Executive Summary
Internal control helps entities achieve important objectives and sustain and improve
performance. COSO’s
Internal Control—Integrated Framework (Framework)
enables
organizations to effectively and efficiently develop systems of internal control that adapt
to changing business and operating environments, mitigate risks to acceptable levels,
and support sound decision making and governance of the organization.
Designing and implementing an effective system of internal control can be challenging;
operating that system effectively and efficiently every day can be daunting. New and
rapidly changing business models, greater use and dependence on technology, increas
-
ing regulatory requirements and scrutiny, globalization, and other challenges demand
any system of internal control to be agile in adapting to changes in business, operating
and regulatory environments.
An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors
1
use judgment to determine how much control is enough. Management and other
personnel use judgment every day to select, develop, and deploy controls across the
entity. Management and internal auditors, among other personnel, apply judgment as
they monitor and assess the effectiveness of the system of internal control.
The
Framework
assists management, boards of directors, external stakeholders, and
others interacting with the entity in their respective duties regarding internal control
without being overly prescriptive. It does so by providing both understanding of what
constitutes a system of internal control and insight into when internal control is being
applied effectively.
For management and boards of directors, the
Framework
provides:
•
A means to apply internal control to any type of entity, regardless of industry
or legal structure, at the levels of entity, operating unit, or function
•
A principles-based approach that provides flexibility and allows for judgment
in designing, implementing, and conducting internal control—principles that
can be applied at the entity, operating, and functional levels
•
Requirements for an effective system of internal control by considering how
components and principles are present and functioning and how components
operate together
•
A means to identify and analyze risks, and to develop and manage appropri
-
ate responses to risks within acceptable levels and with a greater focus on
anti-fraud measures
1
The
Framework
uses the term “board of directors,” which encompasses the governing body, including
board, board of trustees, general partners, owner, or supervisory board.
Internal Control — Integrated Framework • May 2013
1
Internal Control—Integrated Framework
•
An opportunity to expand the application of internal control beyond financial
reporting to other forms of reporting, operations, and compliance objectives
•
An opportunity to eliminate ineffective, redundant, or inefficient controls
that provide minimal value in reducing risks to the achievement of the
entity’s
objectives
For external stakeholders of an entity and others that interact with the entity, application
of this
Framework
provides:
•
Greater confidence in the board of directors’ oversight of internal
control
systems
•
Greater confidence regarding the achievement of entity objectives
•
Greater confidence in the organization’s ability to identify, analyze, and
respond to risk and changes in the business and operating environments
•
Greater understanding of the requirement of an effective system of
internal
control
•
Greater understanding that through the use of judgment, management may be
able to eliminate ineffective, redundant, or inefficient controls
Internal control is not a serial process but a dynamic and integrated process. The
Framework
applies to all entities: large, mid-size, small, for-profit and not-for-profit,
and government bodies. However, each organization may choose to implement internal
control differently. For instance, a smaller entity’s system of internal control may be less
formal and less structured, yet still have effective internal control.
The remainder of this Executive Summary provides an overview of internal control,
including a definition, categories of objective, description of the requisite components
and associated principles, and requirement of an effective system of internal control.
It also includes a discussion of limitations—the reasons why no system of internal
control can be perfect. Finally, it offers considerations on how various parties may use
the
Framework