What is a process designed to provide reasonable assurance regarding the achievement of company objectives related to operations reporting and compliance?

14 May 2013

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued its 2013 'Internal Control — Integrated Framework' and related illustrative documents.

Originally issued in 1992, the Framework helps organisations design, implement, and evaluate the effectiveness of internal controls. The updates to the Framework are intended to clarify internal control concepts and simplify their use and application.

One of the most significant changes COSO made in the 2013 Framework was to codify into principles the internal control concepts introduced in the original Framework.

The Framework defines internal control as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Consistent with the above definition, the Framework outlines three categories of objectives to allow a focus on differing aspects of internal control: operations objectives, reporting objectives and compliance objectives. The reporting objectives "pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies". The reference to "internal and external financial and non-financial reporting" is broader than the previous framework, which focused on published financial statements.

The 1992 Framework will remain available during the transition period, which ends December 15, 2014, after which time COSO will consider it superseded.

Along with the 2013 Framework, COSO also issued today Illustrative Tools for Assessing Effectiveness of a System of Internal Control and Internal Control Over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples.

Additional information and resources, including an executive summary of the 2013 Framework, an FAQ document, and slides, are available on COSO’s website.

WHAT DOES COSO STAND FOR?

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a COSO Framework for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. 

WHAT IS THE COSO FRAMEWORK?

The COSO model defines internal control as “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories”:

  • Operational Effectiveness and Efficiency
  • Financial Reporting Reliability
  • Applicable Laws and Regulations Compliance

In an effective internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives:

  1. Control Environment
     • Exercise integrity and ethical values.
     • Make a commitment to competence.
     • Use the board of directors and audit committee.
     • Facilitate management’s philosophy and operating style.
     • Create organizational structure.
     • Issue assignment of authority and responsibility.
     • Utilize human resources policies and procedures.
  2. Risk Assessment
     • Create companywide objectives.
     • Incorporate process-level objectives.
     • Perform risk identification and analysis.
     • Manage change.
  3. Control Activities
     • Follow policies and procedures.
     • Improve security (application and network).
     • Conduct application change management.
     • Plan business continuity/backups.
     • Perform outsourcing.
  4. Information and Communication
     • Measure quality of information.
     • Measure effectiveness of communication.
  5. Monitoring
     • Perform ongoing monitoring.
     • Conduct separate evaluations.
     • Report deficiencies.

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels across the company. The entire system of internal control is monitored continuously, and problems are addressed in a timely manner.

What is a reasonable assurance?

“Reasonable Assurance” is an unemployment insurance term that indicates a school employee has a contract (written or implied) that indicates they will likely be employed for the following school year, term, or remainder of a school term.

What is the reasonable assurance that internal control provides?

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance:

  • That information is reliable, accurate and timely.
  • Of compliance with applicable laws, regulations, contracts, policies and procedures.

What is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance?

Internal control is a process, effected by those charged with governance, management, and other employees, designed to provide reasonable assurance regarding the achievement of the entity's objectives relating to operations, reporting, and compliance.

What are the 3 objectives of an entity where internal controls are designed to provide reasonable assurance?

Internal control is geared to the achievement of objectives in several overlapping categories. Internal control can be expected to provide only reasonable assurance to an institution's leaders regarding achievement of operational, financial reporting, and compliance objectives.