COSO is an organization that is dedicated to ensuring that there is thorough leadership. It does this by providing internal control and risk management guidance and framework in order to improve the performance of organizations and reduce fraud. COSO is sponsored by, “American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, and The Institute of Internal Auditors” (COSO i).
Internal control can be defined as a process that the management and the board of directors of a company design with the ultimate aim of providing assurance on the objectives of the organization in operations effectiveness, transparency, and reliability of reporting. The process also looks into whether the operations are in line with the set laws and regulations. Internal control should be taken as a continuous undertaking that aims at achieving given objectives. Internal control has to be implemented by people, not systems and policy manuals. It is important to note that every member of the organization has to contribute to making internal control a success. The internal control process is geared towards the achievement of organizational objectives.
The success of an organization is highly dependent on its internal control. The process of internal control helps the management to gain better control of the organization. The internal control also enables the board of directors to have the ability to oversee internal control. When an organization has proper internal control, the management and the organizational leaders can be able to maintain the focus on goal achievement by improving the organization’s operations efficiency and effectiveness. The current business environment is dynamic and changes are occurring rapidly.
This means that internal control should be embraced since it helps the organization to be more effective in coping with the changing environment, as well as maintaining the organization’s competitive advantage. Every organization has its own established mission, strategies, and objectives that it needs to achieve. An organization can have a general objective that it has to achieve or the objectives can be set for various departments within it. Below are the five elements that make up the internal control process: “control environment, risk assessment, control activities, information and communication, and monitoring activities” (COSO 5).
This is a set of structures that are put in order to help in conducting internal control within and across the organization. The leaders of the organization have the responsibility of creating this environment. To do this, they should first recognize the importance of internal control and then acknowledge the expected standards. The managers have to prepare the entire organization for the internal control process. The work of leaders is to embolden the workers in the organization. This way, each department is aware of the objectives it is supposed to achieve, and workers in that department work towards these objectives.
The organization ought to uphold ethical values and insist on integrity. These two factors make up the control environment. With the environment set, the board of directors is able to execute their governance duties as well as take responsibility for the organizational structure and authority. The importance of setting up a controlled environment is that the organization is able to attract more individuals who are willing to work for it. It is, therefore, easy for the firm to get the best talents that can assist in developing the organization in achieving its financial and operational objectives. Workers provide the innovation that is required to maintain the competitiveness of the organization in the current business environment.
It is imperative to note that setting the control environment might include motivating employees through incentives, rewards, and other means of rewarding employees. This maintains employees’ drive to improve on their performance and, in turn, the performance of the organization.
The control environment tenet is guided by 5 principles:
- There should be an assurance that the firm observes ethics and issues of integrity
- Secondly, the board of directors should show their ability to manage the organization independently and at the same time oversee the development of internal control.
- Thirdly, the management should establish structures and strategies that will be followed by the organization in pursuing its objectives.
- Fourth, the organization should indicate its commitment and willingness to attract people who are competent to work in it and who have the ability to move the organization towards the achievement of its set objectives.
- Workers who are mandated to do internal control and fulfill various objectives should be fully accountable.
Risk is inevitable in any business entity. Risks are either external or internal. Risks can be defined as events that may occur and have the ability to affect the performance of the organization negatively. These events are unpredictable in most cases, thus every organization is vulnerable to risk. It is important to carry out a risk assessment. This is the process of identifying risks that can be incurred during the pursuit of organizational objectives. It is easy for organizational managers to devise ways that can be used to manage any potential risks once a thorough assessment has been conducted. This reduces the losses that might result in an event of a risk. The management should be considerate of the effects that might result from any changes that might occur in the external environment as well as from within the organization while assessing risks. These effects can make the internal controls become ineffective.
Four principles form the core of this component as outlined below:
- The objectives of the firm should be clearly identified.
- Secondly, the organization should identify the risks that are associated with its objectives’ achievement, analyze the risks, and then come up with ways in which the risks can be managed.
- Thirdly, the firm ought to evaluate the possibility of fraud occurring.
- Fourth, the organization should identify any changes that are likely to have a significant effect on the system of internal control.
These entail the activities that are part of the policies that are used to curb risks that may result in the process of internal control. The activities have to be exercised at all levels of the organization to increase the chances of achieving the organizational objectives. The activities take place in every process in the business. The activities also occur at the level of the technological environment. These activities are mostly preventive. Nevertheless, it is also possible to have detective control activities.
The following are the principles that relate to the control activities’ component:
- Firstly, the organization has to develop control activities that help in risk mitigation to achieve the set objectives.
- The firm ought to have technological control measures in place to help in the attainment of the objectives.
- Finally, the organization should deploy these activities in relation to set procedures that can implement the policies.
Information and communication
Communication and information are two very important components in any organization. For an organization to achieve its objectives, it should ensure that it has effective internal sources of information and communication. The management should be able to use information from both within and without the organization. The information should be relevant to facilitate the achievement of organizational goals. Communication is important since it facilitates the process of obtaining the necessary information. While internal communication is where the organization gets information from within, external communication is where information is received from outside the organization.
The following are the principles that relate to the information and communication component:
- In the first place, the organization has to use relevant information in order to support the functioning of other components of internal control.
- Secondly, the organization makes internal communication on the information regarding the goals and responsibilities for internal controls.
- Finally, the organization should communicate to the external parties on issues that might affect its goal achievement process.
These are the evaluations that are followed up by the management in order to ensure that all the components of internal control are working as expected and assess whether the components are having a positive impact on the organization. The evaluations ought to be integrated within the business processes. Moreover, these evaluations should be conducted at the various levels in the firm. It is also emphasized that the evaluations should be done in a scheduled manner. Nevertheless, these evaluations should be varied in terms of frequency and scale. Below are the tenets that form the monitoring pillar:
- The organization has to select, develop, and then perform separate evaluations to ensure that the internal controls are in place and functioning.
- Secondly, the organization should communicate internal control deficiencies in time to allow corrective measures to be taken in time by the senior management and the rest of the organizational leaders.
COSO. Internal Control-Integrated Framework. American Institute of Certified Public Accountants, 2011. Print.