Internal control - integrated framework: a landmark study. (Cover Story)
By Richard M. Steinberg and Frank J. Tanki
The subject of internal control has long been an important part of the discussion on financial reporting. Yet, whenever the subject comes up, the tone, and even the language of the discussion varies greatly with the participants. When financial executives say internal control, they mean something different from what regulators and legislators mean. The same holds true for internal auditors, academics, or external auditors.
Not only has there been no common agreement on how to define internal control, there has been no standard which entities can consult to determine whether their own internal control systems are effective. Over the years, these deficiencies contributed a good deal to the confusion surrounding this important aspect of the managing process.
In 1987, the National Commission on Fraudulent Financial Reporting (more commonly known as the Treadway Commission) recognized the seriousness of the issue. The commission called upon its five sponsors to work together to integrate and reconcile the conflicting internal control concepts into a common conceptual framework. A number of separate and unrelated events have underscored the importance of such a framework. In 1991, Congress passed the Federal Deposit Insurance Corporation Improvement Act requiring management of large financial institutions under FDIC oversight to issue annual reports on the effectiveness of their internal control systems. That same year, the U.S. Sentencing Commission adopted guidelines for use in assessing criminal penalties for so-called "white collar" crimes. These new guidelines permit significant reductions in penalties for entities that have in place an effective system for detecting and preventing violations of law. Finally, there have been various legislative and regulatory proposals for broad-based management reporting on internal control, and it is likely one or more such proposals may resurface. These events point to the need for consensus on internal control.
In September 1992, after more than three years of study and literally thousands of hours of research and discussion with corporate leaders, legislators and regulators, auditors, academics, outside directors, lawyers, and consultants, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control - Integrated Framework. COSO and its Project Advisory Council commissioned Coopers & Lybrand to conduct the study and write the report and provided continuing oversight and guidance. The report presents a common definition of internal control to meet the needs of diverse users and provides a framework against which entities can assess and improve their internal control systems.
The report is significant in several respects. One is the cooperative nature of the project: the sponsors represent a wide range of special, and sometimes opposing, interests that came together to take pre-emptive action to solve a common problem. Another noteworthy feature is the comprehensive nature of the report, which synthesizes input from hundreds of participants, and reflects the results of lengthy analysis and comprehensive due process.
The resulting report offers a foundation and a structure that in all likelihood will be amplified and embellished over time, as circumstances warrant. When viewed from this perspective, the COSO report looks similar in scope to the early standards for generally accepted accounting principles.
Internal Control - Integrated Framework represents a milestone in the evolution of how to assess the effectiveness of internal controls related not only to financial reporting but to business operations generally. For these reasons, the report is of interest and relevance to anyone engaged in the management of an entity. Likewise, it should be of value and use to independent public accountants, whether as a means for fulfilling their attestation responsibilities when reporting on internal control or advising clients on improving their operations.
The first objective of the project was to develop a common definition that would serve the needs of all parties. The definition originally presented in an exposure draft was debated for many months and, as a result, evolved over time. The final definition describes internal control as a process that is carried out by an entity's board of directors, management, and other personnel for the purpose of gaining reasonable assurance of achieving objectives in three broad areas relating to-
1. Effectiveness and efficiency of operations. An entity's basic business objectives, including performance and profitability and safeguarding of resources;
2. Financial reporting. The reliability of published financial statements, including, where applicable, interim and condensed financial statements and financial data selected from same; and
3. Compliance. Compliance with laws and regulations to which the entity is subject.
Underpinning this definition are several fundamental concepts. First, as a process, internal control is a means to an end, not an end in itself. Second, internal control is affected by people. Third, internal control can provide reasonable assurance but is not a guarantee. And finally, it is geared to achieving objectives in one or more separate but overlapping categories. It goes well beyond financial reporting to include all the controls that help management run the enterprise.
This framework provides a benchmark for assessing internal control. Overall, it should help an entity's management gain firmer control over an organization's activities. The components that comprise the process of internal control apply to all entities. While small and mid-size companies may implement the components differently than large companies, the same principles apply.
According to the report, five interrelated components comprise internal control: 1) the control environment, 2) risk assessment, 3) control activities, 4) information and communication, and 5) monitoring. These components are linked with the manner in which management operates its business and are integral to the managing process. Each is linked to and interrelates with the others, not in a linear or serial fashion, but as a multidirectional, iterative process. Because organizations' internal control needs differ - depending upon size, management philosophy, industry, and culture - no two enterprises will have identical control systems. Furthermore, internal control systems operate on different levels of effectiveness, depending on the entity, and at different times. A system covering one or more of the three broad areas - operations, financial reporting and compliance - can be deemed "effective" when an entity's board of directors and management have reasonable assurance that:
* They understand the extent to which operational objectives are being met,
* Published financial statements are being prepared reliably, and
* Applicable laws and regulations are being observed.
The process permits directors and management to examine one, two, or all three areas, depending on their focus.
Although internal control is an ongoing process, judgments concerning effectiveness occur at a point in time and are subjective. In order to conclude a system is effective, all five components must be present.
Control Environment. The control environment defines the tone of an organization and the way it operates. As such, it is the foundation for all other components of internal control, providing both discipline and structure. Organizations with effective control environments set a positive "tone at the top," hire and retain competent people, and foster integrity and control consciousness. They set formalized and clearly communicated policies and procedures, resulting in shared values and teamwork.
The control environment is influenced by an entity's history and culture, and conversely, it influences the control consciousness of its people. The factors that make up the control environment include the integrity, ethical values, and competence of the people in the organization; the manner in which management assigns authority and responsibility and the way in which it organizes and develops its human resources; and the attention and direction provided by the board of directors.
These characteristics should be present in small companies, although they may be more apparent in the actions and attitudes of the owner or CEO rather than in formal documents and written procedures.
Risk Assessment. Risk assessment is the process through which management decides how it will deal with the risks that pose a threat to achieving its objectives. This exercise entails identifying risks and analyzing their likelihood and impact. Since there is no practical way to eliminate all risk, management must decide how much risk it is willing to tolerate and determine how those tolerance levels can be maintained.
All entities encounter risk, both within and outside of their organizations. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with risks resulting from such change. However, for this process to function, it must be preceded by the setting of objectives that moves the entity toward a certain direction or goal. While this objective setting process is not a formal part of the internal control process, it is an important prerequisite.
In smaller organizations, risk assessment is likely to be less formal and structured, though no less important. Smaller organizations should have clear objectives, though they may be more implicit than explicit. In the case of smaller entities, the heads of such organizations may rely more on face-to-face contact and direct interaction for the risk assessment phase rather than on formal written reports from subordinates. Nevertheless, risk assessment is just as vital an internal control component for small entities as for large ones.
Control Activities. Control activities are the policies and procedures put in place to assure management's directives are carried out. Such activities permeate the entire organization, at all levels and in all functions, and include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Essentially these activities can be grouped by the three categories of objectives to which they relate: operations, financial reporting, and compliance. However, they often overlap and interrelate. Regardless of the activity, it rests solidly upon a foundation of people, because it is people who carry out these activities.
Again, these activities are likely to be less formal or structured in smaller organizations, and in some cases, there may be no need for certain activities due to the direct involvement of the manager, owner, or CEO. Nevertheless, the concepts that underpin these activities must exist to provide a system of checks and balances necessary for effective internal control.
Information and Communication. Systems for capturing and communicating relevant information in a timely manner are an essential component of the internal control process. These systems are essential to running an enterprise because they produce reports containing operational, financial, and compliance information. They contain internally generated data as well as information about external events, developments, and conditions required for informed decisions.
There must also be clear and open channels of communication that allow information to flow through an organization. These channels must reinforce the message to all personnel that internal control responsibilities are a priority and must be taken seriously. In addition, these communications channels should make each individual's role in the internal control system clear, as well as provide an understanding of how those activities relate to the work of others in the organization. These systems must provide a means for moving important information to the very top of the organization and for receiving inputs from external sources.
Smaller organizations may have an advantage with this component because there is greater opportunity for face-to-face discussion among personnel and between staff and management. At the same time, the ability to monitor external developments often depends on the interest and ability of the CEO to do so. While the systems for communication may be simpler in a small enterprise, they are no less significant.
Monitoring. The rapid pace and rate of change requires evaluating all systems - and particularly, internal control systems - to ensure that they are performing as intended. Such monitoring can be accomplished in two ways: through ongoing monitoring, which occurs during normal operations, and separate evaluations by management, often with the assistance of the internal audit function. The degree of ongoing monitoring lessens the need for separate evaluations. When deficiencies in internal control are discovered, they should be reported immediately to higher echelons in the organization, including management, and, for very significant matters, the board of directors, and appropriate remedial action undertaken. Although management should obtain input from third parties, such as the external auditor, parties external to the entity are not part of the internal control system.
Not a Panacea
The COSO report sounds a warning against promoting internal control as a panacea for all business problems - that is, the notion that effective internal control means that the entity will achieve its operational, financial reporting, and compliance objectives. In a chapter devoted solely to a discussion of the limitations of internal control, the report explains that internal control, no matter how well designed and operated, can provide only reasonable assurance to management and the board of directors regarding achievement of an entity's objectives. The limitations inherent in all internal control systems affect the likelihood of achievement. Chief among these can be simple human error or faulty judgments. In addition, controls can be circumvented through collusion and well-planned fraud. All of these factors must be viewed within the context of a cost-benefit relationship, so that entities are not burdened by excessive and expensive control systems that provide little extra benefit or are counterproductive. Instead, a balance must be achieved.
Roles and Responsibilities
The COSO report urges that all participants in the internal control process understand their roles and responsibilities. While everyone in the organization has some responsibility for internal control, it is management and the chief executive, in particular, that have primary responsibility for the internal control system. The other roles laid out in the report are -
* Financial and accounting officers are central to the way management exercises control; but all management personnel play important roles, especially in controlling their own unit's activities.
* Internal auditors contribute to the ongoing effectiveness of the internal control system; but they do not have the primary responsibility for establishing or maintaining it.
* The board of directors oversees the internal control system.
* External parties, such as auditors, often provide information useful to effective internal control.
The report, already referred to as a landmark, results in a number of significant accomplishments:
* Creating a foundation of mutual understanding to improve communications on the subject among interested parties;
* Advancing corporate governance by delineating the responsibility each party plays in maintaining and assessing internal controls;
* Enabling legislators and regulators to gain a deeper understanding, not only of the purpose and benefits of internal controls, but also of their limitations;
* Moving the concept of internal controls from narrow, technical terms of financial reporting to include the broad aspects of business operations and compliance;
* Establishing a standard against which all organizations, regardless of size, industry, or purpose, can measure their internal control systems; and
* Giving managers and independent public accountants related tools, in the form of illustrative checklists, that can be useful in evaluating internal control systems.
Although the report represents the culmination of a major study involving thousands of hours, it really marks the beginning of a new and important focus on internal control - both conceptual and practical. In the time since this study began, the authors have had several opportunities to apply the framework to real situations. In each case, the framework provided not only the basis for determining weaknesses, but also direction for effective remedial action. Managements in various industries have embraced the concepts in the report. They recognize and appreciate that these concepts over time will contribute to more effective operations and improved corporate governance.
Frank J. Tanki, CPA, and Richard M. Steinberg, CPA, served as engagement partner and project partner, respectively, directing the Coopers & Lybrand team that conducted the COSO study and developed the report.
Mr. Tanki is partner in charge of C&L's New York office business assurance services. He is a past member of the AICPA auditing standards board and its task force on reporting on internal control.
Mr. Steinberg, a partner in C&L's national office, was co-chairman of the AICPA's task force that developed the SAS 55 audit guide and chaired the task force on consideration of internal control in a computer environment.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.