
Internal Control Audit and Compliance
Contents
Preface
Acknowledgments
Chapter 1: What We All Share
  Need for Control Criteria
  Overview of the COSO Internal Control Integrated Framework
  Holistic, Integrated View
  Revised COSO Internal Controls Framework
  What We Must Do
  Basic Scoping and Strategies for Maintenance
  Where We Depart
  Triangle of Efficiency
  Controls versus Processes
  The Debate Continues
  Organization of This Book
  Appendix 1A: COSO 17 Principles
Chapter 2: Setting the Scope of Your Documentation Project: Identifying the Core
  Start with Business Objectives
  After the Initial Year
  Mapping the Entity to the Financial Statements: Ins and Outs
  Consider Risks, Not Just Quantitative Measures
  Inherent and Control Risk
  Overstatement and Understatement
  Does "In Scope" Imply Extensive Testing?
  A Consolation
  Be Careful Out There!
  Appendix 2A: Summary of Scoping Inquiries
Chapter 3: The Risk Assessment Component
  Risk Assessment Principles in COSO
  Cost Control
  Basics
  Likelihood, Magnitude, Velocity, and Persistence
  Separate Assessments of Inherent and Control Risks
  Role of Assertions
  Assertions
  Principles 6 and 7: Specify Suitable Objectives; Identify and Analyze Risk
  Identifying Risks
  External Sources of Risk Information
  Internal and External Reporting Risks
  Compliance Risks
  Disclosed Material Weaknesses in Risk Assessment
  Principle 8: Assess Fraud Risk
  Auditor Responsibility to Detect Fraud
  Antifraud Controls for Management to Consider
  Ties to Other Principles and Components
  Principle 9: Identify and Assess Significant Change
  Gathering Information to Support the Risk Assessment and Consider Change
  Appendix 3A: SAS No. 99 Exhibit: Management Antifraud Programs and Controls
    Attachment 1: AICPA "CPA's Handbook of Fraud and Commercial Crime Prevention" Code of Conduct
    Attachment 2: Financial Executives International Code of Ethics Statement
  Appendix 3B: Understanding Fraud Risk Assessment
Chapter 4: Control Environment
  Principle 1: Commitment to Integrity and Ethical Values
  Principle 2: Board of Directors (Governance) Demonstrates Independence from Management and Exercises Oversight of the Development and Performance of Internal Control
  Principle 3: Management Establishes, with Board Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities in the Pursuit of Objectives
  Principle 4: Commitment to Attract, Develop, and Retain Competent Individuals in Alignment with Objectives
  Principle 5: The Organization Holds Individuals Accountable for Their Internal Control Responsibilities in the Pursuit of Objectives
  Appendix 4A: Understanding and Awareness of Control Responsibilities
Chapter 5: Control Activities
  Principle 10: Selects and Develops Control Activities to Mitigate Risk and Achieve Objectives
  Principle 11: Selects and Develops General Controls over Technology
  Principle 12: Deploys through Policies and Procedures
  Summing Up
  Appendix 5A: Linking Common Control Activities and Assertions
  Appendix 5B: Linkage of Principles to Controls, Policies, and Procedures
Chapter 6: Information and Communication
  Principle 13: Generates Relevant Information
  Principle 14: Communicates Internally
  Principle 15: Communicates Externally
Chapter 7: Monitoring
  Principle 16: Select, Develop, and Perform Ongoing and/or Separate Evaluations
  Principle 17: Evaluate and Communicate Deficiencies as Appropriate
Chapter 8: Evidence and Testing
  Sufficient Evidence
  Gathering Information
  Testing and Sampling
  Nonsampling Situations
  Confusion of Sample Size Guidance in Practice Today
  Information Technology General Controls
  Testing Security and Access
  Appendix 8A: Sample Size Tutorial
Chapter 9: Developing Questionnaires and Conducting Interviews
  Surveys of Employees
  Conducting Interviews
  Management Inquiries: Sample Questions
  Appendix 9A: Sample Practice Aids
Chapter 10: Assessing the Severity of Identified Controls Deficiencies
  It's Inevitable
  Alignment of Public and Private Company Standards for Assessing Deficiency Severity
  Control Deficiencies and Definitions
  Key Factors When Assessing the Severity of a Deficiency
  Conditions Indicating Control Deficiencies
  Examples of Evaluating the Severity of Deficiencies
  Overall Assessment
  Appendix 10A: A Framework for Evaluating Control Exceptions and Deficiencies
  Appendix 10B: Assessing the Potential Magnitude of a Control Deficiency
Chapter 11: Reporting Requirements
  Nonpublic Entity Reporting
  Public Company Annual and Quarterly Reporting Requirements
  Reporting on Management's Responsibilities for Internal Control
  Required Company and Auditor Communications
  Reporting the Remediation of Weaknesses
  Coordinating with the Independent Auditors and Legal Counsel
  Appendix 11A: Illustrative AICPA Report on Internal Controls
Chapter 12: Project Management and Tools Assessment Design
  Project Management
  Structuring the Project Team
  Tools Assessment Design
  Features of a Good Tools Solution
  Value of a Pilot Project
  Coordinating with the Independent Auditors
Chapter 13: Illustrative Forms and Templates
  Historical Perspective
  2013 Framework Examples
  Appendix 13A: Information-Gathering Form: Principle Focused
  Appendix 13B: Information-Gathering Form: Revenue
  Appendix 13C: Walk-through Documentation Form
  Appendix 13D: Information Technology General Controls Assessment Form
  Appendix 13E: Documentation of Financial Reporting Software and Spreadsheets
  Appendix 13F: Sampling Form for Tests of Controls
  Appendix 13G: Summary of Internal Control Deficiencies
  Appendix 13H: Control Environment Component Evaluation Summary
Chapter 14: Summing Up
About the Author
Index
Chapter 1
What We All Share
Regardless of the type of entity, all users of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, and the auditors of those entities, in both the public and nonpublic sectors, share a great deal in common. We broadly outline those shared characteristics here before plunging into the details of application and documentation. This will also help readers target the specific goals they have in studying this material. Later these concepts are developed in more detail; for now they serve as an overview of the subject matter.
Need for Control Criteria
Early auditing literature talked about controls, primarily in terms of controls over more routine transactions, such as cash receipts and disbursements. Based on the analysis of business and accounting failures over decades of experience, it became clear that a broader view of controls was necessary to address the various management, information processing, or oversight weaknesses that so often contributed to these events. However, there was no broader framework or set of criteria against which to evaluate the effectiveness of the entity in controlling its risk of filing materially false financial information and preventing other types of fraud. The COSO Framework has filled that void.
A set of criteria is a standard against which a judgment can be made. In the United States, the internal control integrated framework published by COSO is just about the only overall set of control criteria available for assessing the effectiveness of internal control over financial reporting (ICFR). Choosing appropriate control criteria is a Securities and Exchange Commission (SEC) requirement for public companies when they assess the effectiveness of an entity's internal control. The American Institute of Certified Public Accountants (AICPA) auditing literature references the COSO components in its guidance to auditors of nonpublic companies, so from a practical perspective COSO is the only game in town. While other frameworks exist (e.g., the Criteria of Control (CoCo) framework from Canada, the Turnbull Report in the United Kingdom, and J-SOX in Japan), they are not dissimilar to COSO in overall concept and have not gained wide acceptance outside their home countries.
Overview of the COSO Internal Control Integrated Framework
In 1985, COSO was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. It was motivated by yet another intense period in which financial reporting fraud and alleged audit failures were prominent in the news. Since this initial undertaking, COSO has expanded its mission to include improving the quality of financial reporting, and a significant part of that mission is aimed at developing guidance on internal control. In 1992, COSO published Internal Control – Integrated Framework, which established a framework for internal control and provided evaluation tools that businesses and other entities could use to evaluate their control systems.1
The COSO internal control framework identifies five components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Today these remain unchanged from the 1992 Framework. That is a testament to the fundamental correctness of the COSO Framework. However, the level of detailed guidance over the years has increased due to the more recent widespread implementation of the Framework in our business environment and a desire to have more consistency in the application of COSO principles.
Holistic, Integrated View
The COSO Framework identifies five main components of internal control, and one of the keys of working with it is to understand how these components relate to and influence one another. COSO envisions these individual components as being tightly integrated in a nonlinear fashion. Each component has a relationship with and can influence the functioning of every other component, operating in an almost organic way.
The five interrelated components of the COSO Framework are, briefly:
- Control environment. Senior management must set an appropriate tone at the top that positively influences the control consciousness of entity personnel. The control environment is the foundation for all other components of internal controls and provides discipline and structure.
- Risk assessment. The entity must be aware of and deal with the financial reporting risks it faces. It must set objectives, integrated throughout its activities, so that the organization is operating in concert. Once these objectives are set, the entity is in a better position to identify the risks to achieving those objectives and to analyze and develop ways to manage them.
- Control activities. Control policies and procedures must be established and executed to help ensure transactions being processed on a day-to-day basis, such as sales and expense transactions, or on a periodic basis, such as accruals and consolidations, are resulting in complete and accurate accounting recognition.
- Information and communication. Surrounding the control activities are information and communication systems, including the accounting system. Whether manual or, as is most likely today, automated (computer-based), they enable the entity's people to capture and exchange the information needed to conduct, manage, and control its operations. The information and communication component comprises both internal communications (e.g., with management and those charged with governance) and external communications (e.g., with shareholders, prospective investors, or creditors).
- Monitoring. The COSO Framework identifies monitoring as the responsibility of management; the auditor is not a part of the entity's system of internal control. The entire company control process should be monitored on a regular basis by management, and issues that arise should be communicated appropriately within the organization. In this way, the system should be in a position to react dynamically as changing conditions warrant, rather than relying on special procedures or independent audit procedures to detect these problems. The company is expected to be proactive in identifying and correcting control deficiencies.
Figure 1.1 is from the 1992 COSO Integrated Framework report. It depicts these five elements of internal control and their interrelationships as a three-sided pyramid, with the control environment as the base.
Figure 1.1 COSO Framework
Note that the information and communication component is positioned along the edge of the pyramid structure, indicating that this component has close linkages to the other components. It probably would be even more accurate if the component were depicted as affecting all other ones, including control environment and monitoring, as it is difficult to envision these components being effective without effective information and communication.
Historically, the auditing literature has pictorially described the COSO Framework in the shape of a cube (see Figure 1.2). This representation shows that controls can affect the entity either on an entity-wide basis or specifically on a divisional, regional or product line basis. The 2013 revision changed the "cube" and placed the control environment at the top of the cube. The strong hierarchical image of the pyramid and its strong base is somewhat lost in this representation, but for complex entities with multiple product lines or locations, the cube works well.
Figure 1.2 COSO Framework II
While both models have advantages, whatever model is used to communicate the Framework, it is helpful to have some physical representation of it as a training tool and as a reminder of the components when initiating a project or bringing new personnel into an existing project. In the early days of Sarbanes-Oxley (SOX) implementation, some creative ways were developed to etch the components firmly in the auditor's mind. One unique product was a pen that revealed a new component each time the ballpoint was retracted or extended.
A blessing of the COSO Framework is that together the five components seem to be satisfactory in describing the broad sources of internal control issues. The corresponding curse is that it is sometimes difficult to determine where specific facts and controls fall within the framework. While it would be nice if a one-to-one relationship existed between processes and controls and the Framework components, that is not the case. Entities could and did make their own decisions about where controls belonged under the 1992 Framework. The sharper focus and the 17 Principles of the 2013 Framework should reduce the variability in classifying controls within the Framework going forward.
For example, the 1992 COSO Framework report contained only passing mention of information technology (IT). Can we cleanly assign IT to just one component? Clearly there is a linkage to the control activities component since automated accounting processes and controls depend on the IT being effective. In another sense, IT is important to information and communication, which relies on data in company databases being accurate and complete. And it is hard to imagine running a business or performing the governance function effectively without accurate and timely financial data, so failures of IT can also impact the control...