
COSO’s goal is to improve the quality of financial reporting through a focus on
corporate governance, ethical practices, and internal control. It focuses on the
three key objectives of:

effective and efficient operations

reliable financial reporting

adherence to relevant legislation and regulation.

They established a framework providing an internationally recognised
standard against which organisations can assess internal control systems
across business units and activities.

The COSO Cube

The top level of the COSO Cube is Objectives

Internal control is broadly defined as a process, effected by the board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:

effective and efficient operations

reliable financial reporting

compliance with legislation and regulations.

Objectives are achieved by meeting the standard for each component.

control environment

This sets the tone of an organization and is the foundation for all other
components of internal control, providing discipline and structure. It reflects:

the integrity, ethical values and competence of the people

management’s philosophy and operating style

the way management assigns authority and responsibility

how management organises and develops its people

the attention and direction provided by the board of directors.

Although the control environment is the foundation of all the other
components, very few people know how to assess these areas. Proper
assessment requires subjective as well as objective analysis. To do this people
need knowledge, experience, sound judgement and a method. This will be the
subject of a future article.

risk assessment

The identification and analysis of relevant risks to the achievement of
objectives (including the risk of material misstatement in the significant
accounts and disclosures) forming a basis for determining how the risks
should be managed. Without this there is a reduced certainty that we’re doing
the right things for the right reasons.

control activities

The policies and procedures that help ensure that management’s directives
are carried out, including those related to the prevention or detection of
errors or fraud that could result in material misstatement. This includes a
range of activities such as approvals, authorisation, reconciliations and
segregation of duties and reminds me of my days as an ACCA student learning
the acronym SOAPMAPs (Segregation of duties, Organisation, Authorisation
and approval, Physical, Management, Arithmetical and accounting, Personnel
and Supervision) which has stood me in good stead for more than 20 years!

information and communication

These systems support the identification, capture, and exchange of
information in a form and time frame that enables people to carry out their
responsibilities; this applies to information transferred in all directions within
the organisation. All personnel must receive a clear message from top
management that control responsibilities must be taken seriously. This
component includes:

obtaining and distributing information

information systems development

communication with outsourced functions

internal communications

communication with auditors and external parties.

monitoring

The processes that assess the quality of internal control performance over
time. This includes regular management and supervisory activities, and other
actions personnel take in performing their duties. This component considers
different types of monitoring:

ongoing during the course of operations (including regular management and
supervisory activities)

separate evaluations of controls (depends on assessment of risk)

audit reviews

monitoring and reporting of deficiencies (e.g. complaints, action plans etc).

Each of the COSO components is further detailed with a range of
considerations providing a comprehensive tool against which to assess the
effectiveness of internal control.

Third dimension of the COSO cube

The entity and its organisational units are depicted by the third dimension of
the cube which can be tailored to any part of an organisation, e.g. you could
look at all objectives across all components across the whole business or just
in unit A or just in relation to activity one.

Summary

All of the above components are vital to the success of an organisation and
provide the framework for good internal control throughout. Internal control
is not just important for internal auditors or even risk managers. It is relevant
to all managers from executive director downwards.

An organisation having a good system of internal control, where all the
components are working well and are embedded, is more likely to achieve its
objectives and have a strong and sustainable future. It’s important that, as
professional internal auditors, we encourage the formal adoption of an
internationally recognised framework such as COSO providing guidelines and
a benchmark as to what good looks like. Effective internal auditing will
provide independent assurance over the entirety of the framework.

Note: The framework described above is effectively COSO 1 (truly back to
basics) and has been further developed as an Enterprise Risk Management
(ERM) framework which will be explored in a future e-bulletin. For more
information visit www.coso.org.
