July 15, 2010

The COSO Internal Control – Integrated Framework

1. What is COSO?
2. What is the Internal Control – Integrated Framework?
3. How is the COSO framework applied at the entity level during the Section 404 assessment process?
4. How is the COSO framework applied at the activity or process level during the Section 404 assessment process?
5. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?
6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?
7. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?
8. Will the COSO framework on enterprise risk management affect the Section 404 assessment?

1. What is COSO?

The SEC’s rules require that the criteria on which management’s evaluation is based be derived from a suitable, recognized control framework established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment. As defined in the Commission’s rules, a “suitable framework” must: be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; be sufficiently complete that relevant factors which would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting. The SEC points out in its rules that the COSO Internal Control – Integrated Framework satisfies this requirement. It acknowledges that other frameworks satisfying the intent of the statute, without diminishing the benefits to investors, may be developed within the United States in the future. Frameworks from other countries may also meet this requirement, e.g., CoCo (Canada), Turnbull (United Kingdom), King (South Africa) or other country-specific authoritative frameworks.

COSO stands for “Committee of Sponsoring Organizations” and is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative often referred to as the Treadway Commission. The Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The sponsoring organizations are the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), Financial Executives International (FEI), Institute of Management Accountants (IMA) and American Accounting Association (AAA). COSO so far has produced four documents, one in 1992 on the Internal Control – Integrated Framework, one in the mid-1990s on derivatives, one in 2004 on the Enterprise Risk Management – Integrated Framework and the most recent in 2005, which provides guidance to smaller public companies applying the integrated internal controls framework to report on internal control over financial reporting.

2. What is the Internal Control – Integrated Framework?

The COSO Internal Control – Integrated Framework defines internal control as a “process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.” The Integrated Framework uses three dimensions, commonly illustrated as a cube, that provide management with criteria by which to evaluate internal controls.

The first dimension is objectives. Internal controls are designed to provide reasonable assurance that objectives are achieved in the following categories: effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (left to right, across the top of the cube).

The second dimension required by COSO is an entity-level focus and an activity-level focus (front to back, across the right side of the cube). Internal controls must be evaluated at two levels: at the entity level, and at the activity or process level.

The third dimension includes the five components of internal controls (bottom to top, on the face of the cube):

  1. Control environment – Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
  3. Control activities – Includes the policies and procedures that help ensure management directives are carried out.
  4. Information and communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  5. Monitoring – Consists of the processes that assess the quality of internal control performance over time.

These five components provide the framework for effective internal control over financial reporting and, in similar fashion, provide a framework more generally for disclosure controls and procedures. They provide the context for evaluating internal control over financial reporting.

These three dimensions represent the Integrated Framework. The framework works in the following manner: For any given objective, such as reliability of financial reporting, management must evaluate the five components of internal control at both the entity level and at the activity (or process) level.

Management must decide on a control framework on which to base its assertions regarding – and its evaluation of – the effectiveness of internal control. We recommend the COSO framework. It meets the test of an authoritative framework as it is widely accepted and reasonably intuitive. The SEC’s rules and interpretive guidance for Section 404 refer to the COSO framework and define “internal control over financial reporting” consistently with the framework. The U.S. professional auditing literature historically has embraced the COSO framework since it was issued. When the PCAOB issued, and subsequently revised, its auditing standard for an audit of the effectiveness of internal control over financial reporting, the Board reaffirmed the COSO report as providing “a suitable and available framework for purposes of management’s assessment” in accordance with Section 404. Banks complying with FDICIA (see Questions 6 and 7) have also used COSO.

If management decides not to use COSO, an alternative framework must be selected. Any framework management chooses to use must meet the SEC’s criteria. If a company chooses to use a non-COSO framework, we suggest that management “map” the framework to COSO to demonstrate coverage of the key COSO components for the benefit of the external auditor and other parties who may challenge the use of the framework. For example, in its interpretive guidance to management, the SEC states the following: Both the COSO framework and the Turnbull Report state that determining whether a system of internal control is effective is a subjective judgment resulting from an assessment of whether the five components [as discussed above] … are present and functioning effectively. Although CoCo states that an assessment of effectiveness should be made against twenty specific criteria, it acknowledges that the criteria can be regrouped into the five-component structure of COSO.

3. How is the COSO framework applied at the entity level during the Section 404 assessment process?

COSO is applied at two levels – the entity level and the activity or process level. At the entity level, each of the five components is broken down into attributes to support the assessment. “Attributes” define the nature of a component. For example, the control environment component is further defined using seven attributes. For each attribute, COSO provides “points of focus” representing some of the more important issues relevant to that attribute. Not all points of focus are relevant to every entity, and additional points of focus may be relevant to some entities. COSO recommends that, for purposes of a controls evaluation, every organization tailor the points of focus to fit its own facts and circumstances; e.g., smaller companies, whose management is closer to the front lines and more knowledgeable of business realities, will often take a different approach than larger companies with several layers of management and multiple operating units.

Both the SEC and PCAOB refer to these controls as “entity-level controls.” These are the controls that management relies on to establish the appropriate “tone at the top” relative to financial reporting. They often have a pervasive or indirect impact on the effectiveness of controls at the process, transaction or application level. At the entity level, management must address the various attributes COSO provides for each component. The following illustration shows the various attributes provided for each of the five components and illustrates points of focus for one attribute – human resource policies and procedures:

To continue with this illustration, human resource policies and procedures are designed to recruit and retain competent people who can achieve the entity’s stated objectives and execute its strategies successfully. The points of focus provided above for “human resource policies and practices” are illustrative and are not intended as a comprehensive list. As noted earlier, management may tailor them to the organization; i.e., management may add, delete and modify points of focus. Management may also add more specific granular questions or issues addressing each point of focus. For example, the first illustrative point of focus above is, “Are there policies, procedures and effective processes for hiring, compensating, promoting, training and terminating employees?” For this point of focus, more granular criteria (not intended as all-inclusive) might include:

To summarize the previous illustration as to how the COSO framework is applied at the entity level:

With respect to conducting the assessment at the entity level, there are several points to keep in mind:

Depending on how the reporting entity (the “issuer” for SEC reporting purposes) divides into control units (see Questions 54 and 55), the stated attributes and points of focus may apply to one unit but not to another. All assessments of the control environment for the various control units must be taken into account for management to reach an overall enterprisewide conclusion with respect to the control environment.

For example, consider a reporting entity with several highly autonomous operating units included in its consolidated statements. Assume that each of the operating units represents a control unit along with the reporting entity. For purposes of assessing the control environment:

In summary, the extent of top management’s control over the consolidated reporting entity, the diversity in the nature and types of operations and business units, the unique risks inherent in those operations and business units, and other factors impact the project team’s approach to assessing the entity-level controls.

4. How is the COSO framework applied at the activity or process level during the Section 404 assessment process?

Just as it is applied at the entity level, the COSO framework is also applied at the activity or process level. When assessing the “design effectiveness” of process-level controls over financial reporting and documenting that assessment, the five COSO components are considered, as shown in the following illustration:

From a practical standpoint, when performing a review of internal control over financial reporting, most of the attention at the process level focuses on control activities and the monitoring of those activities. Once the assertions related to reliability of financial reporting are generally understood and documented (see Questions 71 and 72 for two illustrative groups of financial reporting assertions), control activities most directly address those assertions. Monitoring provides assurance that the control activities are performing as intended.

Control Activities
The control activities in place should provide reasonable assurance that management’s financial reporting objectives or assertions are met. It is important to note that the SEC’s interpretive guidance states that, through a top-down, risk-based approach, management focuses on those controls that are needed to prevent or detect a material misstatement in the financial statements. In this regard, management may identify controls for a financial reporting element that are preventive, detective or a combination of both. Management is not required to identify the entire population of controls, just those controls that adequately address the risk of a material misstatement. To illustrate, if a particular risk is addressed by an entity-level control or by a few controls within a process, the SEC’s interpretive guidance states that management is not required to identify and document all controls within the process.

The SEC states that “[e]ntity-level controls may be designed to operate at the process, application, transaction or account level and at a level of precision that would adequately prevent or detect on a timely basis misstatements in one or more financial reporting elements that could result in a material misstatement of the financial statements.” The Commission also states that other entity-level controls comprise the control environment (e.g., the “tone at the top” and entitywide programs, such as codes of conduct and fraud prevention) and “have an important, but indirect, effect on the likelihood that a misstatement will be prevented or detected on a timely basis.” Therefore, the so-called direct entity-level controls may be considered “control activities” because they operate at a sufficient level of precision to support a conclusion that they are effective in preventing or detecting material misstatements and reduce financial reporting assertion risk to an acceptable level. The so-called indirect controls – those with an indirect effect on the likelihood a misstatement will be detected or prevented – are also important, because their absence increases the risk of a control failure. The existence of direct entity-level controls, along with controls that monitor the effectiveness of other controls, allows the evaluator to reduce the scope of testing of process-level controls.

The distinction between direct and indirect entity-level controls is important from the standpoint of testing process-level controls. An entity-level control to monitor the results of operations may be designed to detect potential misstatements and investigate whether a breakdown in lower-level controls occurred. In these instances the SEC states: “If the amount of potential misstatement that could exist before being detected by the monitoring control is too high, then the control may not adequately address the financial reporting risks of a financial reporting element.” Therefore, the control is indirect in nature.

Once the key control activities are identified, management must evaluate their design and operational effectiveness:

There are many examples of control activities applied at the process level. Illustrative examples of control activities are provided in our response to Question 93.

Monitoring Activities
At the process level, monitoring activities address the effectiveness of the key control activities built into the process, as well as the effectiveness of the control environment, risk assessment and information/communication components. Monitoring activities consist of both ongoing monitoring and separate evaluations. Ongoing monitoring arises from regular management and supervisory activities, comparisons, reconciliations, and other formal and informal mechanisms in the ordinary course of business that provide continuous feedback as to the effectiveness of internal controls. Examples of ongoing monitoring activities include:

Senior and unit management, process owners and internal audit periodically take a fresh look at the components of internal controls (including the ongoing monitoring procedures) to evaluate their effectiveness. These initiatives are called “separate evaluations.” Internal audit reviews are a common example.

Monitoring requires protocols and processes for capturing, reporting and following up on deficiencies to ensure all significant deficiencies, or deficiencies that could eventually become significant, are considered and resolved in a timely manner.

The preceding discussion has focused on the two COSO components that are most prevalent at the activity or process level – control activities and monitoring. With respect to the risk assessment, control environment and information/communication COSO components, generic questions may be developed for application at the activity or process level to facilitate evaluation of those components at that level. To illustrate, following are examples of generic questions applicable to each of these three components that may be customized to virtually any significant process.

Risk Assessment
Business processes are exposed to risk from external and internal sources. These risks must be assessed in terms of their impact on the achievement of process objectives. Process owners must either establish a process or be part of an established process to effectively identify and evaluate the risks in the external and internal environment that present threats to the achievement of process objectives.

Following are appropriate questions pertaining to the risk assessment component at the activity or process level:

Control Environment
Process owners must establish an effective control environment to provide discipline, structure and a strong foundation for control within the process. The control environment consists of the control owners and other personnel responsible for executing the process and the environment in which they operate. It sets the tone for the effective functioning of the process, influencing the control consciousness of everyone involved in making the process work. It is the foundation for all other components of internal control within the process.

Following are appropriate questions pertaining to the control environment at the activity or process level:

Information and Communication
Relevant and reliable information is essential to understanding what is really happening in the external environment and in the entity’s business processes. The right performance measures and effective communication processes are essential to ensure that important messages relating to internal control are communicated and managed within a process.

Following are appropriate questions pertaining to the information/communication component at the activity or process level:

5. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?

At the process level, most of the controls will consist of control activities and monitoring. The remaining three COSO components – control environment, risk assessment and information/communication – can be addressed by tailoring relevant questions listed in Question 42 to the appropriate processes. There are a variety of ways these three components can be documented at the process level. Some auditors have insisted that all five components be addressed for each critical process. Others point out that the risk assessment component is generally applied at the entity and business-unit levels. Elements of the control environment and information/communication clearly apply to the processes because process owners set the tone for their subordinates, and must have information with which to manage the process and communicate with others on important topics. Monitoring at the process level often includes ongoing supervisory activities by process owners, including review and follow-up on exceptions and issues identified through reports, reconciliations, comparisons, confirmations and other sources of process performance information (see Question 42 for other examples). Monitoring also includes separate evaluations by internal auditors and others.

6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?

Section 404 does not require management to evaluate internal controls over operations, except to the extent that such controls overlap with financial reporting controls. For example, defining processes, documenting procedures, analyzing root causes and supervising activities are operational controls that may also be relevant to financial reporting activities.

There are potentially strong sources of value extending beyond mere compliance with Section 404. Sections 302 and 404 of Sarbanes-Oxley provide the “launching pad” to improve processes and the internal control structure and enhance entity-level and process-level monitoring of financial reporting processes. Because Sarbanes-Oxley forces public companies to assess weaknesses in their business processes, including their controls over processing information, the line between reliable financial reporting and operational effectiveness and efficiency can be a blurry one. Financial reporting processes for many companies are often dependent on people and manually intensive detective controls and are sometimes inadequately defined. Because this dependency leads to a focus on detecting and correcting errors leading to costly rework, it provides a significant opportunity to “build in” (versus “inspect in”) quality, optimize costs and compress time within the organization’s processes while simultaneously reducing its financial reporting risks. Compressing time in the close process can be especially important due to the accelerated SEC filing deadlines for Forms 10-K and 10-Q of large accelerated filers and accelerated filers (see Question 242). In today’s environment, it is impossible to improve cost, quality and time process performance without also automating controls and improving the balance of preventive and detective controls.

With respect to compliance with laws and regulations, financial reports issued to the public are governed by SEC rules and regulations with which companies must comply. Thus, some compliance controls may be germane to financial reporting, e.g., monitor the SEC regulatory environment, assess impact of changes, clearly articulate company reporting policies and communicate such policies throughout the organization. In the final Section 404 rule, the SEC said that Section 404, in general, does not cover compliance with laws and regulations. Notwithstanding the SEC’s statement, if a company is NOT complying with specific laws and regulations, the question arises as to whether that noncompliance must be identified and assessed by the company’s disclosure controls to determine whether there is a possible impact on the financial statements or on other disclosures in the company’s current or periodic public reports.

Management always has the option to expand the review of its processes, risks and controls to other categories of objectives, e.g., operational effectiveness and efficiency, and compliance with applicable laws and regulations. If management chooses to do so, however, that action is a business decision and not a Sarbanes-Oxley-driven initiative. (See Question 22.)

7. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?

The COSO framework has been available for companies to use since the early 1990s. Many internal audit departments use it in organizing and documenting assessments of internal controls. However, the fact that the framework has been used by internal auditors or by anyone else does not by itself mean a company is prepared to demonstrate compliance with Section 404. Prior use of the COSO framework does, however, mean that the existing documentation will likely be more useful and comprehensive for purposes of preparing Section 404 documentation.

8. Will the COSO framework on enterprise risk management affect the Section 404 assessment?

No. When COSO released the Enterprise Risk Management – Integrated Framework and the accompanying Application Techniques volume in September 2004, it made clear that the ERM framework would not replace the Internal Control – Integrated Framework. The Integrated Framework continues as a viable and authoritative framework for companies to use when evaluating the effectiveness of internal control over financial reporting.

