Internal control provides reasonable but not absolute assurance that an entity will achieve its financial reporting objectives. Even an effective internal control system can experience a failure due to:
• Human error. The people who implement internal controls may make simple errors or mistakes that can lead to control failures.
• Management override. Even in an otherwise well-controlled entity, managers may be able to override internal controls for selfish purposes.
• Collusion. Two or more individuals may collude to circumvent what otherwise would be effective controls.
Objective-Driven Approach
The COSO Framework views internal control as built into an entity's overall business processes, as opposed to a separate, added-on component that attaches itself to the company's real business. Building in internal control requires that management do four things:
1. Establish business objectives. For our purposes, the most relevant objectives relate to financial reporting.
2. Identify the risks to achieving those objectives.
3. Determine how to manage the identified risks. The establishment of internal controls is just one of several options.
4. Where appropriate, establish controls as a way to manage certain risks. Individual controls are designed and implemented to meet the stated risks.
Internal controls have limited value by themselves – they do not produce a product or service or generate revenue for the business. Controls have value to the degree in which they help the entity to achieve its objectives through providing complete, accurate, relevant, and reliable information for decision making and for the fair communication of financial results to third parties. The effectiveness of internal control is judged according to how well it aligns with and addresses the objectives of the company.
Flexible, Adaptable, No One-Size-Fits-All Approach
The COSO Framework is a conceptual and not a rigid, prescriptive approach to internal controls. Thus, a paint-by-numbers approach is not going to be effective in complying with the aims of COSO. COSO recognizes that different entities will make different choices about how to implement controls in their businesses. The key is not whether the company uses control A or control B but whether the controls in place meet the risks by proper design and effective operation. COSO is not a checklist of suggested controls. Furthermore, management will make certain cost–benefit judgments and trade-offs. For example, an elaborate control structure over cash disbursements may be warranted in a large and complex business, but simpler controls may be effective and efficient in smaller enterprises. The result: Internal control is not a one-size-fits-all proposition, and a checklist of “usual” controls is not an effective tool to satisfy the COSO Framework guidance.
What can sometimes be frustrating about COSO controls guidance and the auditing standards is that simplifying the assessment and testing process through the use of practice aids is not easy. A successful project requires thought and understanding to apply the objectives of the Framework to a specific company's circumstances. It takes knowledge of the entity and its processes, the regulatory environment, and the COSO Framework to make sense of the assessment and testing process. Early in the implementation of SOX, an experienced audit partner noted that she obtained a much better knowledge of her clients and their risks after going through the controls assessment process with them. Companies seeking practice aids to take the work out of the assessment process eventually realize this is not an achievable goal. However, an assessment and testing project done right is much easier to maintain over time than one cobbled together to get through this year. Think long term. Practice aids can still have value, but they must be adapted to the application. There is no turn-key approach out there, despite any website or brochure claims.
Furthermore, circumstances change at the entity, and so its internal control must be designed in a way to adapt and remain effective in a dynamic business environment. In fact, one of the primary objectives of the monitoring component of internal control is to assess the quality of the system's performance over time, recognizing that circumstances will change. In the 2013 guidance, analyzing and responding to change is a Principle (9) to be satisfied.
Reasonable Assurance
COSO recognizes the limitations of internal control. No matter how well designed or operated, internal control can provide only reasonable assurance that objectives will be met. Reasonable assurance is a high threshold, but it stops short of absolute assurance. The presence of an isolated internal control failure (less than a material weakness) does not, in and of itself, mean that a system is ineffective. COSO even states that “even an effective internal control system can experience failure.”
However, to be able to report publicly that internal controls are effective or to rely on the effectiveness of internal controls in lieu of other audit procedures requires that material weaknesses are either not present or are limited to specific areas that can be identified and mitigated by other procedures. When reporting on controls, the public expects a correspondingly high level of audit assurance.
People Factor
COSO recognizes that internal control is implemented by people. Documentation of controls is important, but documentation is not all there is to internal control. The effectiveness of internal control depends on the people responsible for carrying out individual control elements – from the chief executive officer and board of directors, all the way to rank-and-file employees charged with performing day-to-day transaction processing and control-related tasks.
Thus, the design of internal control must take into account the human element and must consider the role of human nature. For example, people are greatly influenced by the actions taken by an entity's senior management, more so than they are by what these individuals say. Therefore, the relative strength of an entity's control environment depends in large part on the actions of the entity's leaders and how they are perceived by the rest of the organization. This factor is assessed as part of the control environment.
The ability of individuals to carry out their responsibilities also depends on their competencies and how well they understand what is required. This need for understanding requires that the entity's internal controls have an effective hiring, training, and communication element. This is also an element of the control environment.
The Debate Continues
Companies and regulators continue to debate the cost–benefit of the requirements to assess and report on internal controls. Detractors have been somewhat successful in resisting auditor attestation in smaller public companies in the Dodd-Frank Act of 2010 and the JOBS Act of 2012. However, history has shown that inattention to internal controls is at the root of many business failures and frauds, which weaken investor confidence in the capital and stock markets. In addition, in the period before the imposition of the SOX Act of 2002, an alarming increase in the number of restatements of previously issued financial statements was observed. A lack of ICFR was a likely root cause of many of these restatements. A spike of fraud and restatement in smaller public companies may indeed bring reconsideration of the need for auditor verification of management's assertions regarding controls.
It has been observed that certain categories of losses due to fraud and the incidence of restatements have come down in the post-SOX period. Whether this is due to greater management awareness of and attention to internal controls or strengthened auditor requirements regarding fraud and internal controls effectiveness is not known. What is clear is that there have been some notable improvements and reversals of downward trends, and thus the “medicine” seems to be working. The revised COSO Framework is intended to keep the ball rolling and help us to take the updates that have been issued since the original 1992 report and codify them into basic principles we can carry into the future.
Some executives have spoken out in favor of the value that the current regulatory requirements bring to the business environment. A recent survey of the Financial Executives Institute relates