In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the standard against which organizations measure the effectiveness of their internal control systems.
According to the COSO model internal control is “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
In an effective internal control system, the following 5 components work to support the achievement of a business entity’s mission, strategies and related business objectives:
- Control Environment
Control environment is the basis of other elements of all other components of the internal control system. comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance.
- Risk Assessment
After setting up the objective of business, external and internal risks are to be assessed. Every business entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Management determines risk controlling means after examining the risks related to every objective.
- Control Activities
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities.
- Information and Communication
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. External communication is 2-fold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.
- Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
Internal Control is like building a home; the foundation is the control environment; risk assessment is setting up the perimeter fence (deciding on the materials/type of fence); control activities are the doors, windows and locks; information and communication/monitoring is like setting up CCTV.
Which type of controls do you have in your business and how do you evaluate their effectiveness? Let’s hear your thoughts… leave a comment and share with a fellow business owner