Meaning of internal control system

Encyclopedia of Business and Finance, 2nd ed.
COPYRIGHT 2007 Thomson Gale

Internal control can be described as any action taken by an organization to help enhance the likelihood that the objectives of the organization will be achieved. The definition of internal control has evolved as different internal control models have been developed. This article will describe these models, present the definitions of internal control they provide, and indicate the components of internal control. Various parties responsible for and affected by internal control will also be discussed.

THE COSO MODEL

In the United States many organizations have adopted the internal control concepts presented in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Published in 1992, the COSO report defines internal control as:

a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations

COSO describes internal control as consisting of five essential components. These components, which are subdivided into seventeen factors, include:

1. The control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

The COSO model is depicted as a pyramid, with the control environment forming a base for control activities, risk assessment, and monitoring. Information and communication link the different levels of the pyramid. As the base of the pyramid, the control environment is arguably the most important component because it sets the tone for the organization. Factors of the control environment include employees' integrity, the organization's commitment to competence, management's philosophy and operating style, and the attention and direction of the board of directors and its audit committee. The control environment provides discipline and structure for the other components.

Risk assessment refers to the identification, analysis, and management of uncertainty facing the organization. Risk assessment focuses on the uncertainties in meeting the organization's financial, compliance, and operational objectives. Changes in personnel, new product lines, or rapid expansion could affect an organization's risks.

Control activities include the policies and procedures maintained by an organization to address risk-prone areas. An example of a control activity is a policy requiring approval by the board of directors for all purchases exceeding a predetermined amount. Control activities were once thought to be the most important element of internal control, but COSO suggests that the control environment is more critical since the control environment fosters the best actions, while control activities provide safeguards to prevent wrong actions from occurring.

Information and communication encompasses the identification, capture, and exchange of financial, operational, and compliance information in a timely manner. People within an organization who have timely, reliable information are better able to conduct, manage, and control the organization's operations.

Monitoring refers to the assessment of the quality of internal control. Monitoring activities provide information about potential and actual breakdowns in a control system that could make it difficult for an organization to accomplish its goals. Informal monitoring activities might include management's checking with subordinates to see if objectives are being met. A more formal monitoring activity would be an assessment of the internal control system by the organization's internal auditors.

OTHER CONTROL MODELS

Some users of the COSO report have found it difficult to read and understand. A model that some believe overcomes this difficulty is found in a report from the Canadian Institute of Chartered Accountants, which was issued in 1995. The report, Guidance on Control, presents a control model referred to as Criteria of Control (CoCo). The CoCo model, which builds on COSO, is thought to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization's objectives, center around:

• Effectiveness and efficiency of operations
• Reliability of internal and external reporting
• Compliance with applicable laws and regulations and internal policies

CoCo indicates that control comprises:

those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization's objectives.

CoCo model recognizes four interrelated elements of internal control, including purpose, capability, commitment, and monitoring and learning. An organization that performs a task is guided by an understanding of the purpose (the objective to be achieved) of the task and supported by capability (information, resources, supplies, and skills). To perform the task well over time, the organization needs a sense of commitment. Finally, the organization must monitor task performance to improve the task process. These elements of control, which include twenty specific control criteria, are seen as the steps an organization takes to foster the right action.

In addition to the COSO and CoCo models, two other reports provide internal control models. One is the Institute of Internal Auditors Research Foundation's Systems Auditability and Control (SAC), which was issued in 1991 and revised in 1994. The other is the Information Systems Audit and Control Foundation's C OBI T (Control Objectives for Information and Related Technology), which was issued in 1996.

The Institute of Internal Auditors issued SAC to provide guidance to internal auditors on internal controls related to information systems and information technology (IT). The definition of internal control included in SAC is:

a set of processes, functions, activities, sub-systems, and people who are grouped together or consciously segregated to ensure the effective achievement of objective and goals.