The new draft internal control framework (ICF) from COSO includes guidance on how to assess whether the system of internal control is effective.
In this post, I am going to try to summarize what the document says. I then will ask your views on whether you agree with this way of assessing the adequacy of internal control. (BTW, I am going to limit the discussion to COSO lingo and not introduce any ISO or other terms.)
We have to start with the definition of internal control, which is unchanged from the 1992 edition:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Before taking on the issue of evaluation, let’s look at two key phrases in the definition above: “reasonable assurance” and “objectives”:
Reasonable assurance
The discussion in the draft of “reasonable assurance” (in paragraphs 21-22) does not use risk management terms. (What I mean by that is that it doesn’t talk about ensuring the risk to the achievement of objectives is acceptable, within organizational tolerances). It simply acknowledges that factors outside the system of internal control (such as human error or judgment) can affect achievement of objectives. As a reminder, here is the definition of enterprise risk management from the COSO ERM framework:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Objectives
In paragraph 30, the ICF draft provides a nice summary:
“An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.”
It is arguable whether objectives such as obtaining a 30% operating margin, growing revenue by 10%, or improving customer satisfaction by 10% can be readily placed within the three categories of objectives identified in the draft.
The COSO ERM framework adds a fourth category of objectives to the three in the ICF. It describes the four as:
The examples of business objectives I listed earlier would presumably fit under “Strategic”. I can’t explain why the ICF draft does not include this category. In lieu of a Strategic category, they would have to fit in the Operations group.
Assessing internal control effectiveness
The draft ICF starts the discussion at paragraph 71:
“An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.”
As a reminder, the three categories of objectives are Operations, Reporting, and Compliance. The five components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
The assessment flow continues at paragraph 76:
“In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning.”
For each of the five components, the draft ICF describes principles: 5 for Control Environment, 4 for Risk Assessment, 3 for Control Activities, 3 for Information and Communication, and 2 for Monitoring – a total of 17.
Moving to 78:
“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning.”
The key
As I read it, the draft is saying:
The issues
My major issues are:
My preference
In other words, simplify the assessment flow to answering one question:
Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?
This question can be applied to the strategies and objectives for creating value – as a whole, for a group of strategies/objectives, or for individual strategies/objectives.
Do you agree? If not, please share your views.
I have a poll where I would appreciate your vote. Unfortunately, due to limitations of the polling software, I can only put it in one place, so please visit this site to vote.