Which of the following components of internal control include the set of standards processes and structures that provide the basis for carrying out internal control?

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a COSO Framework for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. 

WHAT IS THE COSO FRAMEWORK?

The COSOmodel defines internal control as “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories:

• Operational Effectiveness and Efficiency
• Financial Reporting Reliability
• Applicable Laws and Regulations Compliance

In an effective internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives:

1. Control Environment

• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the board of directors and audit committee.
• Facilitate management’s philosophy and operating style.
• Create organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.

1. Risk Assessment

• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.

1. Control Activities

• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.

1. Information and Communication

• Measure quality of information.
• Measure effectiveness of communication.

1. Monitoring

• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels across the company. The entire system of internal control is monitored continuously, and problems are addressed timely.

KnowledgeLeader offers a number of resources on COSO, including the items listed below. Explore the website for additional knowledge on this topic.

Entity-Level Controls Risk Assessment Questionnaire
Entity-Level Controls Fraud Questionnaire
Entity-Level Controls Environment Questionnaire

Elements of Internal Control

Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgement resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control Environment

The control environment, as established by the organization's administration, sets the tone of an institution and influences the control consciousness of its people. Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:

• Integrity and ethical values;
• The commitment to competence;
• Leadership philosophy and operating style;
• The way management assigns authority and responsibility, and organizes and develops its people;
• Policies and procedures.

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior.

The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage. Risks can pertain to internal and external factors. After risks have been identified they must be evaluated.

Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy. All policies must be implemented thoughtfully, conscientiously and consistently.

Information and Communication

Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.

Monitoring

Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance.

The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported immediately to top administration and governing boards.

Internal control systems change over time. The way controls are applied may evolve. Once effective procedures can become less effective due to the arrival of new personnel, varying effectiveness of training and supervision, time and resources constraints, or additional pressures. Furthermore, circumstances for which the internal control system was originally designed also may change. Because of changing conditions, management needs to determine whether the internal control system continues to be relevant and able to address new risks.

What are the 5 components of internal control?

What are the components of internal control structure?

Which of the following components of internal control would be considered the foundation for the other components?

Which one of the following components of internal control over financial reporting sets the tone for the organization?