June 2013

Internal Control – Integrated Framework is a new framework for fraud deterrence that was recently released by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). It provides expanded practical advice regarding effective implementation of internal controls. COSO is a joint initiative of five private sector organizations with a shared interest in enterprise risk management, internal control and fraud deterrence. The sponsoring entities are the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Association of Accountants and Financial Professionals in Business, and the Institute of Internal Auditors. In addition to the weight provided by the influence of the sponsoring entities, the framework has also been influenced by participation from regulators such as the Federal Deposit Insurance Corporation (“FDIC”), Government Accountability Office (“GAO”), International Federation of Accountants (“IFAC”), Public Accounting Oversight Board (“PCAOB”), and Securities Exchange Commission (“SEC”).

The new framework was honed over 2 ½ years and expands on an original framework released in 1992. While the core components remain intact, it provides additional explanations as well as expanded guidance to account for advances and changes in the business environment.  The continued goal is to enable organizations to “effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.”

As defined in the framework, Internal Control consists of five integrated components and 17 principles, summarized in part below:

1. The Control Environment

a. “The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top….The control environment comprises the integrity and ethical values of the organization…”.

b. Related principles are:

i. “The organization demonstrates a commitment to integrity and ethical values.

ii. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

iii. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

iv. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

v. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”

2. Risk Assessment

a. “Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing [external and internal] risks to the achievement of objectives [and are] considered relative to established risk tolerances.”

b. Related principles are:

i. “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

ii. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

iii. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

iv. The organization identifies and assesses changes that could significantly impact the system of internal control.”

3. Control Activities

a. “Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.”

b. Related principles are:

i. “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

ii. The organization selects and develops general control activities over technology to support the achievement of objectives.

iii. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action”

4. Information and Communication

a. “Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information”

b. Related principles are:

i. “The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

ii. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

iii. The organization communicates with external parties regarding matters affecting the functioning of internal control.”

5. Monitoring Activities

a. “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning….Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.”

b. Related principles are:

i. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

ii. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The above items must be both “present and functioning”. It is not enough to establish a system of internal control without ensuring that it is actually practiced. These items are specifically designed to be applicable to all entities, both large and small. Any major deficiency prevents the organization from claiming an effective system of internal control. The board of directors, management, internal and external auditors, and other personnel have responsibilities related to internal control, and a failure to treat such responsibilities with due care can cause serious harm to an organization’s function, stability, reputation and ability to continue as a going concern.

Fulcrum Inquiry performs internal control assessments as part of its forensic accounting and financial investigations practice.