
Financial Management | December 2013

Study notes

Paper P3 Performance Strategy

The US Committee of Sponsoring Organizations of the Treadway Commission has updated its internal control framework. P3 students should familiarise themselves with this new and improved document.

By Eric Leung

It’s impossible for organisations to avoid risk, but they are expected to properly identify, assess and manage the risks they face. One of the most effective ways to do this is to design and implement an effective system of internal control. In 1992, the US Committee of Sponsoring Organizations of the Treadway Commission (Coso) published an integrated framework for internal control that has since been widely adopted. This is designed to help an organisation identify potential events that may affect it; manage these factors according to its appetite for risk; and provide assurance on the achievement of its objectives.

Commercial transactions have become increasingly complex since 1992, while the number of regulatory requirements has grown. Also, businesses are considerably more technologically driven than they were 21 years ago, which has transformed how they operate. With all this in mind, the Coso published a revised framework in May 2013 to address the significant changes to the business environment and associated risks.

In the original framework, internal controls were considered effective if the five components of internal control (see panel at the top of page 46) were present and functioning. The fundamental concepts associated with each component were implicit. The Coso has now codified criteria that make the fundamental concepts explicit.

The original framework focused on financial reporting. The extent of regulatory oversight has increased over recent years, as have stakeholders’ expectations concerning non-financial reporting – with regard to sustainability, for example. The new framework therefore places a greater emphasis on operations, compliance and non-financial reporting objectives by providing extra guidance on these aspects.

The framework retains the fundamental definition and components of internal control. Internal control is, according to the Coso, “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance”.


The new framework has redefined the three categories of objectives to which the five components of internal control apply as:

• Operations objectives such as safeguarding assets against loss.
• Reporting objectives such as reliability and timeliness of reporting, as required by the recognised standard-setters.
• Compliance objectives such as adherence to laws and regulations to which the organisation is subject.

Organisations are expected to apply the five components of internal control to these three objectives. In turn, under each of the components they need to apply 17 principles, which are the new features of the revised framework. The Coso codifies these principles under the five components to help entities achieve effective internal control with more confidence. These principles, together with some examples provided by the Coso, are shown in the panel below.

This principles-based framework is said to improve governance by being more clear, adaptable and widely applicable. You would be well advised to understand the three objectives when considering different types of risks facing a given organisation and to appreciate the Coso’s 17 principles and examples when suggesting appropriate internal controls to mitigate the risks facing the organisation.

Eric Leung is a lecturer in accounting at the Chinese University of Hong Kong Business School.


The five components of effective internal control

• Control environment: the set of standards, processes and structures providing the basis for internal control across the organisation.
• Risk assessment: a dynamic and iterative process for identifying and assessing risks to the achievement of the entity’s objectives. It forms the basis for determining how risks will be managed.
• Control activities: the actions established through policies and procedures that help to ensure that management directives to mitigate risks to the achievement of objectives are carried out. These may be preventive or detective in nature.
• Information and communication: information supports the achievement of the organisation’s objectives, while communication is the continual, iterative process of providing, sharing and obtaining the information.
• Monitoring activities: used to ascertain whether each of the five components of internal control is present and functioning. This includes ongoing evaluations and separate assessments.

The 17 principles of internal control introduced in the Coso’s revised framework

| Component | Principle | Example |
| --- | --- | --- |
| Control environment | 1. Demonstrate commitment to integrity and ethical values. | Publish an internal newsletter reinforcing expectations of integrity and ethics. |
| Control environment | 2. Demonstrate board independence and exercise oversight responsibility. | Evaluate the effectiveness of the audit committee with respect to whether it fulfils its responsibilities or not. |
| Control environment | 3. Establish structure, authority and responsibilities. | Prepare organisational charts setting forth assignments of authority and ensuring that duties are appropriately segregated. |
| Control environment | 4. Demonstrate commitment to attract, develop and retain competent individuals. | Establish and document annual performance objectives for every employee. |
| Control environment | 5. Enforce accountability for internal control responsibilities. | Design objective employee evaluation and compensation systems that periodically provide individual rewards or disciplinary actions. |
| Risk assessment | 6. Specify objectives to enable the identification and assessment of risks. | Regularly review financial accounting policies and statutory reporting requirements. |
| Risk assessment | 7. Identify and analyse risk. | Use benchmark data to assess significance of, and response to, risk. |
| Risk assessment | 8. Assess fraud risks. | Consider opportunities for management override. |
| Risk assessment | 9. Identify and assess significant change potentially affecting internal controls. | Develop approaches for observing changes in the organisation’s market, including websites and social media. |
| Control activities | 10. Select and develop control activities. | Use matrices to map identified risks to control activities. |
| Control activities | 11. Select and develop general controls over technology. | Configure the IT infrastructure to support restricted access with authentication of authorised users. |
| Control activities | 12. Deploy control activities through policies and procedures. | Use templates to document policies in a standardised format. |
| Information and communication | 13. Obtain or generate and use relevant, high-quality information. | Maintain data-flow diagrams, flow charts, narratives and procedures manuals. |
| Information and communication | 14. Communicate internally. | Establish an intranet site specific to internal control matters. |
| Information and communication | 15. Communicate externally. | Conduct discussions with customers. |
| Monitoring activities | 16. Make ongoing and/or separate evaluations. | Use an internal audit function to provide an objective perspective. |
| Monitoring activities | 17. Evaluate and communicate internal control deficiencies in a timely manner. | Track management action plans related to issues arising from internal audit reports. |