1.1 COSO Flashcards

1
Q

The (COSO) Integrated Framework “Cube” Model for Internal Control
The COSO integrated framework for designing, implementing and evaluating internal control (2011) is a cube, i.e., it has three dimensions.

A
  1. What is internal control, i.e., its fundamental components;
  2. Why we have internal control, i.e., its goals or objectives;
  3. Where we have internal control, i.e., the units of analysis where we will design, implement, and test internal control.
2
Q

What is Internal Control? The Five Components – The first dimension identifies five fundamental components of an internal control system:

A
  1. Control environment – Management’s philosophy toward controls, organizational structure, system of authority and responsibility, personnel practices, policies, and procedures. This component is the core or foundation of any system of internal control.
  2. Risk assessment – The process of identifying, analyzing, and managing the risks involved in achieving the organization’s objectives.
  3. Information and communication – The information and communication systems that enable an organization’s people to identify, process, and exchange the information needed to manage and control operations.
  4. Monitoring – In order to ensure the ongoing reliability of information, it is necessary to monitor and test the system and its data.
  5. Control activities – The policies and procedures that ensure that actions are taken to address the risks related to the achievement of management’s objectives.
3
Q

Why do we have internal control? The three objectives – The second dimension of the cube (horizontal space in the first diagram in this lesson) identifies the three fundamental objectives of a system of internal control. These are:

A
  1. Operations – The effective and efficient use of an organization’s resources in pursuit of its core mission.
  2. Reporting – Preparing and disseminating timely and reliable information, including financial and nonfinancial information, and internal and external reports.
  3. Compliance – Complying with applicable laws and regulations.
4
Q

Where do we have internal control? Units and activities – The third dimension of the cube (depth in the first diagram in this lesson) specifies the units and activities that must be controlled within the organization.

A

For example, in a business organization, accounting controls are likely to be necessary in relation to sales, production, marketing, finance, and IT.

5
Q

COSO Internal Control Principles

A

The most recent COSO model (released as an exposure draft in 2011) includes 17 control principles that are organized around the five fundamental components (i.e., the “what”) of an internal control system.

6
Q

Control Environment—Five Principles –

A
  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and oversees the development and monitoring of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives, including the integration of organizational structures and of services such as outsourced service providers.
  4. Competence – The organization demonstrates a commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives.
  5. Accountability – The organization holds individuals accountable for their internal control responsibilities.
7
Q

Risk Assessment—Four Objectives –

A
  1. Objectives – The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks that threaten the achievement of objectives.
  2. Assessment – The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed.
  3. Fraud – The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  4. Change management – The organization identifies and assesses changes in the external environment, business model and organizational leadership that could impact the system of internal control.
8
Q

Control Activities—Three Principles –

A
  1. Risk reduction – Organizational control activities mitigate (i.e., reduce) the risks to the achievement of objectives to acceptable levels.
  2. Technology controls – The organization selects and implements general controls over technology which support the achievement of its objectives.
  3. Policies – The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.
9
Q

Information and Communication—Three Principles –

A
  1. Quality – Relevant, high-quality information supports the internal control processes.
  2. Internal – Internal communication supports internal control processes.
  3. External – Communication with outsiders supports internal control processes.
10
Q

Monitoring Activities—Two Principles –

A
  1. Ongoing and periodic – Ongoing and separate evaluations assess whether internal control is functioning as intended.
  2. Address deficiencies – Parties responsible for taking corrective action, including senior management and the board of directors, receive timely communication of internal control deficiencies.
11
Q

The COSO ERM Model (ERM = Enterprise Risk Management)
Following the high-profile business scandals and failures of the early 2000s, COSO in 2004 expanded its model to facilitate a broader understanding of the entity’s overall strategies and goals, and of the threats to those strategies and goals.

A

The resulting ERM model expands upon, rather than replaces, the earlier integrated framework for internal control. Similar to the integrated framework model, the ERM model is concerned with “what,” “why,” and “where” questions related to ERM.

12
Q

The COSO ERM model has the following components:

A

a. Why manage risk? Four elements on the horizontal, representing the objectives of managing enterprise risk: strategic, operations, reporting, and compliance
b. What will we manage? Eight control components (expanded from five in the original COSO model)—shown in rows
c. Where will we manage risk? Four organizational levels, indicated in the third dimension (depth)

13
Q

Why manage risk? Risk management objectives – Organizational objectives impact the design and implementation of control systems. For example, an organization that wants to foster creativity and independence may not want to implement rigid work schedules.

A

a. Strategic objectives – High-level goals that support the overall mission of the organization
b. Operations objectives – Goals that deal with the day-to-day operating activities of the organization (sales activities, warehousing, manufacturing, etc.)
c. Reporting objectives – Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting
d. Compliance objectives – Goals designed to ensure that the organization meets all legal and regulatory requirements

14
Q

Where will we manage risk? Organizational levels

A

Risks and objectives differ depending on the specified organizational level; accordingly, four business levels are included in the model: entity-level, division, subsidiary, and business unit.

15
Q

What will we manage? Additional control components – The ERM model adds three components to the five components of internal control specified by the integrated framework model. A reminder: the five components in the integrated framework model are: control environment (called “internal” environment in the ERM model), risk assessment, information and communication, monitoring, and control activities:

A
  1. Objective setting – Ensures that the company establishes objectives at each of the four specified levels (strategic, operational, reporting, and compliance)
  2. Event identification – Events that might affect, either positively or negatively, the organization’s ability to meet its objectives
  3. Risk response – Depending on management’s appetite for risk, observed risks may be avoided, reduced, shared, or accepted
16
Q

Analyzing and Decomposing Risk

Risk can be usefully analyzed, or decomposed, into its constituent elements or parts. These elements or parts include:

A
  1. The likelihood of a loss. How likely is a loss?
  2. The amount of a loss, should one occur.

The expected value of a loss is the likelihood of the loss, multiplied by the amount of a loss, should one occur.

17
Q

How Does Monitoring Benefit Corporate Governance?

Monitoring is the core, underlying control component in the COSO ERM model. Its position at the foundation is not accidental and reflects the importance of monitoring to achieving strong internal control and effective risk management.

A

Why is control monitoring important?

  1. People forget, quit jobs, get lazy, or come to work hung over; machines fail. Over time, controls deteriorate. This deterioration is called “entropy.”
  2. Advancements in technology and management techniques demand that internal control and related monitoring processes continually evolve and improve.
18
Q

Monitoring evaluates the internal control system’s ability to manage or mitigate “meaningful risks” to organizational objectives. A meaningful risk is one with potential consequences for organizational objectives.

A

Monitoring should be both

(a) ongoing and continuous, and
(b) periodic, i.e., through separate, formally designed and designated evaluation processes.

19
Q

Methods for reviewing control processes may include:

A
  1. Review processes that incorporate reviews of flowcharts and of risk and control documentation
  2. Benchmarking assessments comparing organizational controls and processes with best practices in comparable functions
  3. Questionnaires that assess the extent to which controls are operating as stipulated
  4. Focus groups and interviews to identify concerns and surprises related to changes in the system of internal control
20
Q

COSO Model of Control Monitoring

A

A. Establish a foundation for monitoring, including (1) a positive tone at the top; (2) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity, and authority; and (3) a starting point or “baseline” of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;
B. Design and execute monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and
C. Assess and report control evaluation results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.

21
Q

Baseline Understanding of Internal Control Effectiveness

As part of establishing a foundation for monitoring, COSO specifies a four-stage process for moving from an initial understanding of control effectiveness to a revised and enhanced understanding of control effectiveness, including an assessment of the presence and effects of changes in controls or risks. The following figure illustrates this process, which is called the “monitoring-for-change continuum.”

A
  1. Establish a control baseline – Begin with an area in which controls on risk are well understood, or do extensive initial assessment to gain an understanding of controls and risk within a specific area of the organization. This baseline understanding of control effectiveness provides a starting point for enhanced monitoring.
  2. Identify changes – Identify changes in the operation or design of controls, or in the related risks. This often includes ongoing and separate evaluations to identify, and address, potential changes in internal control effectiveness.
  3. Manage changes – When changes occur, verify that controls remain effective despite the identified changes in controls and/or risks. This establishes a new control baseline for the modified controls.
  4. Revalidate control baseline –
    a. Ideally, ongoing monitoring procedures will use highly persuasive information. If this is the case, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline.
    b. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring will need to revalidate control operation through separate evaluations using appropriately persuasive information.