The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive framework of internal control systems that is regarded as the accounting industry standard. This system, containing five elements, guides management and auditors in assessing the effectiveness of internal control over financial reporting. While internal control audits are only required for large public companies, understanding the COSO framework can help in designing effective internal control programs for large and small businesses.
Known as the "tone-at-the-top," the control environment consists of management's attitude and interest in internal control. The best designed control systems are bound to fail if management turns a blind eye to fraud and dishonesty. As such, the strong control environment is considered by many auditors to be a prerequisite of effective internal control, as many of the objectives of this element are entity-wide.
Risk assessment in the process of determining what could go wrong. Accountants and auditors examine the company's systems and processes to determine where there could be opportunities for fraud and unintentional misstatement. Recent changes in auditing standards have called for the risk assessment step to be conducted as a "top-down, risk-based" approach. This approach should help reduce excess analysis while analyzing the risks that are most material to the financial statements.
Control activities are the actual internal control policies and procedures that are put into place. Requiring two signers on a check, locking the computer warehouse, and requiring passwords on sensitive files are all examples of control activities. A common mistake in internal control system design is to start with control activities without completing a thorough risk assessment or examining the control environment. This can lead an auditor or manager to conclude that the controls that are in place are being carried out, but not realize that there were gaps in design and implementation of control activities.
Monitoring is the process of ensuring that controls are operating effectively as designed and implemented. To be comfortable with the effectiveness of control activities, management may test controls periodically by reviewing control activity documentation or tracing business transactions through the accounting system.
Information and Communication
The final element of internal control is information and communication. A natural extension of monitoring internal control systems, the information and control element consists of aggregating the results of monitoring and communicating the results to management. Once management understands the results, they are free to take action to address any shortcomings of the internal control system.