Thursday, May 31, 2018

Control Environment, Risk Assessment & Control Activities (COSO)

Control Environment
      The foundation or bottom level of the COSO internal control framework is what COSO calls the internal control environment. The control environment should be viewed as the foundation for all other components of internal control, and it influences each of the three objectives as well as overall unit and entity activities. The control environment reflects the overall attitude, awareness, and actions of the board of directors, management, and others concerning the importance of internal controls in the enterprise. Senior managers should always try to understand and manage this overall control environment in their organizations.

      The essential components of the control environment are:
• INTEGRITY AND ETHICAL VALUES
• COMMITMENT TO COMPETENCE
• BOARD OF DIRECTORS AND AUDIT COMMITTEE
• MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
• ORGANIZATIONAL STRUCTURE
• ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
• HUMAN RESOURCES POLICIES AND PRACTICES

Risk Assessment
      The next level or layer above the control environment in the COSO internal control framework is risk assessment. An enterprise’s ability to achieve its objectives can be at risk due to a variety of internal and external factors. Understanding and managing the risk environment is a basic element of the internal control foundation, and an enterprise should have a process in place to evaluate the potential risks that may impact attainment of its various objectives. This risk assessment component focuses on internal controls within an enterprise and has a much narrower scope than the COSO ERM enterprise risk management framework and IT governance risk management issues.

      COSO internal control risk assessment should be a forward-looking process that is performed at all levels and for virtually all activities within the enterprise.

The COSO internal controls framework describes risk assessment as a three-step process:
1. Estimate the significance of the risk.
2. Assess the likelihood or frequency of the risk occurring.
3. Consider how the risk should be managed and assess what actions must be taken.

      This COSO risk assessment process places the responsibility on management to assess whether a risk is significant and, if so, to take appropriate action. COSO internal controls also emphasize that risk analysis is not a theoretical exercise but can often be critical to an entity’s overall success. As part of its overall assessment of internal control, management should take steps to assess the risks that may impact the overall enterprise as well as the risks over various enterprise activities or entities. A variety of risks, arising from either internal or external sources, may affect the overall enterprise.

      The risk assessment element of COSO internal controls is an area of much misunderstanding and confusion because of the similarly named COSO ERM framework. The risk assessment component of the COSO internal control framework covers risk assessments within an individual enterprise, whereas the COSO ERM framework covers the entire entity and beyond. These are really two separate issues; one is not a replacement for the other.

Control Activities
      The next layer up in the COSO internal control framework is called control activities. These are the processes and procedures that help ensure that the actions identified to address risks are actually carried out. Control activities exist at all levels, and in many cases may overlap one another. They are essential elements in building and then maintaining effective internal controls in an enterprise.

      The COSO internal control framework identifies a series of these activities that are generally classified as manual, IT, or management controls, and they are also described in terms of whether they are preventive, detective, or corrective control activities.

      While no one set of internal control definitions is correct for all situations, COSO internal controls recommend the following control activities for an enterprise:
• Top-level reviews
• Direct functional or activity management
• Information processing
• Physical controls
• Performance indicators
• Segregation of duties

      These control activities represent only a small number of the many performed in the normal course of business operations, but each involves policies establishing what should be done and procedures to implement them. Even though control activities may sometimes be communicated orally, they should be implemented thoughtfully, conscientiously, and consistently. This is a strong message for anyone reviewing such internal control activities.

      Control activities should not be installed just because they seem to be the “right thing to do” when there are no significant risks in the area where the control activity would be installed. Sometimes there may be control activities in place that once served some control-risk concern, although the concern has largely gone away. A control activity should not be discarded merely because there has been no recent history of control violations, but management needs to periodically reevaluate the associated relative risks. All internal control activities should contribute to the overall control structure, and IT auditors should keep this concept in mind as they review internal controls and make recommendations.
