COSO – Internal Control – 5 Components
The Framework consists of five different components which include:
- Control Environment
- Risk Assessment
- Control Activities
- Monitoring
- Information and Communication
The first component is called the control environment. The control environment essentially constitutes the company’s culture for its internal controls. If the culture does not support internal controls, the company will find it challenging to implement effective internal controls. This is known as the “tone at the top.”
Imagine that the department heads believe internal controls are a complete waste of time. Anytime top management requires a new control, the department manager will ignore it and complain to their employees about it. This negative control environment would lead to ineffective internal controls. Even if the internal controls were designed excellently, no one would follow them since they consider them a waste of time.
The second component of the framework is called risk assessment. An organization needs to analyze all its risks. In other words, it needs to question what could potentially go wrong, and if it did, how significant an impact would it have.
Let’s say a company sells low-value items like coffee cups. One risk could be someone stealing the coffee cups from inventory. However, if that happened, how severe would it be?
Perhaps the company would lose a few hundred dollars, but the overall impact on the company would be minimal. Therefore, the company probably does not need to design a new internal control just to ensure that coffee cups are not stolen.
Once a company has conducted the risk assessment, it’s ready for the third component, which is control activities. This component pertains to the actual internal controls the company is going to implement. The control environment and risk assessment components prepare the company to implement its internal controls. The control activities component is for actually designing and implementing the internal controls. For instance, the control activities component is where a company could create an internal control to keep all its TVs in a cage and require a key for access so that no one steals them.
Then, after the controls are implemented, what does a company need to do? It needs to monitor the effectiveness of the controls to see if they’re working. Monitoring is the fourth component of the framework.
For instance, imagine that the company implemented the control of keeping all the TVs locked in the cage. Yet, a month later, employees got tired of signing up for a key and simply removed the lock off the cage. Management would not find out about this if it did not prioritize the monitoring component.
Monitoring internal controls is crucial to ensure they’re being properly implemented. Also, as a company changes, perhaps the internal controls are no longer relevant and therefore need to be redesigned.
The fifth component of the framework is termed information and communication. It doesn’t apply to a single step of creating internal controls, but rather it facilitates the entire process of a company’s approach to internal controls. The purpose of this component is to ensure that the company maintains effective communication both internally and externally. The better the communication the organization has, the better the information it possesses, and the better the information, the better the internal controls.
These are the five components of the COSO internal control integrated framework. It’s essential that you know all five components and what each one entails.