COSO Definition of Internal Control
The purpose of this COSO Internal Control - Integrated Framework (Framework) is to help management better control the organization and to provide a board of directors with an added ability to oversee internal control. A system of internal control allows management to stay focused on the organization’s pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models.
Internal control is defined as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
This definition emphasizes that internal control is:
- Geared to the achievement of objectives in one or more separate but overlapping categories - operations, reporting and compliance
- A process consisting of ongoing tasks and activities - it is a means to an end, not an end in itself
- Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
- Able to provide reasonable assurance - but not absolute assurance, to an entity’s senior management and board of directors
- Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
This definition of internal control is intentionally broad for two reasons. First, it captures important concepts that are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness of their system of internal control, providing a basis for application across various types of organizations, industries, and geographic regions. Second, the definition accommodates subsets of internal control.
Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an entity can be accommodated.
It also provides flexibility in application, allowing an organization to sustain internal control across the entire entity; at a subsidiary, division, or operating unit level; or within a function relevant to the entity’s operations, reporting, or compliance objectives, based on the entity’s specific needs or circumstances.