How is internal control best described as per the Committee of Sponsoring Organizations of the Treadway Commission?

What are Internal Controls?

Internal control as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a process, effected by an entity's board of directors (trustees), management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

They include a wide range of activities that occur throughout the organization, carried out by supervisory and front-line personnel. Typically, management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices.

Examples of Internal Controls

Segregation of Duties

When work duties are divided or segregated among different people to reduce the risk of error or inappropriate actions.

Physical Controls

When equipment, inventories, securities, cash and other assets are secured physically. This can occur through the use of locks, safes, or other environmental controls. Access is restricted to those with authority to handle them.

Reconciliations

Comparisons are made between similar records maintained by different people to verify that transaction details are accurate and that all transactions are properly recorded. Specific examples include:

  • Performing a reconciliation from bank statements to the check register/records.
  • Balancing/reconciling cash on hand to sales or transaction activity on the cash register totals.

Policies and Procedures

Established policies, procedures, and documentation that provide guidance and training to ensure consistent performance at a required level of quality. These should be available at all levels of the organization, both departmental and University/Organization-wide.

Transaction and Activity Reviews

Management reviews of transaction, operating, and summary reports help to monitor performance against goals and objectives, spot problems, identify trends, etc. Specific examples include:

  • Monthly review of budget statements against actual expenses.
  • Review of telecommunication call activity reports for personal or non-business related phone calls.
  • Review of timecards and overtime hours by employees.

Information Processing Controls

When data is processed, a variety of internal controls are performed to check the accuracy, completeness and authorization of transactions. Data entered is subject to edit checks or matching to approved control files or totals. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.
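The reconciliation and information-processing controls described above (edit checks against an approved control file, accounting for numerical sequences, a file total rolled forward from the prior balance and compared with the control account, and comparison against an independently maintained record such as a bank statement) can be run as a single batch check. The Python below is an added example, not code from this page or from COSO; the record layout, the approver list, the "CHK-" reference format, the opening balance and every transaction value are constructed for illustration, and the per-entry check that the preparer is not also the approver applies the Segregation of Duties item from earlier on the page.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    """One check-register entry. Field names and the reference format are assumptions."""
    seq: int            # pre-numbered transaction sequence
    amount: Decimal     # signed: receipts positive, payments negative
    prepared_by: str
    approved_by: str
    ref: str            # reference that should also appear on the bank statement


@dataclass
class ControlReport:
    edit_exceptions: list[str] = field(default_factory=list)
    sequence_gaps: list[int] = field(default_factory=list)
    duplicate_seqs: list[int] = field(default_factory=list)
    register_closing: Decimal = Decimal("0")
    control_total_ok: bool = False
    outstanding: list[str] = field(default_factory=list)   # in register, not on statement
    unrecorded: list[str] = field(default_factory=list)    # on statement, not in register
    amount_mismatches: list[str] = field(default_factory=list)

    def all_exceptions(self) -> list[str]:
        out = list(self.edit_exceptions)
        out += [f"sequence gap: {n} never recorded" for n in self.sequence_gaps]
        out += [f"sequence {n} recorded more than once" for n in self.duplicate_seqs]
        if not self.control_total_ok:
            out.append(f"register closing {self.register_closing} != control account")
        out += [f"outstanding (not yet on statement): {r}" for r in self.outstanding]
        out += [f"unrecorded (on statement, not in register): {r}" for r in self.unrecorded]
        out += [f"amount differs from statement: {r}" for r in self.amount_mismatches]
        return out


# Assumed "approved control file": the people authorized to approve an entry.
APPROVED_APPROVERS = {"bob", "dana"}


def edit_checks(t: Txn) -> list[str]:
    """Per-transaction edit checks: accuracy, authorization, segregation of duties."""
    problems = []
    if t.amount == 0:
        problems.append(f"seq {t.seq}: zero amount")
    if t.approved_by not in APPROVED_APPROVERS:
        problems.append(f"seq {t.seq}: approver {t.approved_by!r} not in approver control file")
    if t.prepared_by == t.approved_by:
        problems.append(f"seq {t.seq}: {t.prepared_by!r} prepared and approved the same entry")
    return problems


def account_for_sequence(txns: list[Txn]) -> tuple[list[int], list[int]]:
    """Every number from the first to the last used must appear exactly once."""
    seen = sorted(t.seq for t in txns)
    present = set(seen)
    gaps = [n for n in range(seen[0], seen[-1] + 1) if n not in present]
    dups = sorted({n for n in seen if seen.count(n) > 1})
    return gaps, dups


def run_controls(txns: list[Txn], opening: Decimal, control_account_closing: Decimal,
                 statement: dict[str, Decimal]) -> ControlReport:
    r = ControlReport()
    for t in txns:
        r.edit_exceptions.extend(edit_checks(t))
    r.sequence_gaps, r.duplicate_seqs = account_for_sequence(txns)
    # File total rolled forward from the prior balance and reconciled to the control account.
    r.register_closing = opening + sum((t.amount for t in txns), Decimal("0"))
    r.control_total_ok = r.register_closing == control_account_closing
    # Reconciliation against a record kept by someone else (the bank statement).
    by_ref = {t.ref: t.amount for t in txns}
    r.outstanding = sorted(set(by_ref) - set(statement))
    r.unrecorded = sorted(set(statement) - set(by_ref))
    r.amount_mismatches = sorted(ref for ref in set(by_ref) & set(statement)
                                 if by_ref[ref] != statement[ref])
    return r


# Constructed sample data (not real records). Entry 1004 is missing from the register
# but present on the statement, 1003 was self-approved, and 1005 is a zero-amount entry
# approved by someone outside the control file.
REGISTER = [
    Txn(1001, Decimal("250.00"), "alice", "bob", "CHK-1001"),
    Txn(1002, Decimal("-75.50"), "alice", "dana", "CHK-1002"),
    Txn(1003, Decimal("120.00"), "bob", "bob", "CHK-1003"),
    Txn(1005, Decimal("0.00"), "alice", "eve", "CHK-1005"),
]
BANK_STATEMENT = {
    "CHK-1001": Decimal("250.00"), "CHK-1002": Decimal("-75.50"),
    "CHK-1003": Decimal("120.00"), "CHK-1004": Decimal("-40.00"),
}
OPENING = Decimal("1000.00")
CONTROL_ACCOUNT_CLOSING = Decimal("1254.50")   # constructed: opening plus the bank's four items


def demo() -> ControlReport:
    return run_controls(REGISTER, OPENING, CONTROL_ACCOUNT_CLOSING, BANK_STATEMENT)


if __name__ == "__main__":
    for line in demo().all_exceptions():
        print(line)
```

On the constructed data the register closes at 1294.50 while the control account shows 1254.50; the 40.00 difference is exactly the unrecorded statement item CHK-1004, which the sequence check also flags as the gap at 1004. That is the point of running the controls together: the sequence gap, the control-total mismatch and the reconciliation difference each corroborate the others, so an entry that is removed or never posted surfaces on more than one report.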

The Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (originally published in 1992) has done more to improve organisational accountability than anything since Luca Pacioli invented double-entry bookkeeping in the early 1500s.

In 2013, COSO updated its Internal Control – Integrated Framework. As a result, there is a renewed focus on deterring, preventing and detecting fraud by organisations around the globe.

The Treadway Commission issued its groundbreaking report – Report of the National Commission on Fraudulent Financial Reporting – in October 1987 following a two-year study. The Commission was chaired by James C. Treadway, Jr., a former Commissioner of the Securities and Exchange Commission (SEC), and sponsored and funded by the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA) and the National Association of Accountants (now the Institute of Management Accountants (IMA)).

The Treadway Commission’s focus was on fraudulent financial reporting, as opposed to “unintentional errors” and “other corporate improprieties, such as employee embezzlements, violations of environmental or product safety regulations, and tax fraud, which do not necessarily cause the financial statements to be materially inaccurate”. This narrower focus was, in fact, justified, because, with very few exceptions (such as the 1995 collapse of the more than 200-year-old Barings Bank, caused by a mid-level derivatives trader named Nick Leeson), catastrophic frauds (frauds resulting in massive stakeholder losses and the demise of the organisation) in the 20th century resulted from fraudulent financial reporting rather than “other corporate improprieties”.

The Treadway Commission made 49 recommendations. These were grouped into four major categories. First were several recommendations for the public company (the tone at the top, internal accounting and audit functions, the audit committee, management and audit committee reports, the practice of seeking second opinions from independent public accountants and quarterly reporting). Next were recommendations for independent public accountants (fraud detection responsibilities, audit quality, communications and changing the process of setting audit standards). The Commission also made recommendations for the SEC and others to improve the regulatory environment (better sanctions and greater criminal prosecution, improved regulation of the public accounting profession, SEC resources, improved regulation of financial institutions, better oversight by state boards of accountancy and insurance and liability crises). The final group of recommendations was related to education (business and accounting curricula, professional certification examinations, continuing professional education, and five-year accounting programmes and corporate initiatives).

Most of the Commission’s recommendations have been implemented, although some were not addressed in earnest until after the unfortunate spate of major financial statement fraud cases in 2000 to 2002.

With the issuance of its report in October 1987, the Treadway Commission disbanded. COSO itself, however, carried on, and in 1992 published Internal Control – Integrated Framework (1992 Framework). The 1992 Framework’s focus was on the first set of Treadway recommendations related to tone at the top and better controls over accounting and financial reporting. The 1992 Framework fairly quickly became the globally recognised set of best practices for internal control. Every publicly traded company in the US and most other organisations around the world have embraced and adopted these COSO best practices.

Whether intentional or not, the emphasis of the 1992 Framework generally became accuracy in accounting and financial reporting, rather than fraud in accounting and financial reporting, per se. (The word ‘fraud’ appears just a few times in the several-hundred-page document.) In 2013 the COSO revamped and updated the Internal Control – Integrated Framework (2013 Framework), adding 17 principles to COSO’s five components of internal control. Principle 8 caught at least some COSO users by surprise – the organisation considers the potential for fraud in assessing risks to the achievement of objectives.

Some COSO users had already addressed fraud risk when designing internal controls. Many organisations, however, put basic controls in place without considering in very much detail how those controls could be intentionally circumvented. This new, explicit requirement pertaining to fraud created a demand for more guidance on how to proactively manage fraud risk. In response, COSO and the Association of Certified Fraud Examiners (ACFE) established a task force in 2015 to develop more detailed fraud risk management guidance. The task force used an earlier AICPA, IIA, and ACFE publication – Managing the Business Risk of Fraud, A Practical Guide – as its starting point. In September 2016, COSO and ACFE published the results of the task force’s efforts: the Fraud Risk Management Guide (FRMG).

The FRMG contains five principles, numerous appendices and links to practical fraud risk management tools. Principle one pertains to the control environment and governance: the organisation establishes and communicates a fraud risk management programme that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Appendices include sample materials that can be used to implement this baseline governance principle.

Principle two deals with the actual assessment of fraud risk: the organisation performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities and implement actions to mitigate residual fraud risks. The chapter on principle two explains how the comprehensive fraud risk assessment is carried out and documented.

Principle three focuses directly on how to design and implement fraud control activities: the organisation selects, develops and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. Heavy emphasis is placed on using data analytics to prevent or quickly detect fraudulent transactions and activities.

Principle four addresses information and communication: the organisation establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. Two key components of fraud risk management involve, firstly, establishing a robust system enabling and encouraging suspicions about fraud to be reported and, secondly, being ready to carry out a rigorous investigation of suspected fraud.

The final principle involves monitoring the entire fraud risk management process: the organisation selects, develops and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates fraud risk management programme deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

The five fraud risk management principles align with and can be mapped to the 2013 Framework’s five internal control components (control environment, risk assessment, control activities, information and communication and monitoring) and 17 principles. COSO users will find the structure and terminology used in the FRMG very familiar.

For those not sure that they need to address fraud risk management beyond what they already have as part of their existing internal control structure, there is an easy way to find out. The FRMG contains five ‘scorecards’. These scorecards list all of the attributes needed to fully address each principle. These can be used to self-assess how well an organisation’s current processes and procedures address fraud risk. Each attribute can be assessed as red (we have not considered this), yellow (we address this in part, but more can be done), or green (we have fully implemented this attribute). It does not take very long for organisations to conduct this self-assessment. If there is a lot of red on the scorecards, the organisation is vulnerable to fraud.

Arguably the COSO’s renewed focus on fraud risk management is long overdue. The 1992 Framework was a tremendous advancement in organisational accountability. The 2013 Framework brings COSO back to its fraud-focused roots. The 2016 FRMG provides the guidance needed to enable organisations to make themselves as fraud-proof as possible.

David L. Cotton is the chairman of Cotton & Company LLP. He can be contacted on +1 (703) 836 6701 or by email: .

© Financier Worldwide

How is internal control defined in the COSO framework?

COSO defines internal control as “a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement.

What are the four objectives of the Committee of Sponsoring Organizations of the Treadway Commission?

Four categories of business objectives:

  • Strategic: high-level objectives, policy alignment and supporting their mission.
  • Operations: effective and efficient use of your resources.
  • Reports: reliability of reports.
  • Compliance: compliance with applicable laws and regulations.

What is the Committee of Sponsoring Organizations and what is its purpose?

The Committee of Sponsoring Organizations' (COSO) mission is to help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence.

Who are the sponsoring organizations of COSO and what is COSO best known for doing?

COSO, the Committee of Sponsoring Organizations, is an advisory group that designs frameworks to help organizations with risk management issues. One of its most popular frameworks is the COSO framework for effective internal control.