COSO Committee of Sponsoring Organizations of the Treadway Commission
Every individual within an entity has a role in effecting internal control. Roles vary in responsibility and level of involvement, as discussed below.
Depending on the jurisdiction and nature of the organization, different governance structures may be established, such as a board of directors, supervisory board, trustees, and/or general partners, with committees as appropriate. In the Framework, these governance structures are commonly referred to as the board of directors.
The board is responsible for overseeing the system of internal control. With the power to engage or terminate the chief executive officer, the board has a key role in defining expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. Board members are objective, capable, and inquisitive. They have a working knowledge of the entity's activities and environment, and they commit the time necessary to fulfill their governance responsibilities. They utilize resources as needed to investigate any issues, and they have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.
Boards of directors often carry out certain duties through committees, whose use varies depending on regulatory requirements and other considerations. Board committees may be used for oversight of audit, compensation, nominations and governance, risk, and other topics significant for the organization. Each committee can bring specific emphasis to certain components of internal control. Where a particular committee has not been established, the related functions are carried out by the board itself.
Board-level committees can include the following:
- Audit Committee—Regulatory and professional standard-setting bodies often require the use of audit committees. The role and scope of authority of an audit committee can vary depending on the organization's regulatory jurisdiction, industry norm, or other variables. This is sometimes also called the audit and risk committee to emphasize the importance of risk oversight. Management is responsible for the reliability of the financial statements, but an effective audit committee plays a critical oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management regarding how it is carrying out its internal and external reporting responsibilities and to verify that timely corrective actions are taken, as necessary.

As a result of its independence, the audit committee, along with a strong internal audit function as applicable, is often best positioned to identify and promptly act in situations where senior management overrides controls or deviates from expected standards of conduct. The audit committee interacts with external auditors, meeting regularly to discuss the scope of planned audit procedures and the results of audit procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees. While board composition requirements vary, independent directors are important as they can provide an objective perspective. For example, the UK, German, and other corporate governance codes, and the New York Stock Exchange (NYSE) and NASDAQ listing requirements, define the number and criteria for audit committee members to be independent from management and financially literate (e.g., at least one member with accounting or financial management expertise).

- Compensation Committee—Establishes the compensation for the chief executive officer or equivalent and provides oversight of compensation arrangements to motivate without providing incentives for undue risk-taking, so as to ultimately protect and promote the interest of shareholders or other owners of the entity. It oversees senior management in its role to balance performance measures, incentives, and rewards with the pressures created by the entity's objectives, and helps structure compensation practices to support the achievement of the entity's objectives without unduly emphasizing short-term results over long-term performance.

- Nomination/Governance Committee—Provides control over the selection of candidates for directors and senior management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board's composition, operations, and performance; oversees the succession planning process for the chief executive officer and other key executives; and develops oversight discipline, processes, and structures. It promotes director orientations and training and evaluates oversight structures and processes (e.g., board/committee evaluations).

- Other Committees—Other committees of the board of directors that oversee specific areas. These committees are often established in large organizations or due to particular circumstances of the entity. For example, in an industry where compliance with certain laws and regulations is fundamental to the survival or development of the organization, a board-level compliance committee may be necessary. Risk committees are formed to focus on changes in risk levels and related impacts, and on oversight of risk responses. In addition to board committees that provide oversight, management-level committees often exist to provide guidance in the execution of specific areas, such as compliance committees, new product committees, and others.
The chief executive officer (CEO) is accountable to the board of directors and is responsible for designing, implementing, and conducting an effective system of internal control. In privately owned, not-for-profit, or other entities, the equivalent role may have a different title but generally covers the same responsibilities as described below. More than any other individual, the CEO sets the tone at the top that affects the control environment and all other components of internal control.
The CEO's responsibilities relating to internal control include:
- With the support of management, providing leadership and direction to senior management, shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity's internal control system (e.g., specifying entity-wide objectives and policies)

- Maintaining oversight and control over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change, the networked interactions of business partners, outsourced service providers, customers, employees, and others, and the resulting risk factors)

- Guiding the development and performance of control activities at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)

- Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)

- Evaluating control deficiencies and their impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with senior management from each of the operating units, such as research and development, production, marketing, and sales, and from major business-enabling functions, such as finance, human resources, legal, compliance, and risk management, to evaluate how they are carrying out their internal control responsibilities)
Senior management comprises not only the CEO but also other senior executives leading the key operating units and business-enabling functions. Examples include:
- Chief administrative officer
- Chief audit executive
- Chief compliance officer
- Chief financial officer
- Chief information officer
- Chief legal officer
- Chief operating officer
- Chief risk officer
- Other senior leadership roles, depending on the nature of the business
These senior management roles support the CEO with respect to internal control, specifically by:
- Providing leadership and direction to management in terms of shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity's internal control system (e.g., specifying entity-wide objectives and policies)

- Maintaining oversight over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change, the networked interactions of business partners, outsourced service providers, customers, employees, and others, and the resulting risk factors)

- Guiding the development and performance of controls at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)

- Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)

- Evaluating internal control deficiencies and their impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with finance, controllership, risk management, information technology, human resources, and business management from each of the operating units to evaluate how they are carrying out their internal control responsibilities)
Senior management guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verify that they are consistent with the entity-wide objectives. They provide direction, for example, on a unit's organizational structure and personnel hiring and training practices, as well as budgeting and other information systems that promote control over the unit's activities. As such, through a cascading responsibility structure, each executive is a CEO for his or her sphere of responsibility.
Senior management assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit's functions or departments. These subunit managers can play a more hands-on role in devising and executing particular internal control procedures. Often, these managers are directly responsible for determining resource requirements, training needs, and internal control procedures that address unit objectives, such as developing authorization procedures for purchasing raw materials, accepting new customers, or reviewing production reports to monitor product output. They also make recommendations on the controls, monitor their application within processes, and meet with upper-level managers to report on the operation of controls.
Depending on how many layers of management exist, these subunit managers, or lower-level supervisory personnel, are directly involved in executing policies and procedures at a detailed level. It is their responsibility to execute remedial actions as control exceptions or other issues arise. This may involve investigating data-entry errors, transactions flagged on exception reports, departmental expense budget variances, or customer back orders or product inventory positions. Issues are communicated up the organization's reporting structure according to the level of severity. Issues requiring senior management oversight include financial performance, product quality, product safety, workplace safety, community involvement, compliance with emission targets, or other areas related to the achievement of the entity's objectives.
Management's responsibilities come with specific authority and accountability. Each manager is accountable to the next higher level for his or her portion of the internal control system, with the CEO being ultimately accountable to the board of directors, and the board being accountable to shareholders or other owners of the entity.
The chief financial officer (CFO) supports the CEO in front-line responsibilities, including internal control over financial reporting. In certain reporting jurisdictions, the CFO is required by law to certify to the effectiveness of internal control over financial reporting, alongside the CEO.
Various organizational functions or operating units support the entity through specialized skills, such as risk management, finance, product/service quality management, technology, compliance, legal, human resources, and others. They provide guidance and assessment of internal control related to their areas of expertise, and it is incumbent on them to share and evaluate issues and trends that transcend organizational units or functions. They keep the organization informed of relevant requirements as they evolve over time (e.g., new or changing laws and regulations across a multitude of jurisdictions). Such business-enabling functions are referred to as the second line of defense, while front-line personnel execute their control activities.
While each of these functions serves a distinct purpose, their efforts are coordinated and integrated as appropriate. For example, a company's new customer acceptance process may be reviewed by the compliance function from a regulatory perspective, by the risk management function from a concentration risk perspective, and by the internal audit function to assess the design and effectiveness of controls. Disruptions to the business process are minimized when the timing and approach of reviews, and the management of resulting issues, are coordinated to the extent possible. Integration of efforts helps create a common language and platform for evaluating and addressing internal control matters, as business-enabling functions guide the organization in achieving its objectives.
Risk and control functions are part of the second line of defense. Depending on the size and complexity of the organization, dedicated risk and control personnel may support functional management to manage different risk types (e.g., operational, financial, quantitative, qualitative) by providing specialized skills and guidance to front-line management and other personnel and evaluating internal control. These activities can be part of an entity's centralized or corporate organization or they can be set up with "dotted line" reporting to functional heads. Risk and control functions are central to the way management maintains control over business activities.
Responsibilities of risk and control personnel include identifying known and emerging risks, helping management develop processes to manage such relevant risks, communicating and providing education on these processes across the organization, and evaluating and reporting on the effectiveness of such processes. The chief risk/control officer is responsible for reporting to senior management and the board on significant risks to the business and on whether these risks are managed within the entity's established tolerance levels, with adequate internal control in place. Despite these significant responsibilities, risk and control personnel are not responsible for executing controls; they support the achievement of effective internal control across the entity.
Counsel from legal professionals is key to defining effective controls for compliance with regulations and managing the possibility of lawsuits. In large and complex organizations, specialized compliance professionals can be helpful in defining and assessing controls for adherence to both external and internal requirements. The chief legal/compliance officer is responsible for ensuring that legal, regulatory, and other requirements are understood and communicated to those responsible for effecting compliance.
A close working relationship between business management and legal and compliance personnel provides a strong basis for designing, implementing, and conducting internal control to manage adverse outcomes such as regulatory sanctions, legal liability, and failure to adhere to internal compliance policies and procedures. At smaller organizations, legal and compliance roles may be shared by the same professional, or one of these roles can be outsourced with close oversight by management.
Internal control is the responsibility of everyone in an entity and therefore constitutes an explicit or implicit part of everyone's job description. Front-line personnel constitute the first line of defense in the performance of internal control responsibilities. Examples include:
- Control Environment—Reading, understanding, and applying the standards of conduct of the organization

- Risk Assessment—Identifying and evaluating risks to the achievement of objectives and understanding established risk tolerances relating to their areas of responsibility

- Control Activities—Performing reconciliations, following up on exception reports, performing physical inspections, and investigating reasons for cost variances or other performance indicators

- Information and Communication—Producing and sharing information used in the internal control system (e.g., inventory records, work-in-process data, sales or expense reports) or taking other actions needed to effect control

- Monitoring Activities—Supporting efforts to identify and communicate to higher-level management issues in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions
The care with which those activities are performed directly affects the effectiveness of the internal control system. Internal control relies on checks and balances, including segregation of duties, and on employees not "looking the other way." Personnel understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting of such circumstances.
As the third line of defense, internal auditors provide assurance and advisory support to management on internal control. Depending on the jurisdiction, size of the entity, and nature of the business, this function may be required or optional, internal or outsourced, large or small. In all cases, internal audit activities are expected to be carried out by competent and professional resources aligned to the risks relevant to the entity.
The internal audit activity includes evaluating the adequacy and effectiveness of controls in responding to risks within the organization's oversight, operations, and information systems regarding, for example:

- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations and programs
- Safeguarding of assets
- Compliance with laws, rules, regulations, standards, policies, procedures, and contracts
All activities within an organization are potentially within the scope of the internal auditor's responsibility. In some entities, the internal audit function is heavily involved with controls over operations. For example, internal auditors may periodically monitor production quality, test the timeliness of shipments to customers, or evaluate the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance or financial reporting–related activities. In all cases, they demonstrate the necessary knowledge of the business and independence to provide a meaningful evaluation of internal control.
The scope of internal auditing is typically expected to include oversight, risk management, and internal control, and assist the organization in maintaining effective control by evaluating its effectiveness and efficiency and by promoting continual improvement. Internal audit communicates findings and interacts directly with management, the audit committee, and/or the board of directors.
Internal auditors maintain an impartial view of the activities they audit through their skills and authority within the entity. Internal auditors have functional reporting to the audit committee and/or the board of directors and administrative reporting to the chief executive officer or other members of senior management.
Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to that of others and when protected from other threats to their objectivity. The primary protection against these threats is appropriate internal auditor reporting lines and staff assignments. These assignments are made to avoid potential and actual conflicts of interest and bias. Internal auditors do not assume operating responsibilities, nor are they assigned to audit activities with which they were involved recently in connection with prior operating assignments.
Generated November 9, 2014 22:46:48