ENSHRINING AN EFFECTIVE INTERNAL CONTROL SYSTEM – THE COSO FRAMEWORK (PART 2) 

To design and implement an effective internal control system, the Committee of Sponsoring Organisation of the Treadway Commission (COSO) identified five components which must be present and functioning. The five components support the organisation in its efforts to achieve its objectives – operations, compliance, and reporting. The five components are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. They are relevant at all levels of an entity; entity level, divisions, operating units and functions. In the Part 1 of this series, we have learnt the definition and meaning of internal control and its objectives according to the COSO framework. In this second part, we will take a full dive into the components of internal control and the other changes in the new internal control framework of 2013.

THE FIVE COMPONENTS

a. Control Environment

The control environment serves as the basis for the other four components as it refers to the attitude of the board of directors and the top management to internal control. It refers to the tone set at the top of an entity by the senior management and the board of directors about the importance of internal control. Where ethical values are not revered by the top management, then the subordinates will act in detriment of the organisation. 

It comprises the values, standards, policies, procedures and structures that provide the basis for implementing internal control in an entity. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational struc¬ture and assignment of authority and responsibility; the process for attracting, develop¬ing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. 

b. Risk Assessment

Risk is the probability of a negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided or minimized through premptive action. Every organisation faces a myriad of risks from internal or external sources. An organisation is expected to perform risk assessment in order to identify and assess probable risks and to devise action plans to mitigate or eliminate such risks.

Every organisation is required to be pro-active and to continuously scan its environment – internal and external, to identify those risks that may affect it achieving its objectives – operations, compliance and reporting objectives.

c. Control Activities

Control activities refer to those actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. It encompasses segregation of duties, authorization and approval of transactions and activities, physical control over assets, and other control activities over technology.

d. Information and Communication

Information is vital for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the process of providing, sharing, and obtaining information. It could be internal or external communication. Management should ensure that there are well defined lines of communication within the entity – between top management and staff, and without the entity – between the entity and the various stakeholders.

e. Monitoring Activities

This refers to ongoing or separate evaluation of an entity’s internal control system to ascertain whether the other components of internal control are present and functioning. Monitoring activities are designed to provide management with feedback on the internal control system so as to aid management in making corrective actions where necessary.

The five components of internal control, as identified by COSO, are interdependent and must operate together to collectively reduce, to an acceptable level, the risk of not achieving the objectives of an entity. 

One component that I find deficient in most entities is the monitoring activity. Most entities wait till there is a major internal control failure before evaluating and taking corrective actions. Proper evaluations should be done regularly or at periodic intervals by a unit (internal audit unit) in the entity or by an external consultant.

WHAT HAS CHANGED?

One major change brought by the 2013 internal control framework is the codification of 17 principles that support the five components. The 2013 internal control framework expressly states 17 principles representing fundamental concepts associated with the five components of internal control. These principles are further supported by 77 point of focus. The principles and the point of focus are designed to increase management’s understanding of what constitute an effective internal control.

WHAT MUST BE DONE?

In this era where business complexities are growing daily, making it hard for management to effectively manage an entity, enshrining an effective internal control system is a MUST. Every entity must understand the new COSO control framework and apply it in designing and implementing a sound internal control system. Continuous monitoring should be done to ensure that loopholes are blocked and the system is operating effectively. The services of a consultant can be sought in this regard. 

Do you enjoy this article? Kindly share and comment. Do not forget to send in your questions,views, suggestions and queries.

Written by Abayomi Samuel.