Page 427 - Encyclopedia of Business and Finance
Internal Control Systems
base of the pyramid, the control environment is arguably the most important component because it sets the tone for the organization. Factors of the control environment include employees’ integrity, the organization’s commitment to competence, management’s philosophy and operating style, and the attention and direction of the board of directors and its audit committee. The control environment provides discipline and structure for the other components.

Risk assessment refers to the identification, analysis, and management of uncertainty facing the organization. Risk assessment focuses on the uncertainties in meeting the organization’s financial, compliance, and operational objectives. Changes in personnel, new product lines, or rapid expansion could affect an organization’s risks.

Control activities include the policies and procedures maintained by an organization to address risk-prone areas. An example of a control activity is a policy requiring approval by the board of directors for all purchases exceeding a predetermined amount. Control activities were once thought to be the most important element of internal control, but COSO suggests that the control environment is more critical since the control environment fosters the best actions, while control activities provide safeguards to prevent wrong actions from occurring.

Information and communication encompasses the identification, capture, and exchange of financial, operational, and compliance information in a timely manner. People within an organization who have timely, reliable information are better able to conduct, manage, and control the organization’s operations.

Monitoring refers to the assessment of the quality of internal control. Monitoring activities provide information about potential and actual breakdowns in a control system that could make it difficult for an organization to accomplish its goals. Informal monitoring activities might include management’s checking with subordinates to see if objectives are being met. A more formal monitoring activity would be an assessment of the internal control system by the organization’s internal auditors.

OTHER CONTROL MODELS

Some users of the COSO report have found it difficult to read and understand. A model that some believe overcomes this difficulty is found in a report from the Canadian Institute of Chartered Accountants, which was issued in 1995. The report, Guidance on Control, presents a control model referred to as Criteria of Control (CoCo). The CoCo model, which builds on COSO, is thought to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization’s objectives, center around:

• Effectiveness and efficiency of operations
• Reliability of internal and external reporting
• Compliance with applicable laws and regulations and internal policies

CoCo indicates that control comprises:

    those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives.

The CoCo model recognizes four interrelated elements of internal control, including purpose, capability, commitment, and monitoring and learning. An organization that performs a task is guided by an understanding of the purpose (the objective to be achieved) of the task and supported by capability (information, resources, supplies, and skills). To perform the task well over time, the organization needs a sense of commitment. Finally, the organization must monitor task performance to improve the task process. These elements of control, which include twenty specific control criteria, are seen as the steps an organization takes to foster the right action.

In addition to the COSO and CoCo models, two other reports provide internal control models. One is the Institute of Internal Auditors Research Foundation’s Systems Auditability and Control (SAC), which was issued in 1991 and revised in 1994. The other is the Information Systems Audit and Control Foundation’s COBIT (Control Objectives for Information and Related Technology), which was issued in 1996.

The Institute of Internal Auditors issued SAC to provide guidance to internal auditors on internal controls related to information systems and information technology (IT). The definition of internal control included in SAC is:

    a set of processes, functions, activities, sub-systems, and people who are grouped together or consciously segregated to ensure the effective achievement of objective and goals.

COBIT focuses primarily on efficiently and effectively monitoring information systems. The report emphasizes the role and impact of IT control as it relates to business processes. This control model can be used by management to develop clear policy and good practice for control of IT. The following COBIT definition of internal control was adapted from COSO:
404 ENCYCLOPEDIA OF BUSINESS AND FINANCE, SECOND EDITION