Читать книгу Internal Control Audit and Compliance - Graham Lynford - Страница 9

The COSO Framework identifies five main components of internal control, and one of the keys of working with it is to understand how these components relate to and influence one another. COSO envisions these individual components as being tightly integrated in a nonlinear fashion. Each component has a relationship with and can influence the functioning of every other component, operating in an almost organic way.

The five interrelated components of the COSO Framework are, briefly:

1. Control environment. Senior management must set an appropriate tone at the top that positively influences the control consciousness of entity personnel. The control environment is the foundation for all other components of internal controls and provides discipline and structure.

2. Risk assessment. The entity must be aware of and deal with the financial reporting risks it faces. It must set objectives, integrated throughout its activities, so that the organization is operating in concert. Once these objectives are set, the entity is in a better position to identify the risks to achieving those objectives and to analyze and develop ways to manage them.

3. Control activities. Control policies and procedures must be established and executed to help ensure transactions being processed on a day-to-day basis, such as sales and expense transactions, or on a periodic basis, such as accruals and consolidations, are resulting in complete and accurate accounting recognition.

4. Information and communication. Surrounding the control activities are information and communication systems, including the accounting system. Whether manual or most likely today implemented using automated (computer) systems, they enable the entity's people to capture and exchange the information needed to conduct, manage, and control its operations. The information and communication component is comprised of both internal (e.g., management, governance) and external communications (e.g., shareholders, prospective investors, or creditors).

5. Monitoring. The COSO Framework identifies monitoring as the responsibility of management. The auditor is not a part of the entity's system of internal control. The entire company control process should be monitored on a regular basis by management, and issues that arise should be communicated appropriately within the organization. In this way, the system should be in a position to react dynamically, as changing as conditions warrant, and not require that special procedures or independent audit procedures detect these problems. The company is expected to be proactive in identifying and correcting control deficiencies.

Figure 1.1 is from the 1992 COSO Integrated Framework report. It depicts these five elements of internal control and their interrelationships in a 3-sided pyramid, with the control environment as the base.

Figure 1.1 COSO Framework

Note that the information and communication component is positioned along the edge of the pyramid structure, indicating that this component has close linkages to the other components. It probably would be even more accurate if the component were depicted as affecting all other ones, including control environment and monitoring, as it is difficult to envision these components being effective without effective information and communication.

Historically, the auditing literature has pictorially described the COSO Framework in the shape of a cube (see Figure 1.2). This representation shows that controls can affect the entity either on an entity-wide basis or specifically on a divisional, regional or product line basis. The 2013 revision changed the “cube” and placed the control environment at the top of the cube. The strong hierarchical image of the pyramid and its strong base is somewhat lost in this representation, but for complex entities with multiple product lines or locations, the cube works well.

Figure 1.2 COSO Framework II

While both models have advantages, whatever the model used to communicate the Framework, it is helpful to have some physical representation of the Framework as a training tool and as a reminder of the components when initiating a project or bringing new personnel into an existing project. In the early days of Sarbanes-Oxley (SOX) implementation, some creative ways were developed to etch the components firmly in the auditor's mind. A unique product was a pen that revealed a new component each time the ballpoint pen point was retracted or extended.

A blessing of the COSO Framework is that together the five components seem to be satisfactory in describing the broad sources of internal control issues. The corresponding curse is that it is sometimes difficult to determine where specific facts and controls fall within the framework. While it would be nice if a one-to-one relationship existed between processes and controls and the Framework components, that is not the case. Entities can and did make their own decisions where controls belonged under the 1992 Framework. The focus and 17 Principles in the 2013 Framework will reduce the variability in classifying controls within the Framework going forward.

For example, the 1992 COSO Framework report contained only passing mention of information technology (IT). Can we cleanly assign IT to just one component? Clearly there is a linkage to the control activities component since automated accounting processes and controls depend on the IT being effective. In another sense, IT is important to information and communication, which relies on data in company databases being accurate and complete. And it is hard to imagine running a business or performing the governance function effectively without accurate and timely financial data, so failures of IT can also impact the control environment. The fact is that IT has a pervasive effect on many aspects of the controls assessment and does not fit neatly into only one of the component categories. However, IT General Controls are now a specific principle to be satisfied (Principle 11).

Another example is fraud risk. There is now a principle (Principle 8) of risk assessment directed to assessing management's implementation of antifraud programs and controls. However, fraud risk can also be associated with the control environment, because of the risk of management override of controls. Fraud can be associated with transaction processing (a control activity) such as cash disbursements. So, prior to the recent guidance, it was not so clearly assigned to one component.

The point here is that while some topical issues fall neatly within a COSO component, there are control issues that may potentially affect many other components. That is also a reason that the new guidance stresses the interrelationship of controls and control deficiencies. One deficiency can touch several principles and components.