COSO – Internal Control – 17 Principles

Within each of the 5 components, there are various principles, totaling 17 principles.

First, let’s discuss the principles within the control environment component:

  1. “Demonstrates commitment to integrity and ethical values.”
  2. “Exercises oversight responsibility.”
  3. “Establishes structure, authority, and responsibility.”
  4. “Demonstrates commitment to competence.”
  5. “Enforces accountability.”

As mentioned earlier, the **control environment** is the company’s culture. Concerning internal controls, five principles demonstrate what a good culture for internal controls looks like. The first principle is “Demonstrates commitment to integrity and ethical values”. This means that the organization should prioritize acting ethically to foster an effective control environment.

Part of establishing an ethical culture involves defining what ethics means for an organization. This is achieved by implementing a code of conduct. Through a code of conduct, employees learn what is acceptable in an organization and what is not. The most crucial part of the control environment is called **“tone at the top”**.

In an organization, senior management sets the tone at the top. If senior management highly values internal controls, the rest of the organization will also value internal controls. The entire organization will be influenced by the tone at the top set by management. If management is negative about internal controls, then no one will take the internal controls seriously.

The second principle is “Exercises oversight responsibility”. In simple terms, the board of directors should oversee the process of internal controls. The third principle is **“Establishes structure, authority, and responsibility”**.

This means that management should make employees’ job responsibilities as clear as possible. The clearer employees understand their specific roles, the better they’ll be able to embrace effective internal controls.

The fourth principle is “Demonstrates commitment to competence”. Management should value hiring highly competent employees. Having highly competent employees will help minimize the chance of internal controls not being properly followed.

The fifth principle is “Enforces accountability”. Employees within an organization should feel a significant responsibility for following internal controls. Those are the five principles of the component of the control environment.

Now, let’s examine the principles within the risk assessment component:

  1. “Specifies suitable objectives.”
  2. “Identifies and analyzes risks.”
  3. “Assesses fraud risk.”
  4. “Identifies and analyzes significant changes.”

The first principle of the risk assessment component is “Specifies suitable objectives”. The more specific management is when identifying the company’s objectives, the smoother the risk assessment process will be. The second principle is “Identifies and analyzes risks”. This principle simply suggests that management should identify and analyze risks.

The third principle is “Assesses fraud risk”. The organization should recognize the potential for fraud to occur to properly identify the associated risks. The fourth principle is “Identifies and analyzes significant changes”. The process of risk assessment is not a one-time event. Anytime there’s a major change internally or externally, the organization’s risk should be reassessed. Those are the four principles within the risk assessment component.

Here are the principles of the control activities component:

  1. “Selects and develops control activities.”
  2. “Selects and develops general controls over technology.”
  3. “Deploys control activities through policies and procedures.”

The first principle of the control activities component is “Selects and develops control activities”. The organization should select and develop effective internal controls. The second principle is “Selects and develops general controls over technology”. Businesses are becoming increasingly reliant on technology each year. Therefore, developing internal controls for the company’s technology is important. One example is not allowing accountants to access the source code behind the accounting software.

The third principle is “Deploys control activities through policies and procedures”. The organization’s responsibility doesn’t end at simply creating internal controls. It should also create policies that help employees better understand those internal controls. The more comprehensively employees understand the internal controls, the more effectively they will adhere to them. Those are the three principles for the control activities component.

Now let’s consider the two principles of the monitoring component:

  1. “Conducts ongoing and/or separate evaluations.”
  2. “Evaluates and communicates deficiencies.”

The first principle of the monitoring component is “Conducts ongoing and/or separate evaluations”. Ongoing evaluations mean that management continually assesses internal controls. If continually monitoring them would be too resource-intensive, then management could perform separate evaluations instead. For instance, every two months management reviews the internal controls.

Monitoring includes 4 key steps:

  1. Create baseline
  2. Identify changes
  3. Implement needed changes
  4. Develop updated baseline

The first step is creating a baseline. A baseline is essentially what is normal: what the company expects to happen with the controls. After analyzing the controls and comparing them to the baseline, management identifies ways to change the internal controls.

Once changes are identified, they need to be implemented. After changing the internal controls, an updated baseline is developed. This change updates the standard of what is considered normal. These are the four steps of monitoring the internal controls.

Having gone through those four steps, we transition to the second principle of monitoring, which is “Evaluates and communicates deficiencies”. After management monitors the internal controls, it is crucial to establish a plan for corrective action. Simply identifying a dysfunctional internal control isn’t sufficient. Instead, management should delineate steps addressing how to rectify that internal control.

The 3 principles of the **information and communication component** are:

  1. “Uses relevant information.”
  2. “Communicates internally.”
  3. “Communicates externally.”

The first principle of the information and communication component is “Uses relevant information”. The organization should utilize relevant, high-quality information because the quality of the information directly impacts the effectiveness of the internal controls.

The second principle is “Communicates internally”. There must be effective communication within the organization. The third principle is “Communicates externally”, implying that it’s also important to engage with sources outside of the organization to understand diverse perspectives and innovative ideas.
