COSO Committee of Sponsoring Organizations of the Treadway Commission
Internal control helps entities achieve important objectives and sustain and improve performance. COSO's Internal Control—Integrated Framework (Framework) enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.
Designing and implementing an effective system of internal control can be challenging; operating that system effectively and efficiently every day can be daunting. New and rapidly changing business models, greater use and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and other challenges demand that any system of internal control be agile in adapting to changes in business, operating, and regulatory environments.
An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity. Management and internal auditors, among other personnel, apply judgment as they monitor and assess the effectiveness of the system of internal control.
The Framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. It does so by providing both understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.
For management and boards of directors, the Framework provides:
- A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
- A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels
- Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together
- A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures
- An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives
- An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity's objectives
For external stakeholders of an entity and others that interact with the entity, application of this Framework provides:
- Greater confidence in the board of directors’ oversight of internal control systems
- Greater confidence regarding the achievement of entity objectives
- Greater confidence in the organization's ability to identify, analyze, and respond to risk and changes in the business and operating environments
- Greater understanding of the requirement of an effective system of internal control
- Greater understanding that through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls
Internal control is not a serial process but a dynamic and integrated process. The Framework applies to all entities: large, mid-size, small, for-profit and not-for-profit, and government bodies. However, each organization may choose to implement internal control differently. For instance, a smaller entity's system of internal control may be less formal and less structured, yet still have effective internal control.
The remainder of this Executive Summary provides an overview of internal control, including a definition, categories of objective, description of the requisite components and associated principles, and requirement of an effective system of internal control. It also includes a discussion of limitations—the reasons why no system of internal control can be perfect. Finally, it offers considerations on how various parties may use the Framework.
Internal control is defined as follows:
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
This definition reflects certain fundamental concepts. Internal control is:
- Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
- A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
- Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
- Able to provide reasonable assurance—but not absolute assurance, to an entity's senior management and board of directors
- Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.
Generated November 9, 2014 22:44:53