COSO Definition of Internal Control
The purpose of this COSO Internal Control - Integrated Framework (Framework) is to help management better control the organization and to provide a board of directors with an added ability to oversee internal control. A system of internal control allows management to stay focused on the organization’s pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models.
Internal control is defined as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
This definition emphasizes that internal control is:
This definition of internal control is intentionally broad for two reasons. First, it captures important concepts that are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness of their system of internal control, providing a basis for application across various types of organizations, industries, and geographic regions. Second, the definition accommodates subsets of internal control.
Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an entity can be accommodated.
It also provides flexibility in application, allowing an organization to sustain internal control across the entire entity; at a subsidiary, division, or operating unit level; or within a function relevant to the entity’s operations, reporting, or compliance objectives, based on the entity’s specific needs or circumstances.
A Process
Internal control is not one event or circumstance, but a dynamic and iterative process - actions that permeate an entity’s activities and that are inherent in the way management runs the entity. Embedded within this process are controls consisting of policies and procedures. These policies reflect management or board statements of what should be done to effect internal control. Such statements may be documented, explicitly stated in other management communications, or implied through management actions and decisions. Procedures consist of actions that implement a policy.
Business processes, which are conducted within or across operating units or functional areas, are managed through the fundamental management activities, such as planning, executing, and checking. Internal control is integrated with these processes. Internal control embedded within these business processes and activities is likely more effective and efficient than stand-alone controls.
Geared to the Achievement of Objectives
The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:
These distinct but overlapping categories - a particular objective can fall under more than one category - address different needs and may be the direct responsibility of different individuals. The three categories also indicate what can be expected from internal control.
A system of internal control is expected to provide an organization with reasonable assurance that those objectives relating to external reporting and compliance with laws and regulations will be achieved. Achieving those objectives, which are based largely on laws, rules, regulations, or standards established by legislators, regulators, and standard setters, depends on how activities within the entity’s control are performed. Generally, management and/or the board have greater discretion in setting internal reporting objectives that are not driven primarily by such external parties. However, the organization may choose to align its internal and external reporting objectives to allow internal reporting to better support the entity’s external reporting.
Achievement of some operations objectives - such as a particular return on investment, market share, or maintaining safe operations - is not always within the organization’s control. For instance, suppose an airline has specified an objective to depart 90% of all flights on time. Adverse weather such as hurricanes and snowstorms are external events beyond management’s control that have the potential to significantly impact the achievement of that objective. For these types of operations objectives, systems of internal control can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.
Where external events are unlikely to have a significant impact on the achievement of specified operations objectives or where the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level, the entity may be able to attain reasonable assurance that these objectives can be achieved. For instance, suppose management specifies an objective to conduct routine servicing of equipment every 500 hours of operation. Management believes that achievement of this objective is largely within its control, while recognizing that there may be external events - such as a pandemic that could cause significant reductions in the workforce and related reductions in maintenance hours - that have the potential to impact the achievement of the objective, but that are unlikely to occur.
Effected by People
Internal control is effected by the board of directors, management, and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity’s objectives and put actions in place to achieve specified objectives.
The board’s oversight responsibilities include providing advice and direction to management, constructively challenging management, approving policies and transactions, and monitoring management’s activities. Consequently, the board of directors is an important element of internal control. The board and senior management establish the tone for the organization concerning the importance of internal control and the expected standards of conduct across the entity.
Issues arise every day in managing an entity. People may not fully understand the nature of such issues or alternatives available to them, communicate effectively, or perform consistently. Each individual brings to the workplace a unique background and ability, and each has different needs and priorities. These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity’s objectives they can be counterproductive. Yet, people must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people’s roles and responsibilities and the way in which these duties are communicated, carried out, and aligned with the entity’s objectives.
Provides Reasonable Assurance
An effective system of internal control provides management and the board of directors with reasonable assurance regarding achievement of the entity’s objectives. The term “reasonable assurance” rather than “absolute assurance” acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible.
Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all systems of internal control, such as human error, the uncertainty inherent in judgment, and the potential impact of external events outside management’s control. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. Even though an entity’s system of internal control should be designed to prevent and detect collusion, human error, and management override, an effective system of internal control can experience a failure.
Adaptable to the Entity Structure
Entities may be structured along various dimensions. The management operating model may follow product or service lines, and reporting may be done for a consolidated entity, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance. The management operating model may utilize outsourced service providers to support the achievement of objectives.
The legal entity structure is typically designed to follow regulatory reporting requirements, limit risk, or provide tax benefits. Often the organization of legal entities is quite different from the management operating model used to manage operations, allocate resources, measure performance, and report results.
Internal control can be applied, based on management’s decisions and in the context of legal or regulatory requirements, to the management operating model, legal entity structure, or a combination of these.