One of the widely used definitions of internal control is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Under the COSO Internal Control-Integrated Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories at the organizational level: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure that the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes.
COSO defines internal control as having five components:
- Control Environment: sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
- Risk Assessment: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
- Information and Communication: systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Control Activities: the policies and procedures that help ensure management directives are carried out.
- Monitoring: processes used to assess the quality of internal control performance over time.
The COSO definition relates to the aggregate control system of the organization, which comprises many individual control procedures.
Discrete control procedures, or controls, are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control's impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics – for example, they can be: automated or manual; reconciliation; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."
Roles and responsibilities in internal control
According to the COSO Framework, everyone in an organization has some degree of responsibility for internal control. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. All personnel should also be responsible for communicating upward any problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:
Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. To provide reasonable assurance that the internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the CPAs), regardless of whether the CPAs are required to opine on the internal controls of the company.