communicate with internal and external parties. These information and communication flows in the enterprise must be understood for any internal control evaluation, such as for a SOX Section 404 evaluation.
(i) Relationship of Information and Internal Control
• An enterprise needs information at all levels to achieve
its operational, financial, and compliance objectives.
For example, the enterprise needs information to
prepare financial reports that are communicated to
outside investors as well as internal cost and external
market preference information to make correct
marketing decisions.
• COSO internal controls take a broad view of these
types of situations and point to the need to understand
the current requirements of both manual processes
and automated technologies.
• Strategic and Integrated Systems. Accounting and financial
processes were the first enterprise automated or IT systems,
starting with the unit record and then moving to the earliest
computer systems. COSO internal control suggests that the
effective enterprise should go beyond these core
• Quality of Information. The COSO internal controls report has a
brief section on the importance of the quality of information. Poor
quality information systems, filled with errors and omissions, affect
management’s ability to make appropriate decisions.
• Reports should contain enough data and information to support
effective internal control activities. To determine the quality of
information, one must ascertain whether:
1. The content of reported information is appropriate.
2. The information is timely and available when required.
3. The information is current or at least the latest available.
4. The data and information are correct.
5. The information is accessible to appropriate parties.
(ii) The Communications Aspect of
Internal Control
• Communications is defined as a separate internal
control element in COSO’s internal control framework.
Communication channels allow individuals to carry out
their financial reporting, operational, and compliance
responsibilities.

• COSO internal control highlights the separate
components of internal and external communications.
Communications: Internal Components
• According to COSO internal control, perhaps the most important component of
the communications element is that stakeholders should receive messages from
senior management reminding them of their internal control responsibilities.
• COSO internal controls and SOX emphasize that a lack of documentation may
mean poor internal control communication channels.
• Communication must flow in two directions, and COSO internal
control emphasizes that stakeholders must also have a mechanism to report
upward throughout the enterprise.
• This section of the COSO internal controls framework concludes with a
discussion on the importance of communication channels between top
management and the board of directors.
External Communications
• Enterprises need to establish communication channels with
outside parties, including customers, suppliers, shareholders,
bankers, regulators, and others. This communication should go
beyond the public relations–type of function that large
enterprises often establish to talk about themselves.
• External communications can be a very important way to
identify potential control problems. Customer complaints
regarding service, billings, or product quality often point out
significant operating and control problems. Independent
mechanisms should be established to receive these messages
and act on them, including taking corrective action when
necessary. Open and frank two-way communications may alert
the enterprise to potential communication problems or allow it
to discuss and solve any problems in advance of adverse
publicity.
Means and Methods of Communication
• There is no one correct means of communicating
internal control information within the enterprise.
• COSO internal controls summarize this communication
element:
“An entity with a long and rich history of operating with
integrity, and whose culture is well understood by
people through the enterprise, will likely find little
difficulty in communicating its message. An entity
without such a tradition will likely need to put more
into the way the messages are communicated.”

Fifth: Monitoring
• Monitoring has long been the role of internal auditors, who
perform reviews to assess compliance with established
procedures; however, COSO now takes a broader view of
monitoring.

• COSO internal control recognizes that control procedures and
other systems change over time.
• An enterprise needs to establish a variety of monitoring activities
to measure the effectiveness of its internal controls.

(i) Ongoing Monitoring Activities
COSO internal control gives these examples of the ongoing monitoring component of
internal control:
• Operating management normal functions. Normal management reviews
over operations and financial reports constitute an important
ongoing monitoring activity. Internal control is enhanced if reports
are reviewed on a regular basis and corrective action initiated for
any reported exceptions.
• Communications from external parties. This element of monitoring is
closely related to the component of communication from external
parties.
(i) Ongoing Monitoring Activities (Cont.)
• Enterprise structure and supervisory activities. While
senior management should always review summary
reports and take corrective actions, the first level of
supervision and the related enterprise structure often
plays a more significant role in monitoring. Direct
supervision of clerical activities
• Physical inventories and asset reconciliation. Periodic
physical inventories, whether of storeroom stock,
negotiable securities, or other assets, are an important
monitoring activity. An annual inventory in a retail
store, for example, may indicate a significant
merchandise loss. Suspected theft could be a possible
reason for this loss, pointing to the need for better
security controls.
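The asset reconciliation described above, carried through in code as an added illustration (it is not part of the chapter or of COSO's own guidance): a recorded ledger is compared with a physical count, and any asset whose variance exceeds a tolerance, or that appears on only one side, is flagged for follow-up. The ledger, the count and the tolerance are constructed sample values.

```python
"""Added example: reconcile a recorded asset ledger against a physical count.

The ledger, the count and the 2 % tolerance below are constructed sample
data, not figures from the chapter.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample ledger (what the records say is on hand).
SAMPLE_RECORDED: dict[str, int] = {
    "laptop": 100,
    "badge_reader": 20,
    "usb_token": 500,
    "server": 4,
}

# Constructed sample physical count (what the annual inventory found).
SAMPLE_COUNTED: dict[str, int] = {
    "laptop": 96,          # four fewer than recorded: exceeds tolerance
    "badge_reader": 20,
    "usb_token": 495,      # five fewer, but within 2 % of 500
    "server": 4,
    "unknown_monitor": 3,  # found on the floor but absent from the ledger
}


@dataclass(frozen=True)
class Variance:
    """One asset whose count disagrees with the ledger beyond tolerance."""
    asset: str
    recorded: int
    counted: int

    @property
    def shortfall(self) -> int:
        """Positive means fewer items were found than recorded (a loss)."""
        return self.recorded - self.counted


def reconcile(recorded: dict[str, int], counted: dict[str, int],
              tolerance: float = 0.02) -> list[Variance]:
    """Return variances worth investigating, sorted by asset name.

    An asset present in only one of the two lists is always reported.
    For assets in both, the difference must exceed `tolerance` times the
    recorded quantity; a recorded quantity of zero therefore tolerates
    no difference at all.
    """
    variances: list[Variance] = []
    for asset in sorted(set(recorded) | set(counted)):
        rec = recorded.get(asset, 0)
        cnt = counted.get(asset, 0)
        if asset not in recorded or asset not in counted:
            variances.append(Variance(asset, rec, cnt))
            continue
        if abs(rec - cnt) > tolerance * rec:
            variances.append(Variance(asset, rec, cnt))
    return variances


def total_shortfall(variances: list[Variance]) -> int:
    """Net units lost across all flagged variances (gains reduce the total)."""
    return sum(v.shortfall for v in variances)


if __name__ == "__main__":
    for v in reconcile(SAMPLE_RECORDED, SAMPLE_COUNTED):
        print(f"{v.asset}: recorded {v.recorded}, counted {v.counted}, "
              f"shortfall {v.shortfall}")
    print("net shortfall:", total_shortfall(reconcile(SAMPLE_RECORDED, SAMPLE_COUNTED)))
```

A reported shortfall is only the trigger for the monitoring step the chapter describes: the flagged lines are what management investigates to decide whether the cause is a counting error, a recording lapse, or a loss that points to weaker physical security controls than assumed.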
(ii) Separate Internal Control Evaluation
• While COSO internal control points out the importance of ongoing
monitoring activities to support the internal control framework, it also
suggests that “it may be useful to take a fresh look from time to time” at
the effectiveness of internal controls through separate
evaluations.
• Under the COSO standard, the frequency and nature of these separate reviews
depend to a large extent on the nature of the enterprise and the
significance of the risks it must control.
• Management may want to initiate an evaluation of its entire internal
controls environment periodically, but internal audit should initiate
many such reviews to assess specific control areas. These reviews are
often initiated when there has been an acquisition, a change in
business, or some other significant activity.

Internal Control Evaluation Process

• The COSO internal controls guidance materials outline
an evaluation process for reviewing internal controls.
The evaluator should:
(1) develop an understanding of the system design
(2) test key controls
(3) develop conclusions based on the test results.
This is really the internal audit process.
Internal Control Evaluation Process (Cont.)
COSO internal control also mentions benchmarking as
an alternative approach.
Benchmarking is the process of comparing an enterprise’s
processes and control procedures with those of peer
enterprises. Comparisons are made with similar
enterprises or against published industry statistics.
This approach is convenient for some measures but
filled with dangers for others. For example, it is fairly
easy to benchmark the size, staffing levels, and
average compensations of a sales function against
comparable enterprises in the same general industry;
however, the evaluator may encounter difficulties in
trying to compare other factors due to the many small
differences that make all enterprises unique.
Evaluation Action Plans
• COSO internal control recognizes that many highly effective
procedures are informal and undocumented. Many of
these undocumented controls, however, can be tested and
evaluated in the same manner as documented ones. An
appropriate level of documentation, however, makes any
evaluation of internal control more efficient and facilitates
employees’ understanding of how the process works.
• Internal auditors reviewing an enterprise’s internal
financial controls systems will certainly request to see
some level of systems documentation as part of their
review work. If an existing process is informal,
undocumented, but recognized as effective, the review
team will need to prepare its own evaluation
documentation to explain how the process works and the
nature of its internal controls.
(iii) Reporting Internal Control
Deficiencies
• Whether internal control deficiencies are identified through
processes in the internal control system itself, through monitoring
activities, or through other external events, they should be
reported to appropriate levels of enterprise management.
• COSO internal control suggests that all of these should be identified
and reported and that even the most minor of errors should be
investigated to understand if they were caused by any overall control
deficiencies.
• The COSO internal controls guidance concludes by
discussing to whom internal control deficiencies in the
enterprise should be reported.
• Findings on internal control deficiencies usually should
be reported not only to the individual responsible for
the function or activity involved, who is in the position
to take corrective action, but also to at least one level
of management above the directly responsible person.
• This process enables that individual to provide needed
support or oversight for taking corrective action, and to
communicate with others in the enterprise whose
activities may be affected.

• Internal auditors should be aware the SOX rules have tightened
up this COSO internal controls reporting guidance. Matters that
appear to be of a material nature become an almost immediate
CFO and audit committee reporting issue.

• The enterprise should also develop reporting procedures such
that all internal financial control deficiencies, whether
encountered through a SOX Section 404 review or an internal
audit review of ongoing operations, are reported to
appropriate levels of the enterprise.
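The reporting rule from the two preceding slides (a finding goes to the responsible individual and at least one level of management above, and material matters go to the CFO and audit committee as well) encoded as an added example; this is illustration, not code from the chapter or from COSO. The reporting chain, the role names `cfo` and `audit_committee`, and the sample findings are all constructed assumptions.

```python
"""Added example: decide who receives a reported internal control deficiency.

The org chart, the role names and the findings are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed reporting chain: each person maps to their manager
# (None marks the top of the chain).
SAMPLE_ORG: dict[str, str | None] = {
    "ap_clerk": "ap_supervisor",
    "ap_supervisor": "controller",
    "controller": "cfo",
    "cfo": None,
}

# Assumed escalation recipients for matters that appear material.
MATERIAL_RECIPIENTS = ("cfo", "audit_committee")


@dataclass(frozen=True)
class Finding:
    description: str
    owner: str       # person responsible for the affected activity
    material: bool   # appears to be of a material nature under SOX


def recipients(finding: Finding, org: dict[str, str | None],
               levels_above: int = 1) -> list[str]:
    """Return, in order, who must be told about `finding`.

    The owner always comes first, then `levels_above` managers walking up
    the chain (fewer if the chain ends), then, for material matters, the
    CFO and audit committee without duplicates.
    """
    to = [finding.owner]
    current = finding.owner
    for _ in range(levels_above):
        manager = org.get(current)
        if manager is None:
            break
        to.append(manager)
        current = manager
    if finding.material:
        for role in MATERIAL_RECIPIENTS:
            if role not in to:
                to.append(role)
    return to


# Constructed sample findings.
SAMPLE_MINOR = Finding("Invoice approved without second signature", "ap_clerk", False)
SAMPLE_MATERIAL = Finding("Unreconciled cash balance over threshold", "ap_clerk", True)

if __name__ == "__main__":
    for f in (SAMPLE_MINOR, SAMPLE_MATERIAL):
        print(f.description, "->", recipients(f, SAMPLE_ORG))
```

The function keeps the chapter's two rules separate: the upward step is a property of every finding, while the CFO and audit committee path is added only when the matter looks material, so a routine finding never bypasses the manager who can actually take corrective action.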

The 2013 COSO Framework

• The 2013 Framework is a flexible, reliable, and cost-effective
approach to the design and evaluation of internal control
systems for organizations looking to achieve operational,
compliance, and reporting objectives.
• The 2013 Framework can be applied regardless of
organization size or type: public companies, privately held
companies, not-for-profit entities, and governmental entities.

The 2013 COSO Framework
5 components and 17 principles of internal control
Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability.
Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

The 2013 COSO Framework
5 components and 17 principles of internal control
Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
Information and communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
3.5 Other Dimensions of the COSO
Internal Controls Framework

Second Dimension for the Framework
• With consideration given to the right-side dimension, internal controls
should be installed and evaluated across all units in the enterprise.
• However, there should be a consistent set of control processes
throughout the enterprise with consideration given to the relative risks
and scope of operations. Internal controls should be consistent, but
they should be applied appropriately in individual operating units.

• The third or top dimension of the COSO
internal controls framework is even more
significant. It says that internal control activities should be
installed in all operating units and should include the three factors of
internal controls: effectiveness, financial reporting reliability, and
regulatory compliance.
• Those internal controls still should be implemented in a manner that
ensures reliability in financial reporting as results are reported up to
corporate headquarters.
• No matter where they are installed in an enterprise, all COSO
internal controls should be considered in
terms of the COSO three-dimensional cube.

• The COSO internal controls framework continues to be an
important standard and set of guidance materials for
measuring and evaluating internal controls.

• Processes are in place all the way down to the internal
control environment foundation.
• Similarly, effective internal controls must be installed in
all levels of organizational units, and each of those
controls must be sensitive to the three top-facing internal
control elements.
3.6 Internal Audit CBOK Needs
COSO internal control is different from an internal
audit CBOK perspective.
• This framework is becoming the worldwide standard for
building and evaluating all levels of internal controls.
• All internal auditors should understand this three-
dimensional approach to looking at and evaluating
internal controls.
End of Chapter 3
