COSO Committee of Sponsoring Organizations of the Treadway Commission
A number of external parties can contribute to the achievement of the entity's objectives, whether by performing activities as outsourced service providers or by providing data or analysis to functional/operational personnel. In both cases, functional/operational management always retains full responsibility for internal control.
Many organizations outsource business functions, delegating their roles and responsibilities for day-to-day management to outside service providers. Administrative, finance, human resources, technology, legal, and even select internal operations can be executed by parties outside the organization, with the objective of obtaining access to enhanced capabilities at a lower cost. For example, a financial institution may outsource its loan review process to a third party, a technology company may outsource the operation and maintenance of its information technology processing, and a retail company may outsource its internal audit function. While these external parties execute activities for or on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks. It must implement a program to evaluate those activities performed by others on their behalf to assess the effectiveness of the system of internal control over the activities performed by outsourced service providers.
Customers, vendors, and others transacting business with the entity are an important source of information used in conducting control activities. For example:
- A customer can inform a company about shipping delays, inferior product quality, or failure to otherwise meet the customer's needs for product or service. Or a customer may be more proactive and work with an entity in developing needed product enhancements.
- A vendor can provide statements or information regarding completed or open shipments and billings, which may be used to identify and correct discrepancies and to reconcile balances.
- A potential supplier can notify senior management of an employee's request for a kickback.
- Experts can provide market data to help the organization adapt its business model and supporting processes and controls to new challenges and opportunities.
- A non-governmental organization or newspaper may publish reports on working or environmental conditions at a supplier or sub-supplier.
Such information sharing between management and external parties can be important to the entity in achieving its operations, reporting, and compliance objectives. The entity has mechanisms in place with which to receive such information and to take appropriate action on a timely basis—that is, it not only addresses the particular situation reported, but also investigates the underlying source of an issue and fixes it.
In addition to customers and vendors, other parties, such as creditors, can provide insight on the achievement of an entity's objectives. A bank, for example, may request reports on an entity's compliance with certain debt covenants and recommend performance indicators or other desired targets or controls.
In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of internal control over external financial reporting in addition to auditing the entity's financial statements. (In some jurisdictions, the auditor is also legally required to express an opinion on the effectiveness of the internal control over external financial reporting in addition to his or her opinion on the financial statements.) Results of these audits enable the auditor to provide information to management that will be useful in conducting its oversight responsibilities. These reports and communications may include:
- Observations including analytical information and recommendations for use in taking actions necessary to achieve established objectives
- Findings of internal control deficiencies that come to the attention of the auditor, and recommendations for improvement
Notwithstanding the depth and nature of the independent auditor's work, this is not a replacement or a supplement to an adequate system of internal control, which remains the full responsibility of management.
Such information frequently relates not only to financial reporting but to operations and compliance activities as well. The information is reported to and acted upon by management and, depending on its significance, to the board of directors or audit committee.
Subject matter specialists can be solicited or mandated to review specific areas of the organization's internal control. Recognizing the various requirements or expectations of its stakeholders, an organization often seeks expert advice to translate these into policies and procedures, as well as communications and training, and evaluation of adherence to such requirements and standards. Workplace safety, environmental concerns, and fair trade practices are some examples of areas where an organization proactively seeks to ensure that it is complying with governing rules and standards. Certain functional areas may also be reviewed to promote greater effectiveness and efficiency of operations, such as compliance reviews, information systems penetration testing, and employment practices assessments.
Legislators and regulators can affect the internal control systems through specific requirements to establish internal control across the organization and/or through examinations of particular operating units. Many entities have long been subject to legal requirements for internal control. For example, companies listed on a US stock exchange are expected to establish and maintain a system of internal control, and legislation requires that senior executives of publicly listed companies certify to the effectiveness of their company's internal control over financial reporting.
Various regulations require that public companies establish and maintain internal accounting control systems that satisfy specified objectives. Various laws and regulations apply to financial assistance programs, which address a variety of activities ranging from civil rights to cash management, and specify required internal control procedures or practices. Several regulatory agencies directly examine entities for which they have oversight responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on certain aspects of the banks’ internal control systems. These agencies make recommendations and are frequently empowered to take enforcement action. Thus, legislators and regulators affect the internal control systems in several ways:
- They establish rules that provide the impetus for management to establish an internal control system that meets statutory and regulatory requirements.
- Through examination of a particular entity, they provide information used by the entity's internal control system and provide comment letters, recommendations, and sometimes directives to management on needed internal control system improvements.
- They may receive and, in turn, investigate whistle-blower allegations.
Financial analysts, bond rating agencies, and news media personnel analyze management's performance against strategies and objectives by considering historical financial statements and prospective financial information, actions taken in response to conditions in the economy and marketplace, potential for success in the short and long term, and industry performance and peer-group comparisons, among other factors. Such investigative activities can provide insights, among many other outcomes, into the state of internal control and how management is responding to enhancing internal control.
Generated November 9, 2014 22:46:48