The Evolution of COSO Frameworks: From COSO 1 to COSO 3 (2024)

Summary

In the context of globalization and business growth, the dispersion of ownership and management has led to the need for adopting an administrative process to address operational complexity. A new perspective on internal control emerges, with the COSO report standing out as a guide for implementing, managing, and evaluating internal control systems. Internal control is defined as a process to assess and maintain the effectiveness and efficiency of operations, the reliability of financial information, and compliance with laws and regulations. It is emphasized that internal control is a means to achieve business objectives, with five essential components: control environment, risk assessment, information and communication, control activities, and monitoring.

The 2004 COSO 2 report focuses on enterprise risk management, outlining critical principles and components for an effective corporate risk management process. The COSO framework for enterprise risk management consists of eight components that emphasize setting objectives, identifying events, assessing risks, responding to risks, implementing control activities, communicating information, and monitoring.

In May 2013, COSO updated its internal control framework to provide greater clarity and effectiveness, expanding its scope to cover non-financial data in addition to financial information. The advantages of the 2013 COSO framework include enhancing anti-fraud measures, adapting controls to evolving business requirements, improving risk evaluation, and strengthening corporate governance. The components of the COSO 2013 framework encompass control environment, risk assessment, control activities, information and communication, and monitoring. The COSO framework delineates the necessary steps to rectify deviations discovered in internal control systems and operational management during self-assessment and independent evaluation.
The 2013 framework comprises 17 principles categorized into components such as control environment, risk assessment, control activities, information and communication, and monitoring activities. These principles address aspects like organizational integrity, risk management, fraud prevention, and continuous assessment. The framework has progressed from COSO 1 in 1992 to COSO 2 in 2004, and now to COSO 3 in 2013, with updated roles, responsibilities, and a focus on technology and governance. It underscores strategic objectives, corporate governance, and fraud prevention, thereby enhancing internal control systems.

Key Points

(00:00:46)

Evolution of Company Ownership and Management

Previously, companies were centralized under a single ownership and management structure. However, with globalization and company growth, there has been a dispersion of ownership and management. This shift has led to owners distancing themselves from routine operations, increasing operational complexity. As a response, an administrative process was adopted to address these challenges.

(00:01:21)

Introduction of COSO Framework

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework provides a structure for internal control. COSO is a voluntary private-sector organization in the USA that offers guidance to both the private and governmental sectors. The COSO framework outlines directives for implementing, managing, and evaluating internal control systems to ensure their functionality, effectiveness, and efficiency.

(00:02:45)

Definition and Objectives of Internal Control

Internal control, as defined by the COSO framework, is a process that evaluates organizational operations to achieve basic business objectives such as performance, profitability, asset protection, reliability of financial information, and compliance with laws and regulations. It is emphasized that internal control is a means to achieve objectives, not an end in itself.

(00:04:02)

Essential Components of Internal Control

The COSO framework identifies five essential components of internal control: control environment, risk assessment, information and communication, control activities, and monitoring. These components can be tailored to fit the administrative, operational, and specific size characteristics of any company.

(00:04:19)

Control Environment Component

The control environment serves as the foundation of internal control, providing discipline to the structure on which the other components rely. It influences the functioning of the organization and the awareness of its employees. Factors within the control environment include integrity, ethical values, management style, authority allocation, organizational structure, and personnel policies.

(00:05:15)

Risk Assessment Component

Each unit must assess internal and external risks. These risks need to be evaluated to ensure effective risk management. Factors to consider during risk assessment include identifying and analyzing potential risks that may impact the organization's objectives and operations.

(00:05:22)

Risk Evaluation Process

Prior to risk evaluation, it is crucial to identify objectives at various levels that should be interconnected. Risk evaluation involves identifying and analyzing risks relevant to achieving objectives, serving as a basis for determining how risks should be managed. Control activities encompass policies, procedures, techniques, and mechanisms to manage and mitigate identified risks, ensuring compliance with established guidelines.

(00:06:09)

Risk Control Implementation

Control guidelines are executed at all levels of the organization and in each management stage, starting with the development of a risk map. The internal control system evaluation should not only consider relevant activities for identified risks but also their applicability in reality and whether the outcomes met expectations.

(00:06:31)

Information and Communication

Effective communication involves identifying, collecting, and disseminating relevant information promptly to enable each official to fulfill their responsibilities. Clear communication from management regarding individual responsibilities within the implemented internal control system is essential for officials to understand their roles and how their activities relate to others' work.

(00:07:12)

Supervision and Monitoring

Internal control systems necessitate supervision through ongoing monitoring activities to verify the system's effectiveness over time. This is achieved through continuous supervision activities, periodic evaluations, or a combination of both.

(00:07:35)

COSO 2 Framework

The COSO 2 framework from 2004, Enterprise Risk Management (ERM), comprises four objectives, four institution levels, and eight components. It outlines critical principles and components for effective corporate risk management, providing guidelines for managing risks and criteria to assess the effectiveness of enterprise risk management.

(00:08:19)

COSO 2 Components Description

The COSO 2 framework includes components such as the internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring activities. Each component plays a crucial role in establishing a robust risk management system within an organization.

(00:10:13)

Risk Analysis Process

The risk analysis process involves analyzing various factors such as political, governmental, economic, technological, and social aspects. It includes assessing weaknesses, opportunities, strengths, and threats. Methods used include historical information analysis, sector indicators, exception indicators, interviews, guided group sessions, and process flow analysis to identify immediate, medium-term, and long-term risks.

(00:11:02)

Risk Evaluation

Risk evaluation involves analyzing risks based on their probability and impact to determine how they should be managed. Risks are assessed on inherent and residual bases, considering the likelihood of an event occurring and the effect of its occurrence. Internal data may be subjective, while external data tends to be more objective.

(00:11:50)

Risk Response

After evaluating risks, management identifies and evaluates possible responses to risks based on the company's needs. Responses may include avoiding, reducing, sharing, or transferring risks. Effective risk response aims to mitigate the impact or likelihood of risks occurring.

(00:12:35)

Control Activities

Control activities involve establishing and implementing policies to ensure that risk responses are effectively carried out. These activities help in managing and mitigating risks within the organization.

(00:12:50)

Information and Communication

Information and communication play a crucial role in risk management. Relevant information is identified, captured, and communicated in a timely manner to enable personnel to fulfill their responsibilities effectively. Effective communication flows in all directions within the organization.

(00:13:18)

Monitoring

The entire process of corporate risk management is monitored, and necessary modifications are made. Monitoring activities involve ongoing management oversight, independent evaluations, or a combination of both. Risk management is not a linear process but rather multidirectional and interactive.

(00:14:01)

COSO Framework Update

In May 2013, the COSO committee published an updated version of the Integrated Internal Control Framework. The update aimed to enhance the clarity of implementation processes, increase the effectiveness of internal control systems, and develop the framework's components through 17 principles and focus areas. Changes included adapting controls to business and regulatory changes, expanding the scope of financial information, and incorporating non-financial internal and external information.

(00:15:13)

Benefits of COSO 2013 Framework

The COSO 2013 Framework for internal control integration offers various benefits, including strengthening anti-fraud efforts, adapting controls to changing business needs, improving risk assessment, expanding the use of financial and non-financial information, and enhancing corporate governance.

(00:15:42)

Components of Internal Control

The COSO 2013 framework outlines various components of internal control. These include the control environment, risk assessment, control activities, information and communication, and monitoring. Each component plays a crucial role in ensuring effective risk management and internal control within organizations.

(00:16:09)

Components of Risk Management

Risk management consists of several components:

1. Control architecture influences risk management.
2. Risk evaluation involves assessing business risks that could impact an organization's ability to achieve its business objectives. Risks have two components: probability and impact.
3. Control activities are measures taken to mitigate risks and increase the likelihood of achieving business goals.
4. Information and communication are crucial for effective internal control, ensuring timely communication of expectations and results.

(00:17:00)

Control Activities and Communication

Control activities are integral to risk management, helping prevent or detect risk events to meet business objectives. Effective communication is essential for adapting to new conditions and addressing critical deficiencies in control.

(00:17:58)

Monitoring and Improvement

Monitoring activities involve prevention, tracking results, and commitments to improvement. It is essential to report deficiencies promptly to facilitate continuous process improvement. Implementing corrective actions is necessary to address deviations in internal control and operations.

(00:19:19)

COSO Principles of Internal Control

The COSO framework comprises 17 principles categorized into components: 5 principles for control environment, 4 for risk assessment, 3 for control activities, 3 for information and communication, and 2 for monitoring activities. These principles cover areas such as integrity, ethical values, independence in management, and attracting competent individuals to the organization.

(00:21:35)

Internal Control System Principles

The organization implements its control activities through appropriate policies and procedures (Principle 12). It generates relevant information to support the functioning of the other internal control components (Principle 13). Internally, the organization shares information, including objectives and responsibilities, to support the operation of the other components (Principle 14). Externally, it communicates matters affecting the operation of the other components of internal control (Principle 15). The organization conducts ongoing and separate evaluations to verify that the internal control components are present and functioning (Principle 16). It also evaluates and communicates control deficiencies and significant changes in the integrated internal control framework across its five components (Principle 17).

(00:23:00)

Evolution of Internal Control Frameworks

The original COSO framework from 1992 was updated to COSO 2 in 2004, focusing on aspects like goal setting, risk identification, and response. In 2013, COSO 2 evolved into COSO 3, which revised the roles and responsibilities of participants in the process, such as the CEO and CFO, who formally assume responsibility for the effectiveness of internal control. COSO 3 also incorporated external assurance providers and evaluators to enhance internal control over areas like environmental risks, fair trade practices, and labor safety. Changes in principles and focus were made to facilitate implementation and maintenance of the internal control system, emphasizing the 17 principles and the increased relevance of information technology.

(00:25:53)

Corporate Governance and Fraud Considerations

Corporate governance involves establishing best practice relationships between shareholders, the board, and senior management to enhance shareholder value and meet stakeholder objectives. Prior to setting internal control objectives, strategic objectives must be defined, strengthening corporate governance concepts and addressing fraud expectations.

(00:26:19)

Internal Audit and COSO Report

Internal audit is integral to the internal control system. The COSO report is a tool used by internal auditors to assess internal control within companies. Internal auditors are responsible for reviewing the implemented control measures to ensure effectiveness.

Author: Dan Stracke