Under the COSO model a system of internal controls is a process that is made up of five interrelated components. All are applicable to organizations of any size or type, but organizations can apply them in different ways. The five components are aimed at achieving one or more of the objectives listed above. The five components are:
Control Environment
The control environment is the “tone” of the organization and is the foundation for all other controls. Some of the factors that affect the control environment are the integrity, ethical values, morale, and competence of the entity’s employees; style of management; organizational structure; clear assignment of authorities, duties and responsibilities; the industry and business environment in which the organization operates; economic and regulatory events; and the attentiveness of governing bodies. One of the largest factors influencing the control environment in an organization is the “tone at the top”. This is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior.
Risk Assessment
All organizations and levels within an organization face a myriad of operating risks. Risks affect the organization’s ability to survive, successfully compete, maintain financial strength and positive public image, and to maintain the quality of services and products. This component therefore, deals with the organizations ability to set clear operating goals and objectives, identify risks that could impede achievement of those objectives, and to mitigate exposure to those risks to acceptable levels.
Control Activities
These are policies and procedures that have been put in place to ensure that management’s directives are carried out. This is the component that most people consider when they think of “internal controls”. Examples of control activities include reviews of performance and exception reports, approvals and authorizations of transactions, proper segregation of duties, physical safeguards, maintaining proper documentation to support financial transactions, reconciliations, IT Access and Security Controls, and information system controls (logs, check totals, etc.) Control activities should be established so as to mitigate identified risks as well as to achieve one of the three objectives under the COSO framework.
Information and Communication
This component concerns the way in which information is communicated throughout the organization. Communication is essential for achieving all three of the objectives outlined in the COSO framework.
Monitoring
All internal control systems and processes change over time. Some controls continue to evolve. However, some may lose effectiveness because they are no longer performed, are not consistently applied, or are applied incorrectly. This may be the result of training, staff turnover, lack of management response and attention to violations of control, time or resource constraints, or any number of other reasons. Because of this, controls must be monitored. This is typically done in two ways, on an ongoing basis and on a periodic basis. Ongoing monitoring is typically done during regular operations. Separate monitoring is typically performed by auditors, peer reviewers, or through self-assessments.