The Fundamentals of COSO Internal Control
According to COSO, internal control is a process designed to provide reasonable assurance of the effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. These relate to the business’s objectives, performance, profitability and resources; its financial health; and its compliance with the laws of the jurisdiction in which it operates. COSO defines internal control as a process but these processes are not an end in themselves; they are a means to an end. A bit of COSO history, and how its internal control processes have become the choice of some businesses, may provide some clarity.
COSO, which is the acronym of the Committee of Sponsoring Organisations of the Treadway Commission, was originally established in the US in 1985. It was founded by five major professional associations: the American Accounting Organization (AAA); American Institute of Certified Public Accountants (AICPA); Financial Executives International (FEI); the Institute of Internal Auditors (IIA); and the Institute of Management Accountants (IMA). COSO oversaw the National Commission on Fraudulent Financial Reporting, which was known as the Treadway Commission (named after the original president of the Commission, James C Treadway Jr).
Fraudulent financial reporting is intentional activity or omissions that result in misleading financial statements. In the US in the mid-1980s, the failure of several financial institutions was attributed in large part to fraudulent financial reporting, leading to the establishment of the Treadway Commission to identify factors contributing to these failures, and make recommendations that would reduce future incidents. The Treadway Commission issued its report in 1987. As part of its recommendations to prevent fraud, COSO released its Internal Control – Integrated Framework in 1992, to help organisations assess and improve their internal control systems.
Five interrelated components – control environment, risk assessment, control activities, information & communication, and monitoring – are the basis of internal control under this framework. However, the companies using it found a gap in the internal control framework: it did not help them identify or assess which risks required controls. To address this need, COSO created its Enterprise Risk Management – Integrated Framework in 2004, which went beyond financial statements and included reporting throughout the organisation as well as strategy-setting. But the initial standard still emphasised audit as the driving force behind enterprise risk management.
In May 2013, COSO released a revision of the 1992 “Internal Control – Integrated Framework”. The 2013 revision addressed changes in the business, operating and regulatory environment since the original 1992 release. Under the Sarbanes-Oxley Act (SOX), it became mandatory for listed companies in the US to report on the effectiveness of their internal control over financial reporting. Many firms turned to the COSO 2013 framework to help them comply. Some countries, such as Japan, China and South Korea, also started using the framework concepts.
While the five main components of the original (1992) model remained the same, 17 principles were now included as support for these five components. Each of these 17 principles was supported by ‘Points of Focus’, intended to help a firm applying COSO 2013 to design, implement and conduct its controls and to assess whether the principles were present and functioning. Firms were required to show that each of the principles was addressed. For their internal control to be effective, therefore, they had to demonstrate that the five components and 17 principles were present and functioning.
The five components also had to operate in an integrated manner. The 2013 framework was intended to support the organisation’s ability to cope with change and to provide a strong foundation for the achievement of its goals and objectives. Robust internal control functions were seen as the basis for mitigating most of the risks affecting the firm. As in the 1992 framework, the 2013 framework stressed the commitment of management, through appropriate messaging and a strong tone from the top, to encourage full participation of all sectors of the organisation. The emphasis continued to be on understanding the existing internal controls before making improvements.
What started out as a means to help curb fraudulent financial reporting through more stringent internal controls has grown to address changes in the business environment, the complexity of regulations and constantly evolving technology. This is also in recognition of the increasingly high expectations of the various stakeholder groups. The original framework proffered internal control concepts that have since become institutional knowledge. Thus, more than three decades on, COSO holds that its key concepts and principles can still be applied to the design, implementation, maintenance and assessment of internal control systems.