COMPONENTS OF INTERNAL CONTROL
Under the COSO framework, internal control has five components —
1. Control Environment — The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the foundation
for all other components of internal control, providing discipline and structure.
Control environment factors include the integrity, ethical values and competence
of the entity’s people; management’s philosophy and operating style;
the way management assigns authority and responsibility, and organizes and
develops its people; and the attention and direction provided by the board of
directors.
2. Risk Assessment — Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to risk assessment is
the establishment of objectives, linked at different levels and internally consistent.
Risk assessment is the identification and analysis of relevant risks to
achievement of the objectives, forming a basis for determining how the risks
should be managed. Because economic, industry, regulatory and operating
conditions will continue to change, mechanisms are needed to identify and
deal with the special risks associated with change.
3. Control Activities — Control activities are the policies and procedures that
help ensure management directives are carried out and that necessary actions
are taken to address risks to achievement of the entity’s objectives. Control
activities occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets
and segregation of duties.
4. Information and Communication — Pertinent information must be
identified, captured and communicated in a form and timeframe that
enable people to carry out their responsibilities. Information systems
produce reports, containing operational, financial and compliancerelated
information, that make it possible to run and control the business.
They deal not only with internally generated data, but also
information about external events, activities and conditions necessary
to informed business decision-making and external reporting.
5. Monitoring Activities — Internal control systems need to be monitored — a
process that assesses the quality of the system’s performance over time. This
is accomplished through ongoing monitoring activities, separate evaluations
or a combination of the two. Ongoing monitoring occurs in the course of operations.
It includes regular management and supervisory activities, and other
actions personnel take in performing their duties.
Source: COSO, Internal Control — Integrated Framework (Executive Summary)
4 • GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING
SEC DEFINITION OF ICFR
The U.S. Securities and Exchange Commission’s (SEC) rules define internal control
over financial reporting as “a process designed by, or under the supervision
of, the [company’s] principal executive and principal financial officers, or persons
performing similar functions, and effected by the registrant’s board of directors,
management and other personnel, to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements
for external purposes in accordance with GAAP and includes those policies and
procedures that —
1) Pertain to the maintenance of records that, in reasonable detail, accurately and
fairly reflect the transactions and dispositions of the assets of the company;
2) Provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with GAAP, and that
receipts and expenditures of the company are being made only in accordance
with authorizations of management and directors of the company; and
3) Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could
have a material effect on the financial statements.”
Source: Securities Exchange Act Rule 13a-15(f)
Financial reporting often requires sophisticated decision-making and the
application of informed judgment. For example, accounting areas such as
estimating allowances for loan losses, valuing illiquid securities, and determining
whether intangible assets are impaired require management to make
judgments regarding such things as the use of assumptions and the likelihood
of future events. In these kinds of reporting areas, there is typically a range of
acceptable outcomes, rather than a single “correct” result.
Controls cannot remove the need for judgment or eliminate the variations in
reporting inherent in situations in which a range of acceptable judgments is
possible. Controls can, however, be designed and implemented to address the
process by which accounting judgments are made and thereby, help provide
reasonable assuranc