The Five Components of Internal Control

The purpose of this article is to discuss the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO. This discussion will include its origin, history, and purpose. Also included will be a discussion of the five components of internal control as defined by COSO.

Origin, History, and Purpose of COSO

COSO has existed for 22 years, having been formed in 1985. The purpose of COSO is to study the causal factors that lead to fraudulent financial reporting and to develop "recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions" (COSO). COSO is sponsored by five U.S. professional organizations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the Institute of Management Accountants. COSO has created several recommendations that are used by companies to aid in developing, implementing, and monitoring internal control.

COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations" (COSO Definition).

Recommendations provided by COSO also include information on key concepts, several publications and articles, and the five components of internal control.

The Five Components

In 1992, COSO published the report Internal Control--Integrated Framework as a "basis for developing business control systems and assessing their effectiveness" (Internal Control Issues). This report provides the following five components of internal control:

The Control Environment - relates to the control consciousness of the people within the organization. The control environment is the basis for all other components of internal control.

Risk Assessment - refers to the organization's identification, analysis, and management of the risks that are related to financial statement preparation, in order to ensure that financial statements are presented fairly and in compliance with generally accepted accounting principles (GAAP).

Control Activities - the organization's policies and procedures which help ensure that necessary actions are taken to address the potential risks involved in accomplishing the entity's objectives.

Information and Communication - focuses "on the nature and quality of information needed for effective control, the systems used to develop such information, and reports necessary to communicate it effectively" (Internal Control Issues).

Monitoring - involves assessing the quality and effectiveness of the organizations internal control process over time. It includes assessing the design and operation of controls, and assessing compliance with policies and procedures. It also provides for the implementation of appropriate actions when necessary.

References "COSO." COSO website. URL: http://www.coso.org/ "COSO Definition of Internal Control." COSO website. URL: http://www.coso.org/key.htm "Internal Control Issues in Derivatives Usage Executive Summary." COSO website. URL: http://www.coso.org/publications/executive_summary_derivatives_usage.htm