COSO Committee of Sponsoring Organizations of the Treadway Commission
Because internal control is a part of management's overall responsibility, the five components are discussed in the context of the management of the entity. Not every decision or action of management, however, is part of internal control:
- Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control. However, many decisions reached by the board are not part of internal control; for example approving a particular mission or vision. The board also fulfills a variety of governance responsibilities in addition to its responsibilities for oversight of internal control.
- Making strategic decisions impacting the entity's objectives is not part of internal control. An organization may apply enterprise risk management approaches or other approaches in setting objectives.
- Setting the overall level of acceptable risk and associated risk appetite fn 5 is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is also not part of internal control.
- Selecting and developing controls designed to mitigate risks based on the organization's risk assessment process is a part of internal control; however, choosing which risk response is preferred to address specific risks is not part of internal control.
It is not practical to design and implement a system of internal control unless the entity's objectives are established, set, and specified for the organization. Establishing and setting objectives and related sub-objectives are parts of or flow from the strategic-planning process, with consideration given to laws, rules, regulations, and standards as well as management's own choices. However, internal control cannot dictate or establish what an entity's objectives should be.
As part of internal control, an organization specifies objectives by:
- Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives
- Assessing suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards
- Communicating objectives and sub-objectives throughout the entity
The following diagram illustrates establishing and setting objectives as part of the management process outside of internal control, and specifying and using objectives as part of internal control in the context of an external financial reporting and an operations objective.
External Parties: Establish | Part of the Management Process: Set | Part of Internal Control: Specify | Part of Internal Control: Use |
---|---|---|---|
External parties establish laws, rules, and standards (where applicable) relating to compliance and external financial reporting objectives. | Set strategic objectives and select strategy within the context of an entity's established mission or vision. Set entity-wide objectives and develop risk tolerances based on entity requirements suitable in the circumstances. Align objectives with entity strategy and overall risk appetite. Set objectives and subobjectives for the entity and its subunits suitable in those circumstances. | Articulate specific, measurable or observable, attainable, relevant and time-based objectives and sub-objectives. Assess and affirm suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, and standards. Communicate objectives and sub-objectives throughout the entity and its subunits. | Use specified objectives and sub-objectives as the basis for risk assessment. |
Examples of Financial Reporting Objectives and Sub-Objectives | |||
The Financial Accounting Standards Board (FASB) established accounting principles generally accepted in the United States of America (US GAAP). A regulatory body establishes an accounting standard on revenue recognition. | Our company prepares reliable financial statements reflecting transactions and events in accordance with US GAAP. Our company recognizes sales revenue upon installation of equipment for sales-type capital leases or recognizes rental revenue over the operating lease term. | Management assesses and affirms that US GAAP is suitable in the circumstances. If not, management provides feedback to the objective-setting process. Operating unit financial management assesses and affirms suitability of applicable accounting standards relating to all equipment sales. If not, operating unit financial management provides feedback to the objective-setting process. | Management identifies and assesses risk to preparing reliable financial statements reflecting activities in accordance with US GAAP. Operating unit financial management identifies and assesses risk to recording revenue on equipment sales in accordance with US GAAP. |
Example of Operations Objectives | |||
Not applicable for operations objectives. | Our company seeks to improve performance by increasing inventory turnover ratio to twelve times per year, recognizing that lower inventory levels may result in more backorder items for customers. | Operating unit management assesses suitability of operations objectives relating to inventory turnover and customer back-order goals. If not, operating unit financial management provides feedback to the objective-setting process. | Operating unit management identifies and assesses risk to the achievement of an inventory turnover ratio of twelve times per year. |
fn 5 "Risk appetite" is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission/vision.
Copyright © 2013 – 2016 Committee of Sponsoring Organizations of the Treadway Commission and the American Accounting Association. All Rights Reserved. Use of materials is subject to COSO's Policy of Acceptable Use.