Assurance – Coso Model of Internal Control

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) was established in the United States after the excesses of the 1980s and the associated corporate collapses. Its role was to research the causes of these collapses and recommend improvements in governance and control systems for corporations. The Treadway Commission released the Internal Control – Integrated Framework in July 1994 and this is known as the COSO model of internal control.

According to COSO, ‘internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives’[1]. These objectives relate to effectiveness and efficiency of operations, reliability in financial reporting and compliance with relevant laws and regulations.

A number of characteristics of internal control emerge from this definition. Internal control is clearly a process produced by people and designed to achieve certain objectives. Further, internal control can provide reasonable assurance to management in relation to these objectives.

Internal control comprises five overlapping components. These components are: control environment, risk assessment, control activities, information and communication, and monitoring. Each category is outlined below.

Control Environment

The control environment has a pervasive influence on an organisation, including its objectives, business activities and the control consciousness of its people. There are a number of factors that affect the control environment. These include the integrity, ethical values and competence of the organisation’s people; management’s philosophy and operating style; the way authority and responsibility are assigned; human resources policies and practices; the attention and direction provided by the Board of Directors.

Risk Assessment

Risk assessment is the identification and analysis of risks to achieve organisational goals and objectives. Management is to determine how much risk is prudently acceptable and manage risks within these levels. As the economy, industry and operating conditions are constantly changing, the organisation is to ensure there are processes in place to identify, control and finance risks.

Control Activity

Control policies and procedures help to ensure that actions are taken to address the risks facing an organisation and to ensure management directives are carried out. Control measures are implemented at all levels and in all functions of an organisation. They include approvals, authorisations, verifications, reconciliations and segregation of duties.

Monitoring

The internal control systems of an organisation need to be monitored. The monitoring process assesses the quality of a system’s performance over time. This process involves ongoing monitoring activities during the course of operations and separate evaluations. It also includes regular management and supervisory activities, and other actions taken during performance of duties. The regularity and scale of monitoring should depend on the magnitude of risks and the effectiveness of ongoing monitoring procedures.

[1] Committee of Sponsoring Organisation of the Treadway Commission, Internal Control – Integrated Framework, July 1994, p 3.