THE CPA IN INDUSTRY

March 2000

THE COMPONENTS OF A COMPREHENSIVE FRAMEWORK OF INTERNAL CONTROL

By Mary B. Curtis and Frederick H. Wu

Internal control, in the accounting community, is typically defined rather narrowly as a tool to promote reliable financial reporting. However, in the business world, accurate financial reporting is but one component of a greater objective: developing and maintaining a competitive advantage. Other components may include cost and product leadership, quality, and speed of delivery, among others. Internal control can be a useful tool for achieving and extending all of these goals; however, its broader application necessitates a coherent framework for the design and evaluation of applicable internal control systems.

The theory of internal control has undergone major reappraisals and changes during the last decade. These changes began in 1988, when the AICPA issued SAS No. 55, which describes internal control in terms of its three major components: control environment, accounting system, and control procedures. Four years later, the Committee of Sponsoring Organizations (COSO) issued Internal Control: Integrated Framework, in which internal control was characterized as five components: control environment, control activities, risk assessment, information and communication, and monitoring. At the same time, the concept of internal control evolved from a "structure" to a "process," making it both broader and more dynamic. Subsequently, in 1995, the AICPA adopted COSO's definition and five components of internal control and issued SAS No. 78 to supplement SAS No. 55.

The Institute of Internal Auditors issued the Systems Auditability and Control Report in 1991, providing control guidance for information technology (IT). A framework was proposed for the discussion of risks, control procedures, and audit considerations related to IT. Finally, in 1995, the Information Systems Audit and Control Association, after a comprehensive examination of previous studies of internal control, published a collection of materials called CobiT Audit Guidelines, revised in 1998. CobiT Audit Guidelines provides a framework for evaluating control objectives in information systems and technologies.

With these various pronouncements on internal control by the professional organizations, a synthesis of major interpretations of the concept of internal control appears to be desirable.

COSO: Internal Control, Integrated Framework

COSO's Internal Control: Integrated Framework defines internal control as--

a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

* Effectiveness and efficiency of operations.
* Reliability of financial reporting.
* Compliance with applicable laws and regulations.

This definition stresses several key concepts such as "process," "reasonable assurance," and the "objectives" of internal control. Internal control is a process because it is to be planned, executed, and monitored by the board of directors and management of an entity as a part of the management process and because it is the sum of a series of actions that permeate an entity's business processes. Internal control can provide only reasonable, not absolute, assurance regarding the achievement of an entity's objectives. An entity's objectives for internal control include not only reliability of financial reporting and compliance with applicable laws and regulations, but also effectiveness and efficiency of operations. The former focuses on the fair presentation of financial information regarding an entity's financial condition, results of operations, and cash flows, while the latter aims at an entity's profitability and survival.

SAS Nos. 55 and 78

SAS No. 78 amends SAS No. 55 by replacing its definition and description of the internal control structure with that prescribed in the COSO report. The exception is that, while COSO tends to refer to all information systems, operational as well as financial, SAS No. 78 emphasizes only those systems and controls relevant to financial reporting objectives. Basically, SAS No. 78 adopts COSO's definition and five components, which expand upon and replace SAS No. 55's three elements of internal control. COSO's five components--control environment, information and communication, control activities, risk assessment, and monitoring--give a greater understanding to those trying to make operational the concepts in an effective system.

The control environment component sets the tone of the organization and is the foundation for all other components of internal control, providing discipline and structure and influencing the control consciousness of its people. Control environment factors include management's philosophy and operating; the way management assigns authority and responsibility and organizes and develops its people; the attention and direction provided by the board of directors; and the integrity, ethical values, and competence of the entity's employees.

The communication and information component refers to the accounting systems relevant to financial reporting objectives. COSO's broader concept of information and communication, however, encompasses systems that not only deal with internally generated data, but also external events, activities, and conditions necessary for informed business decision-making and external reporting. Information must be effectively communicated to all levels of management so that an entity's control objectives can be accomplished.

Control activities, similar to control procedures as defined in SAS No. 55, refers to "the policies and procedures that help ensure management directives are carried out." They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.

The two components new to SAS No. 78 are risk assessment and monitoring. Risk assessment in SAS No. 78 narrowly refers to the organization's process of identifying potential risks to its financial reporting objectives, whereas COSO's definition refers to all the risks an entity faces, encouraging mechanisms to identify, analyze, and manage the risks related to its sales, production, marketing, financial, and other activities. Monitoring, according to SAS No. 78, is the process of assessing the quality of internal control performance over time. COSO's definition refers to coordinating the entire internal control process, which must be modified and changed as conditions warrant.

Systems Auditability and Control Report (SAC)

The SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994) defines internal control as a means to provide reasonable assurance that the overall objectives of the organization are achieved in an efficient, effective, and economical manner. The system of internal control is described as a set of processes, functions, activities, subsystems, procedures, and organization of human resources that provides reasonable assurance that the organization's goals are achieved and risk is acceptable. Despite this rather broad definition, the SAC Report itself deals only with those objectives impacted by the organization's information systems. These include integrity of information used for decision-making purposes, the security and protection of the organization's IT assets, and compliance with internal and external procedures and regulations.

SAC shares the key concepts of "process," "reasonable assurance," and "objectives" with the COSO report, although its framework harks back to SAS No. 55 with its components of control environment, manual and automated accounting systems, and control procedures. The control environment includes organization structure, control framework, organization policies and procedures, and external influences. Manual and automated systems include all the ways in which an organization's business information is processed, reported, stored, or transferred. Control procedures include general IT controls, application controls, and compensating controls. Risk assessment and monitoring are discussed extensively in the report but not explicitly defined. Thus, the SAC Report is very similar to COSO, with the focus primarily on information, and secondarily on the organizational competitive advantage.

Control Objectives for Information and Related Technology (CobiT)

As the product of the CobiT Steering Committee and the Information Systems Audit and Control Foundation, CobiT aims to bridge the gap that exists between business control models and the more focused control models for IT.

CobiT provides two control concepts: control and IT control. The concept of control is adapted from the COSO report and defined as "the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected." This makes CobiT's "control" equivalent to COSO's "internal control." However, control objectives under CobiT are defined in a process-oriented manner following the principle of business reengineering. This type of control is exercised at the domain and process level. The "IT control" concept is adapted from the SAC Report and defined as "a statement of the desired results or purpose to be achieved by implementing control procedures in a particular IT activity." This control is exercised at the IT activity level.

The CobiT IT domain consists of four parts: planning and organization, acquisition and implementation, delivery and support, and monitoring. IT processes, 34 in all, are identified within each of the four domains. Consequently, activities within processes are also identified--activities dealing with day-to-day IT routines. The central control objective is to link IT domains, processes, and activities to the entity's operational processes and activities. The IT objective is basically to facilitate the accomplishment of business objectives. Business objectives are referred to as "business requirements for information" and include the following:

* Quality requirements (quality, cost, and delivery)
* Fiduciary requirements, as defined by COSO (effectiveness and efficiency of operations, reliability of information, and compliance with laws and regulations)
* Security requirements (confidentiality, integrity, and availability).

Thus, CobiT's control objectives go beyond the business objectives defined by COSO or SAS Nos. 55 and 78.

Implications

First, all control objectives are the concern of the business entity's management, including IT management. In particular, top management must address the highest-level control objective of competitive advantage by means of operational efficiency and effectiveness, unique products and services, or high quality and speedy delivery of products and services. Needless to say, top management is responsible for the entity's system of internal control to ensure reliable financial reporting and compliance with applicable laws and regulations.

Second, IT management must address its objective of supporting and facilitating the achievement of top management's control objectives by planning, acquiring, maintaining, and monitoring information systems and IT. In this regard, IT strategies should serve to enable the successful implementation of the entity's business strategies.

Third, in performing operational audits, internal auditors generally look at business processes regarding the level of efficiency and effectiveness. If, however, they are performing systems audits, they must review controls in the systems inside and outside of the entity, predictive models, the strategic planning processes in business, and nonfinancial applications to facilitate process reengineering.

Finally, reliable financial reporting and compliance with application laws and regulations are the control objectives of most concern to the external auditor. Operational efficiency and effectiveness may be the external auditor's concern only if they materially affect the reliability of financial reporting or distort the financial picture of the business entity. This is a big "if" to auditors, because most corporate bankruptcies in the past were fundamentally due to operational inefficiency and ineffectiveness rather than the reliability of financial reporting. *