7.5 Internal Controls from a Risk Management Perspective

Internal controls are the processes and measures an organization implements to provide reasonable assurance that its operations, reporting, and compliance objectives will be achieved. From a risk management perspective, these are processes and measures implemented by an organization to:

  • Provide reasonable assurance that the organization’s objectives will be achieved
  • Mitigate risks to acceptable levels
  • Ensure effectiveness and efficiency of operations
  • Promote reliability of financial reporting
  • Ensure compliance with applicable laws and regulations

COSO’s Internal Control Framework

COSO’s Internal Control-Integrated Framework identifies five interrelated components of internal control:

[Figure: COSO’s five components of internal control, arranged in a circle. See image description below.]
Figure 7.5.1: “COSO’s five components of Internal Control” by Sanaz Habibi, CC BY-NC-SA 4.0
Image Description

The image presents COSO’s Five Components of Internal Controls in a circular arrangement, visually conveying their interconnectedness within the internal control framework. Each component is represented by a coloured segment with an icon and label: Control Environment (pink segment with a lightbulb icon), Risk Assessment (yellow segment with a clock icon), Information and Communication (green segment with an information icon), Control Activities (blue segment with a gear icon), and Monitoring (purple segment with a target icon). At the center of the circle, a grey circle contains the text “COSO’s Five Components of Internal Controls,” emphasizing the core elements that comprise the internal control system.

Control Environment

  • Sets the tone of the organization, influencing the control consciousness of its people
  • Includes integrity, ethical values, management’s philosophy and operating style
  • Encompasses organizational structure, assignment of authority and responsibility
  • Involves human resource policies and practices
  • Provides the foundation for all other components of internal control

Risk Assessment

  • Involves identifying and analyzing relevant risks to achieving objectives
  • Forms a basis for determining how risks should be managed
  • Includes setting objectives at different levels (entity-wide and activity-level)
  • Encompasses internal and external factors that could impact objectives
  • Considers the potential for fraud in assessing risks
  • Identifies and assesses changes that could significantly impact the internal control system

Control Activities

  • Policies and procedures that help ensure management directives are carried out
  • Occur throughout the organization, at all levels and in all functions
  • Include a range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties
  • Can be preventive or detective in nature
  • Include general controls and application controls over technology

Information and Communication

  • Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
  • Information systems produce reports containing operational, financial, and compliance-related information
  • Deals with internal and external communications
  • Provides the information needed to carry out day-to-day controls
  • Enables personnel to understand their own role in the internal control system, as well as how individual activities relate to the work of others

Monitoring

  • Assesses the quality of internal control performance over time
  • Includes ongoing monitoring activities built into normal, recurring operating activities
  • Involves separate evaluations, the scope and frequency of which depend on risk assessment and effectiveness of ongoing monitoring procedures
  • Communicates deficiencies to those responsible for taking corrective action and to management and the board as appropriate
  • Considers feedback from both internal and external sources, including audits and regulatory reviews

From a risk management monitoring perspective, these five components work together as an integrated system. They provide a framework within which organizations can develop and maintain effective internal controls that address significant risks. The monitoring component, in particular, is crucial in ensuring that the internal control system remains effective over time and adapts to changes in the organization’s risk profile and operating environment (Leland, 2023; COSO, 2013).

License

Risk Management - Supply Chain and Operations Perspective Copyright © 2024 by Azim Abbas and Larry Watson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.