COSO Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission
Chapter Summary
Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity's objectives. The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty, external events outside the organization's control may arise, and breakdowns can occur because of human failures such as making errors. Additionally, controls can be circumvented by two or more people colluding, and because management can override the system of internal control.
Internal control has been viewed by some observers as ensuring that an entity will not fail—that is, the entity will always achieve its operations, reporting, and compliance objectives. In this sense, internal control sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal control is not a panacea.
In considering limitations of internal control, two distinct concepts must be recognized. The first set of limitations acknowledges that certain events or conditions are simply beyond management's control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any system of internal control is that reasonable assurance be obtained, which is the focus of this chapter. Second, internal control cannot provide absolute assurance for any of the objective categories.
Reasonable assurance does not imply that systems of internal control will frequently fail. Many factors, individually and collectively, serve to strengthen the concept of reasonable assurance. Controls that support multiple objectives or that effect multiple principles within or across components reduce the risk that an entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity's objectives. Indeed, it is likely that these activities often apprise management about the process toward the entity's operations objectives, and also support the achievement of compliance and reporting objectives. However, because of the inherent limitations discussed here, there is no guarantee that, for example, an uncontrollable event, mistake, or improper incident could never occur. In other words, even an effective system of internal control may experience failures. Reasonable assurance is not absolute assurance.
Notwithstanding these inherent limitations, management should be aware of them when selecting, developing, and deploying controls that can, to the extent practical, minimize them.
The Framework specifies several areas that are part of the management process but not part of internal control. Two such areas relate to the governance process that extends the board's role beyond internal control and establishing objectives as a precondition to internal control. There is a dependency established on these areas, among others, to also be effective. For example, an entity's weak governance processes for selecting, developing, and evaluating board members may limit its ability to provide appropriate oversight of internal control. Similarly, ineffective strategy-setting or objective-setting processes would challenge the entity's ability to identify poorly specified, unrealistic, or unsuitable objectives. A system of internal control cannot encompass all activities undertaken by the entity, and weaknesses in these areas may impede the organization from having effective internal control.
| Generated November 9, 2014 22:46:48 |