Committee of Sponsoring Organizations (COSO)
Internal Control Integrated Framework

Concepts of Internal Control

Objectives Setting and Internal Control

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation, and complying with laws and regulations.

Supporting the organization in its efforts to achieve objectives are five components of internal control:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

Relationship of Objectives, Components, and the Entity:

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.

  • The three categories of objectives (operations, reporting, and compliance) are represented by the columns.
  • The five components are represented by the rows.
  • The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing, and to which internal control relates, is depicted by the third dimension of the cube.

Each component cuts across and applies to all three categories of objectives. For example, attracting, developing, and retaining competent people who are able to conduct internal control—part of the control environment component—is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity’s operations is needed. In that case, focus is on the middle column of the model—reporting objectives—rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity’s requirements for information and communication, or for its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is an integrated process in which components can and will impact another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of internal control differ dramatically by industry and regulatory environment, as well as by internal considerations such as the size, nature of the management operating model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities require each of the components to maintain effective internal control over their activities, one entity’s system of internal control usually looks different from another’s.

Objectives

Management, with board oversight, sets entity-level objectives that align with the entity’s mission, vision, and strategies. These high-level objectives reflect choices made by management and board of directors about how the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on the entity’s unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.

Individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies suitable objectives so that risks to the achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.

However, there may be instances where an entity might not explicitly document an objective. Objectives specified in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to achievement of an entity's basic mission - the fundamental reason for its existence. These objectives vary based on management's choices relating to structure, industry considerations, and performance of the entity. Entity-level objectives cascade into related sub-objectives for operations within the divisions, subsidiaries, operating units, and functions, directed at enhancing effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability, return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or levels of spending, may focus more on increasing donor participation. A governmental agency may focus primarily on executing its spending in line with the designated purposes of its appropriators to ensure that the spending supports its mission objectives. If an entity’s operations objectives are not well conceived or clearly specified, its resources may be misdirected.

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, which refers to protecting and preserving entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely detection and reporting of any such losses. These objectives form the basis of assessing risk relating to safeguarding of assets and selecting and developing controls needed to mitigate such risk.

The efficient use of an entity’s assets, and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling product at too low a price, extending credit to bad risks, failing to retain key employees, preventing patent infringement, incurring unforeseen liabilities) relate to broader operations objectives and are not a specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of the assets. In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders. Reporting objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting objectives are driven by internal requirements in response to a variety of potential needs such as the entity’s strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are driven primarily by regulations and/or standards established by regulators, and standard-setting bodies.

  • External Financial Reporting Objectives - Entities need to achieve external financial reporting objectives to meet obligations to and expectations of stakeholders. Financial statements are necessary for accessing capital markets and may be critical to being awarded contracts or in dealing with suppliers and vendors. Investors, analysts, and creditors often rely on an entity’s external financial statements to assess its performance against peers and alternative investments. Management may also be required to publish financial statements using objectives set forth by rules, regulations, and standards.

  • External Non-Financial Reporting Objectives - Management may report external non-financial information in accordance with regulations, standards, or frameworks. An entity may engage an independent auditor to report on its conformance with standards published by standard-setting bodies. Nonfinancial reporting requirements as set forth by regulations and standards for management reporting on the effectiveness of internal control over financial reporting are part of external non-financial reporting objectives. For purposes of the Framework, external reporting in the absence of a regulation, standard, or framework represents external communication.

  • Internal Financial and Non-Financial Reporting Objectives - Internal reporting to management and the board of directors includes information deemed necessary to manage the organization. It supports decision making and assessment of the entity’s activities and performance. Internal reporting objectives are based on preferences and judgments of management and the board. Internal reporting objectives vary among entities because different organizations have different strategic directions, operating plans, and expectations. 

Relationship within Reporting Category of Objectives

The overall relationship between the four sub-categories of reporting objectives is depicted in the graphic below.

Reporting objectives are different from the information and communication component of internal control. Management establishes, with board oversight, reporting objectives when the organization needs reasonable assurance of achieving a particular reporting objective. In these situations, all five components of internal control are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger integration efforts, the organization specifies internal reporting objectives (e.g., prepares reliable, relevant, and useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and develops controls within the five components necessary to mitigate such risks, and monitors components of internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of reporting objectives, as well as operations and compliance objectives. For instance, controls within information and communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but these controls are only part of the overall system of internal control. 

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is expected to incorporate these standards into the objectives set for the entity. Some organizations will set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. For instance, a particular law may limit minors working outside school hours to eighteen hours in a school week. However, a retail food service company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity’s internal policies and procedures, as opposed to compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing the financial reporting period within five workdays" may be a goal supporting primarily an operations objective: to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to prevent theft of assets—such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods—fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected after a periodic physical inspection and recording in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity’s business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For example:

  • Some entities submit information to environmental agencies.
  • Publicly traded companies file information with securities regulators.
  • Universities report grant expenditures to government agencies.

These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization’s preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives. For example, one organization might choose to be an early adopter of emerging technologies in developing new products, whereas another might be a quick follower, and yet another a late adopter. These choices would reflect the entity’s strategies and the competencies, technologies, and controls within its research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Management aligns these sub-objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is usually known. Where objectives depart from an entity’s past practices, management addresses the linkages or accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on linked sub-objectives dealing with the introduction of services that use a newer and less proven technology infrastructure. These sub-objectives might need to be substantially changed if past practice used older, proven technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability. 

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and from established standards relating to compliance and reporting objectives, as deemed suitable in the circumstances. For example, procurement operations objectives may be to:

  • Purchase goods that meet established engineering specifications.
  • Purchase goods from companies that meet the entity's environmental, health, and safety specifications as set forth in a code of conduct (e.g., no child labor, good working conditions).
  • Negotiate acceptable prices and other terms.  

As another example, when specifying suitable external reporting objectives relating to the preparation of external financial statements, management considers accounting standards, financial statement assertions, and qualitative characteristics that are applicable to the entity and its subunits. For example, management may set an entity-level external financial reporting objective as follows: “Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles.”

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For instance, management specifies sub-objectives for sales transactions that apply appropriate accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as

  • All sales transactions that occur are recorded on a timely basis.
  • Sales transactions are recorded at correct amounts in the right accounts.
  • Sales transactions are accurately and completely summarized in the entity’s books and records.
  • Presentation and disclosures relating to sales are properly described, sorted, and classified.

Limitations of Internal Control

Internal control, no matter how well designed, implemented, and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty, external events outside the organization’s control may arise, and breakdowns can occur because of human failures such as making errors. Additionally, controls can be circumvented by two or more people colluding, and management can override the system of internal control.

Internal control has been viewed by some observers as ensuring that an entity will not fail—that is, the entity will always achieve its operations, reporting, and compliance objectives. In this sense, internal control sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal control is not a panacea.

In considering limitations of internal control, two distinct concepts must be recognized. The first set of limitations acknowledges that certain events or conditions are simply outside management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any system of internal control is that reasonable assurance be obtained, which is the focus of this chapter. Internal control cannot provide absolute assurance for any of the objective categories.

Reasonable assurance does not imply that systems of internal control will frequently fail. Many factors, individually and collectively, serve to strengthen the concept of reasonable assurance. Controls that support multiple objectives or that affect multiple principles within or across components reduce the risk that an entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, it is likely that these activities often apprise management about the progress toward the entity’s operations objectives, and also support the achievement of compliance and reporting objectives. However, because of the inherent limitations discussed here, there is no guarantee that, for example, an uncontrollable event, mistake, or improper incident could never occur. In other words, even an effective system of internal control may experience failures. Reasonable assurance is not absolute assurance.

Preconditions of Internal Control

The Framework specifies several areas that are part of the management process but not part of internal control. Two such areas relate to the governance process that extends the board’s role beyond internal control and establishing objectives as a precondition to internal control. There is a dependency established on these areas, among others, to also be effective. For example, an entity’s weak governance processes for selecting, developing, and evaluating board members may limit its ability to provide appropriate oversight of internal control. Similarly, ineffective strategy-setting or objective-setting processes would challenge the entity’s ability to identify poorly specified, unrealistic, or unsuitable objectives. A system of internal control cannot encompass all activities undertaken by the entity, and weaknesses in these areas may impede the organization from having effective internal control.

External Events

Internal control, even effective internal control, operates at different levels for different objectives. For objectives relating to the effectiveness and efficiency of an entity’s operations—achieving its mission, value propositions (e.g., productivity, quality, and customer service), profitability goals, and the like—internal control cannot provide reasonable assurance of the achievement when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level. In these situations, internal control can only provide reasonable assurance that the organization is aware of the entity’s progress, or lack of it, toward achieving such objectives.

Management Override

Even an entity with an effective system of internal control may have a manager who is willing and able to override internal control. The term “management override” is used here to mean overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s performance or compliance. A manager of a division or operating unit, or a member of senior management, might override the control for many reasons such as to:

  • Increase reported revenue to cover an unanticipated decrease in market share
  • Enhance reported earnings to meet unrealistic budgets
  • Boost the market value of the entity prior to a public offering or sale
  • Meet sales or earnings projections to bolster bonus payouts tied to performance
  • Appear to cover violations of debt covenant agreements
  • Hide lack of compliance with legal requirements

Override practices include deliberately making misrepresentations to bankers, lawyers, accountants, and vendors, and intentionally issuing false documents such as purchase orders and sales invoices.

Management override should not be confused with management intervention, which represents management’s actions to depart from prescribed controls for legitimate purposes. Management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Provision for management intervention is necessary because no process can be designed to anticipate every risk and every condition. Management’s actions to intervene are generally overt and subject to policies and procedures or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or disclosed, and have the intent to cover up the actions.

Collusion

Collusion can result in internal control deficiencies. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial or other management information so that it cannot be detected or prevented by the system of internal control. Collusion can occur, for example, between an employee who performs controls and a customer, supplier, or another employee. Sales and/or operating unit management might collude to circumvent controls so that reported results meet budgets or incentive targets.

Roles and Responsibilities of Internal Control

Introduction

Internal control is effected by personnel internal to the organization, including the board of directors or equivalent oversight body and its committees, management and personnel, business-enabling functions, and internal auditors. Collectively, they contribute to providing reasonable assurance that specified objectives are achieved. When outsourced service providers perform controls on behalf of the entity, management retains responsibility for those controls.

An organization may view internal control through three lines of defense:

  • Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.

  • Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.

  • Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management to consider and implement; their position and compensation are separate and distinct from the business areas they review.

Responsible Parties

Every individual within an entity has a role in effecting internal control. Roles vary in responsibility and level of involvement, as discussed below.

The Board of Directors and Its Committees

Depending on the jurisdiction and nature of the organization, different governance structures may be established, such as a board of directors, supervisory board, trustees, and/or general partners, with committees as appropriate. In the Framework, these governance structures are commonly referred to as the board of directors.

The board is responsible for overseeing the system of internal control. With the power to engage or terminate the chief executive officer, the board has a key role in defining expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. Board members are objective, capable, and inquisitive. They have a working knowledge of the entity’s activities and environment, and they commit the time necessary to fulfill their governance responsibilities. They utilize resources as needed to investigate any issues, and they have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.

Boards of directors often carry out certain duties through committees, whose use varies depending on regulatory requirements and other considerations. Board committees may be used for oversight of audit, compensation, nominations and governance, risk, and other topics significant for the organization. Each committee can bring specific emphasis to certain components of internal control. Where a particular committee has not been established, the related functions are carried out by the board itself.

Board-level committees can include the following:

  • Audit Committee - Regulatory and professional standard-setting bodies often require the use of audit committees. The role and scope of authority of an audit committee can vary depending on the organization’s regulatory jurisdiction, industry norm, or other variables. This is sometimes also called the audit and risk committee to emphasize the importance of risk oversight. Management is responsible for the reliability of the financial statements, but an effective audit committee plays a critical oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management regarding how it is carrying out its internal and external reporting responsibilities and to verify that timely corrective actions are taken, as necessary.

    As a result of its independence, the audit committee, along with a strong internal audit function as applicable, is often best positioned to identify and promptly act in situations where senior management overrides controls or deviates from expected standards of conduct. The audit committee interacts with external auditors, meeting regularly to discuss the scope of planned audit procedures and results of audit procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees. While board composition requirements vary, independent directors are important as they can provide an objective perspective. For example, the UK, German, and other corporate governance codes, and the New York Stock Exchange (NYSE) and NASDAQ listing requirements define the number and criteria for audit committee members to be independent from management and financially literate (e.g., at least one member with accounting or financial management expertise).

  • Compensation Committee - Establishes the compensation for the chief executive officer or equivalent and provides oversight of compensation arrangements to motivate without providing incentives for undue risk-taking so as to ultimately protect and promote the interest of shareholders or other owners of the entity. It oversees senior management in its role to balance performance measures, incentives, and rewards with the pressures created by the entity’s objectives, and helps structure compensation practices to support the achievement of the entity’s objectives without unduly emphasizing short-term results over long-term performance.

  • Nomination/Governance Committee - Provides control over the selection of candidates for directors and senior management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board’s composition, operations, and performance; oversees the succession planning process for the chief executive officer and other key executives; and develops oversight discipline, processes, and structures. It promotes director orientations and training and evaluates oversight structures and processes (e.g., board/committee evaluations).

  • Other Committees - There may be other committees of the board of directors that oversee specific areas. These committees are often established in large organizations or due to particular circumstances of the entity. For example, in an industry where compliance with certain laws and regulations is fundamental to the survival or development of the organization, a board-level compliance committee may be necessary. Risk committees are formed to focus on changes in risk levels and related impacts, and oversight of risk responses. Further to board committees that provide oversight, management-level committees often exist to provide guidance in the execution of specific areas, such as compliance committees, new product committees, and others.

Business-Enabling Functions

Various organizational functions or operating units support the entity through specialized skills, such as risk management, finance, controllers, product/service quality management, technology, compliance, legal, human resources, and others. They provide guidance and assessment of internal control related to their areas of expertise, and it is incumbent on them to share and evaluate issues and trends that transcend organizational units or functions. They keep the organization informed of relevant requirements as they evolve over time (e.g., new or changing laws and regulations across a multitude of jurisdictions). Such business-enabling functions are referred to as the second line of defense, while front-line personnel who execute control activities are the first line.

While each function serves a distinct purpose, their efforts are coordinated and integrated as appropriate. For example, a company’s new customer acceptance process may be reviewed by the compliance function from a regulatory perspective, by the risk management function from a concentration risk perspective, and by the internal audit function to assess the design and effectiveness of controls. Disruptions to the business process are minimized when the timing and approach of reviews, and the management of issues, are coordinated to the extent possible. Integration of efforts helps create a common language and platform for evaluating and addressing internal control matters, as business-enabling functions guide the organization in achieving its objectives.

Risk and Control Personnel

Risk and control functions are part of the second line of defense. Depending on the size and complexity of the organization, dedicated risk and control personnel may support functional management in managing different risk types (e.g., operational, financial, quantitative, qualitative) by providing specialized skills and guidance to front-line management and other personnel and by evaluating internal control. These activities can be part of an entity’s centralized or corporate organization, or they can be set up with “dotted line” reporting to functional heads. Risk and control functions are central to the way management maintains control over business activities.

Responsibilities of risk and control personnel include identifying known and emerging risks, helping management develop processes to manage such relevant risks, communicating and providing education on these processes across the organization, and evaluating and reporting on the effectiveness of such processes. The chief risk/control officer is responsible for reporting to senior management and the board on significant risks to the business and on whether these risks are managed within the entity’s established tolerance levels, with adequate internal control in place. Despite such significant responsibilities, risk and control personnel are not responsible for executing controls; they support the overall achievement of internal control.

Legal and Compliance Personnel

Counsel from legal professionals is key to defining effective controls for compliance with regulations and managing the possibility of lawsuits. In large and complex organizations, specialized compliance professionals can be helpful in defining and assessing controls for adherence to both external and internal requirements. The chief legal/compliance officer is responsible for ensuring that legal, regulatory, and other requirements are understood and communicated to those responsible for effecting compliance.

A close working relationship between business management and legal and compliance personnel provides a strong basis for designing, implementing, and conducting internal control to manage adverse outcomes such as regulatory sanctions, legal liability, and failure to adhere to internal compliance policies and procedures. At smaller organizations, legal and compliance roles may be shared by the same professional, or one of these roles can be outsourced with close oversight by management.

Other Personnel

Internal control is the responsibility of everyone in an entity and therefore constitutes an explicit or implicit part of everyone’s job description. Front-line personnel constitute the first line of defense in the performance of internal control responsibilities. Examples include:

  • Control Environment - Reading, understanding, and applying the standards of conduct of the organization

  • Risk Assessment - Identifying and evaluating risks to the achievement of objectives and understanding established risk tolerances relating to their areas of responsibility

  • Control Activities - Performing reconciliations, following up on exception reports, performing physical inspections, and investigating reasons for cost variances or other performance indicators

  • Information and Communication - Producing and sharing information used in the internal control system (e.g., inventory records, work-in-process data, sales or expense reports) or taking other actions needed to effect control

  • Monitoring Activities - Supporting efforts to identify and communicate to higher-level management issues in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions

The care with which those activities are performed directly affects the effectiveness of the internal control system. Internal control relies on checks and balances, including segregation of duties, and on employees not “looking the other way.” Personnel understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting of such circumstances.

Internal Auditors

As the third line of defense, internal auditors provide assurance and advisory support to management on internal control. Depending on the jurisdiction, size of the entity, and nature of the business, this function may be required or optional, internal or outsourced, large or small. In all cases, internal audit activities are expected to be carried out by competent and professional resources aligned to the risks relevant to the entity.

The internal audit activity includes evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems regarding matters such as:

  • Reliability and integrity of financial and operational information

  • Effectiveness and efficiency of operations and programs

  • Safeguarding of assets

  • Compliance with laws, regulations, policies, procedures, and contracts

All activities within an organization are potentially within the scope of the internal auditor’s responsibility. In some entities, the internal audit function is heavily involved with controls over operations. For example, internal auditors may periodically monitor production quality, test the timeliness of shipments to customers, or evaluate the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance or financial reporting–related activities. In all cases, they demonstrate the necessary knowledge of the business and independence to provide a meaningful evaluation of internal control.

The scope of internal auditing is typically expected to include oversight, risk management, and internal control, and to assist the organization in maintaining effective control by evaluating the effectiveness and efficiency of those processes and by promoting continual improvement. Internal audit communicates findings and interacts directly with management, the audit committee, and/or the board of directors.

Internal auditors maintain an impartial view of the activities they audit through their skills and authority within the entity. Internal auditors have functional reporting to the audit committee and/or the board of directors and administrative reporting to the chief executive officer or other members of senior management.

Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to that of others and when protected from other threats to their objectivity. The primary protection against these threats is appropriate internal auditor reporting lines and staff assignments. These assignments are made to avoid potential and actual conflicts of interest and bias. Internal auditors do not assume operating responsibilities, nor are they assigned to audit activities with which they were involved recently in connection with prior operating assignments.

External Parties

A number of external parties can contribute to the achievement of the entity’s objectives, whether by performing activities as outsourced service providers or by providing data or analysis to functional/operational personnel. In both cases, functional/operational management always retains full responsibility for internal control.

Outsourced Service Providers

Many organizations outsource business functions, delegating their roles and responsibilities for day-to-day management to outside service providers. Administrative, finance, human resources, technology, legal, and even select internal operations can be executed by parties outside the organization, with the objective of obtaining access to enhanced capabilities at a lower cost. For example, a financial institution may outsource its loan review process to a third party, a technology company may outsource the operation and maintenance of its information technology processing, and a retail company may outsource its internal audit function. While these external parties execute activities for or on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks. It must implement a program to evaluate the activities performed on its behalf and to assess the effectiveness of the system of internal control over the activities performed by outsourced service providers.

Other Parties Interacting with the Entity

Customers, vendors, and others transacting business with the entity are an important source of information used in conducting control activities. For example:

  • A customer can inform a company about shipping delays, inferior product quality, or failure to otherwise meet the customer’s needs for product or service. Or a customer may be more proactive and work with an entity in developing needed product enhancements.
  • A vendor can provide statements or information regarding completed or open shipments and billings, which may be used to identify and correct discrepancies and to reconcile balances.
  • A potential supplier can notify senior management of an employee’s request for a kickback.
  • Experts can provide market data to help the organization adapt its business model and supporting processes and controls to new challenges and opportunities.
  • A non-governmental organization or newspaper may publish reports on working or environmental conditions at a supplier or sub-supplier.

Such information sharing between management and external parties can be important to the entity in achieving its operations, reporting, and compliance objectives. The entity has mechanisms in place with which to receive such information and to take appropriate action on a timely basis - that is, it not only addresses the particular situation reported, but also investigates the underlying source of an issue and fixes it.

In addition to customers and vendors, other parties, such as creditors, can provide insight on the achievement of an entity’s objectives. A bank, for example, may request reports on an entity’s compliance with certain debt covenants and recommend performance indicators or other desired targets or controls.

Independent Auditors

In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of internal control over external financial reporting in addition to auditing the entity’s financial statements. (In some jurisdictions, the auditor is also legally required to express an opinion on the effectiveness of the internal control over external financial reporting in addition to his or her opinion on the financial statements.) Results of these audits enable the auditor to provide information to management that will be useful in conducting its oversight responsibilities. These reports and communications may include:

  • Observations including analytical information and recommendations for use in taking actions necessary to achieve established objectives
  • Findings of internal control deficiencies that come to attention of the auditor, and recommendations for improvement

Notwithstanding the depth and nature of the independent auditor’s work, this is not a replacement or a supplement to an adequate system of internal control, which remains the full responsibility of management.

Such information frequently relates not only to financial reporting but to operations and compliance activities as well. The information is reported to and acted upon by management and, depending on its significance, to the board of directors or audit committee.

External Reviewers

Subject matter specialists can be solicited or mandated to review specific areas of the organization’s internal control. Recognizing the various requirements or expectations of its stakeholders, an organization often seeks expert advice to translate these into policies and procedures, as well as communications and training, and evaluation of adherence to such requirements and standards. Workplace safety, environmental concerns, and fair trade practices are some examples of areas where an organization proactively seeks to ensure that it is complying with governing rules and standards. Certain functional areas may also be reviewed to promote greater effectiveness and efficiency of operations, such as compliance reviews, information systems penetration testing, and employment practices assessments.

Legislators and Regulators

Legislators and regulators can affect the internal control systems through specific requirements to establish internal control across the organization and/or through examinations of particular operating units. Many entities have long been subject to legal requirements for internal control. For example, companies listed on a US stock exchange are expected to establish and maintain a system of internal control, and legislation requires that senior executives of publicly listed companies certify to the effectiveness of their company’s internal control over financial reporting.

Various regulations require that public companies establish and maintain internal accounting control systems that satisfy specified objectives. Various laws and regulations apply to financial assistance programs, which address a variety of activities ranging from civil rights to cash management, and specify required internal control procedures or practices. Several regulatory agencies directly examine entities for which they have oversight responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on certain aspects of the banks’ internal control systems. These agencies make recommendations and are frequently empowered to take enforcement action. Thus, legislators and regulators affect the internal control systems in several ways:

  • They establish rules that provide the impetus for management to establish an internal control system that meets statutory and regulatory requirements.
  • Through examination of a particular entity, they provide information used by the entity’s internal control system and provide comment letters, recommendations, and sometimes directives to management on needed internal control system improvements.
  • They may receive and, in turn, investigate whistle-blower allegations.

Financial Analysts, Bond Rating Agencies, and the News Media

Financial analysts, bond rating agencies, and news media personnel analyze management’s performance against strategies and objectives by considering historical financial statements and prospective financial information, actions taken in response to conditions in the economy and marketplace, potential for success in the short and long term, and industry performance and peer-group comparisons, among other factors. Such investigative activities can provide insights, among many other outcomes, into the state of internal control and how management is responding to the need to enhance it.

Principles of the Internal Control Framework

Role of Principles
Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. Relevance refers to a determination that each principle has a significant bearing on the presence and functioning of its associated component.

The Framework presumes that principles are relevant. However, there may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to the associated component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity.

If management decides that a principle is not relevant, management must support that determination, including the rationale of how, in the absence of that principle, the associated component could be present and functioning. When a relevant principle is deemed not to be present and functioning, a major deficiency exists in the system of internal control.

In determining whether a component is present and functioning, senior management and the board of directors need to determine to what extent relevant principles are present and functioning. However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.

Listing of all principles for the integrated framework

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

  1. The organization demonstrates a commitment to integrity and ethical values.

  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  2. The organization selects and develops general control activities over technology to support the achievement of objectives.

  3. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

  3. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.




U.S. Government Accountability Office (GAO)
Standards for Internal Control in the Federal Government

Concepts of Internal Control


Roles in an Internal Control System

OV2.14 Because internal control is a part of management’s overall responsibility, the five components are discussed in the context of the management of the entity. However, everyone in the entity has a responsibility for internal control. In general, roles in an entity’s internal control system can be categorized as follows:

  • Oversight body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management’s design, implementation, and operation of an internal control system. For some entities, an oversight body might be one or a few members of senior management. For other entities, multiple parties may be members of the entity’s oversight body. For the purpose of the Green Book, oversight by an oversight body is implicit in each component and principle.
  • Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system. Managers’ responsibilities vary depending on their functions in the organizational structure.
  • Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity’s operations, reporting, or compliance objectives.

OV2.15 External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity’s internal control system. While management may evaluate and incorporate recommendations by external auditors and the OIG, responsibility for an entity’s internal control system resides with management.

Internal Control and the Entity

OV2.10 A direct relationship exists among an entity’s objectives, the five components of internal control, and the organizational structure of an entity. Objectives are what an entity wants to achieve. The five components of internal control are what are required of the entity to achieve the objectives. Organizational structure encompasses the operating units, operational processes, and other structures management uses to achieve the objectives. This relationship is depicted in the form of a cube developed by COSO.

The Components, Objectives, and Organizational Structure of Internal Control


OV2.11 The three categories into which an entity’s objectives can be classified are represented by the columns labeled on top of the cube. The five components of internal control are represented by the rows. The organizational structure is represented by the third dimension of the cube.

OV2.12 Each component of internal control applies to all three categories of objectives and the organizational structure. The principles support the components of internal control (see figure below).

The Components, Objectives, and Organizational Structure of Internal Control


OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors.

Presentation of Standards

OV2.01 The Green Book defines the standards for internal control in the federal government. FMFIA (the Federal Managers’ Financial Integrity Act) requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities to determine if an internal control system is effective. Nonfederal entities may use the Green Book as a framework to design, implement, and operate an internal control system.

OV2.02 The Green Book applies to all of an entity’s objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the Green Book, management is responsible for designing the policies and procedures to fit an entity’s circumstances and building them in as an integral part of the entity’s operations.

Components, Principles and Attributes

OV2.03 An entity determines its mission, sets a strategic plan, establishes entity objectives, and formulates plans to achieve its objectives. Management, with oversight from the entity’s oversight body, may set objectives for an entity as a whole or target activities within the entity. Management uses internal control to help the organization achieve these objectives. While there are different ways to present internal control, the Green Book approaches internal control through a hierarchical structure of five components and 17 principles. The hierarchy includes requirements for establishing an effective internal control system, including specific documentation requirements.

OV2.04 The five components represent the highest level of the hierarchy of standards for internal control in the federal government. The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The five components of internal control are as follows:

  • Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
  • Risk Assessment - Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
  • Control Activities - The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
  • Information and Communication - The quality information management and personnel communicate and use to support the internal control system.
  • Monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

OV2.05 The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

OV2.06 In general, all components and principles are relevant for establishing an effective internal control system. In rare circumstances, there may be an operating or regulatory situation in which management has determined that a principle is not relevant for the entity to achieve its objectives and address related risks. If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. In addition to principle requirements, the Green Book contains documentation requirements.

OV2.07 The Green Book contains additional information in the form of attributes. These attributes are intended to help organize the application material management may consider when designing, implementing, and operating the associated principles. Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Attributes may also provide background information on matters addressed in the Green Book.

OV2.08 Attributes are relevant to the proper implementation of the Green Book. Management has a responsibility to understand the attributes and exercise judgment in fulfilling the requirements of the standards. The Green Book, however, does not prescribe how management designs, implements, and operates an internal control system.

OV2.09 The list below presents the five components of internal control and the 17 related principles.

The 17 principle requirements of the Green Book are as follows:

Control Environment
1. The oversight body and management should demonstrate a commitment to integrity and ethical values.

2. The oversight body should oversee the entity’s internal control system.

3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.

4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.

5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

Risk Assessment
6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.

7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.

8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Control Activities
10. Management should design control activities to achieve objectives and respond to risks.

11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.

12. Management should implement control activities through policies.

Information and Communication
13. Management should use quality information to achieve the entity’s objectives.

14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.

15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

Monitoring
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

17. Management should remediate identified internal control deficiencies on a timely basis.



Objectives of an Entity

OV2.16 Management, with oversight by an oversight body, sets objectives to meet the entity’s mission, strategic plan, and goals and requirements of applicable laws and regulations. Management sets objectives before designing an entity’s internal control system. Management may include setting objectives as part of the strategic planning process.

OV2.17 Management, as part of designing an internal control system, defines the objectives in specific and measurable terms to enable management to identify, analyze, and respond to risks related to achieving those objectives.

Categories of Objectives

OV2.18 Management groups objectives into one or more of the three categories of objectives:

  • Operations - Effectiveness and efficiency of operations
  • Reporting - Reliability of reporting for internal and external use
  • Compliance - Compliance with applicable laws and regulations

Operations Objectives

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources.

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission.

Reporting Objectives

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories:

    • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders.
    • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders.
    • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance.

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively.

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity.

Safeguarding of Assets

OV2.24 A subset of the three categories of objectives is the safeguarding of assets. Management designs an internal control system to provide reasonable assurance regarding prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an entity’s assets.

Setting Subobjectives

OV2.25 Management can develop from objectives more specific subobjectives throughout the organizational structure. Management defines subobjectives in specific and measurable terms that can be communicated to the personnel who are assigned responsibility to achieve these subobjectives. Both management and personnel require an understanding of an objective, its subobjectives, and defined levels of performance for accountability in an internal control system.

Factors of Effective Internal Control

OV3.01 The purpose of this section is to provide management with factors to consider in evaluating the effectiveness of an internal control system. For federal entities, OMB Circular No. A-123 provides specific requirements on how to perform evaluations and report on internal control in the federal government. Nonfederal entities may refer to applicable laws and regulations as well as input from key external stakeholders when determining how to appropriately evaluate and report on internal control.

OV3.02 An effective internal control system provides reasonable assurance that the organization will achieve its objectives. As stated in section 2 of the Overview, an effective internal control system has

  • each of the five components of internal control effectively designed, implemented, and operating and
  • the five components operating together in an integrated manner.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective.

Evaluation of Internal Control

OV3.04 In the federal government, FMFIA mandates that the head of each executive branch agency annually prepare a statement as to whether the agency’s systems of internal accounting and administrative controls comply with the requirements of the act. If the systems do not comply, the head of the agency will prepare a report in which any material weaknesses in the agency’s system of internal accounting and administrative control are identified and the plans and schedule for correcting any such weakness are described. OMB issues guidance for evaluating these requirements in OMB Circular No. A-123. Nonfederal entities may refer to applicable laws and regulations for guidance in preparing statements regarding internal control.

Design and Implementation

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system.

Operating Effectiveness

OV3.06 In evaluating operating effectiveness, management determines if controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under evaluation, management evaluates operating effectiveness separately for each unique control system. A control cannot be effectively operating if it was not effectively designed and implemented. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Effect of Deficiencies on the Internal Control System

OV3.07 Management evaluates control deficiencies identified by management’s ongoing monitoring of the internal control system as well as any separate evaluations performed by both internal and external sources. A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks.

OV3.08 Management evaluates the significance of identified deficiencies. Significance refers to the relative importance of a deficiency to the entity’s achieving a defined objective. To evaluate the significance of the deficiency, management assesses its effect on achieving the defined objectives at both the entity and transaction level. Management evaluates the significance of a deficiency by considering the magnitude of impact, likelihood of occurrence, and nature of the deficiency. Magnitude of impact refers to the likely effect that the deficiency could have on the entity achieving its objectives and is affected by factors such as the size, pace, and duration of the deficiency’s impact. A deficiency may be more significant to one objective than another. Likelihood of occurrence refers to the possibility of a deficiency impacting an entity’s ability to achieve its objectives. The nature of the deficiency involves factors such as the degree of subjectivity involved with the deficiency and whether the deficiency arises from fraud or misconduct. The oversight body oversees management’s evaluation of the significance of deficiencies so that deficiencies have been properly considered.

OV3.09 Deficiencies are evaluated both on an individual basis and in the aggregate. Management considers the correlation among different deficiencies or groups of deficiencies when evaluating their significance. Deficiency evaluation varies by entity because of differences in entities’ objectives.

OV3.10 For each principle, management makes a summary determination as to whether the principle is designed, implemented, and operating effectively. Management considers the impact of deficiencies identified in achieving documentation requirements as part of this summary determination. Management may consider the related attributes as part of this summary determination. If a principle is not designed, implemented, or operating effectively, then the respective component cannot be effective.

OV3.11 Based on the results of the summary determination for each principle, management concludes on the design, implementation, and operating effectiveness of each of the five components of internal control. Management also considers whether the five components operate together effectively. If one or more of the five components are not effectively designed, implemented, or operating, or if they are not operating together in an integrated manner, then the internal control system is ineffective. Judgment is used in making such determinations, which includes exercising reasonable care.

Service Organizations

OV4.01 Management may engage external parties to perform certain operational processes for the entity, such as accounting and payroll processing, security services, or health care claims processing. For the purpose of the Green Book, these external parties are referred to as service organizations. Management, however, retains responsibility for the performance of processes assigned to service organizations. Therefore, management needs to understand the controls each service organization has designed, has implemented, and operates for the assigned operational process and how the service organization’s internal control system impacts the entity’s internal control system.

OV4.02 If controls performed by the service organization are necessary for the entity to achieve its objectives and address risks related to the assigned operational process, the entity’s internal controls may include complementary user entity controls identified by the service organization or its auditors that are necessary to achieve the service organization’s control objectives.

OV4.03 Management may consider the following when determining the extent of oversight for the operational processes assigned to the service organization:

  • The nature of services outsourced
  • The service organization’s standards of conduct
  • The quality and frequency of the service organization’s enforcement of adherence to standards of conduct by its personnel
  • The magnitude and level of complexity of the entity’s operations and organizational structure
  • The extent to which the entity’s internal controls are sufficient so that the entity achieves its objectives and addresses risks related to the assigned operational process

Large versus Small Entities

OV4.04 The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms—such as written reports, intranet portals, or periodic formal meetings—to communicate with the organization.

OV4.05 A smaller entity, however, faces greater challenges in segregating duties because of its concentration of responsibilities and authorities in the organizational structure. Management can respond to this increased risk through the design of the internal control system, such as by adding additional levels of review for key operational processes, reviewing randomly selected transactions and their supporting documentation, taking periodic asset counts, or checking supervisor reconciliations.

Benefits and Costs of Internal Control

OV4.06 Internal control provides many benefits to an entity. It provides management with added confidence regarding the achievement of objectives, provides feedback on how effectively an entity is operating, and helps reduce risks affecting the achievement of the entity’s objectives. Management considers a variety of cost factors in relation to expected benefits when designing and implementing internal controls. The complexity of cost-benefit determination is compounded by the interrelationship of controls with operational processes. Where controls are integrated with operational processes, it is difficult to isolate either their costs or benefits.

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives.

Documentation Requirements

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows:

    • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06)
    • Management develops and maintains documentation of its internal control system. (paragraph 3.09)
    • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02)
    • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09)
    • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05)
    • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06)

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively.

Use by Other Entities

OV4.10 The Green Book may be applied as a framework for an internal control system for state, local, and quasi-governmental entities, as well as not-for-profit organizations. If management elects to adopt the Green Book as criteria, management follows all relevant requirements presented in these standards.

GAO Green Book Infographic