I am in the process of reviewing and commenting on the latest set of draft guidance from COSO. (You may have seen my
post on their SOX guidance; I am still waiting for someone to tell me that I am wrong in my assessment).
The core of the internal controls guidance is, in my opinion, how you assess the adequacy of the system of internal control.
In this post, I am going to review the process I follow in assessing the system of internal control. I will include references to the latest version of the draft framework, but the purpose of this post is not to comment on how the assessment of internal control is handled in the draft: it is to set the basis for such a commentary.
Let's start with the definition of internal control. While I realize some disagree with the COSO definition, it's certainly a good place to start (¶ refers to the paragraph number in the COSO draft):
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. (¶14)
From this, we can derive what constitutes an effective system of internal control. While it is pretty obvious, I will refer again to an excerpt from the COSO draft:
An effective system of internal control provides reasonable assurance regarding achievement of an entity's objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. (¶86)
There are two keys to this:
- Controls provide reasonable assurance that risks are reduced to an acceptable level, and
- Only reasonable assurance can be achieved because:
  - As COSO explains, in the original draft and in the updated one, the system of internal control is subject to human error and susceptible to collusion
  - Objectives may be poorly defined
  - The identification and assessment of risks to the achievement of objectives is subject to error
This is a critical point: The system of internal control does not provide assurance directly on the achievement of objectives. It provides assurance that risks to the achievement of objectives are acceptable.
So, there is always a risk, which management and the board have accepted, that objectives will not be met.
Another key point is this: If there are too many controls, then the objective of efficient operations is not met!
So while it is important to consider effectiveness, it is also important to consider efficiency.
The bottom line is this: "An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories". (¶86)
In order to achieve this, you need:
- Clearly defined objectives
- A well-executed risk assessment that defines the risks to achievement of objectives
- Definition (which is preferably formal) of the level of risk that management and the board are willing to accept
- A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels
- An efficient combination of controls
So, what do you think? Do you agree or disagree?
I will review in a later post how the COSO draft handles the topic.