Under the COSO framework, internal control is defined as “a process affected by an entity’s board of directors, management and other personnel” (“Internal Control integrated”, n.d.). It is intended to provide reasonable assurance of achieving objectives in the following areas: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Based on the COSO framework, internal control can be categorized into three types: preventive, detective, and corrective. The five interrelated components at the core of the COSO framework are explained in detail below.
Element 1: Control environment
The control environment is a firm’s tone at the top and is the fundamental component among the five COSO components. It provides fundamental discipline and structure for effective and efficient operation and sets the basis for risk assessment. Control environment factors include risk management philosophy, business operating style, human resource policies, ethical values of the entity, and the direction of the administrative board.
Element 2: Risk assessment
Risk assessment is the procedure of methodically recognizing and examining relevant external and internal risks to determine the firm’s risk response and control activities. It enables the firm to understand the impacts of the risks and the importance of appropriate internal controls to minimize them. It is also the first step in developing an audit plan.
Element 3: Control activities
Control activities are the rules and processes that help to ensure that necessary directives are carried out to address risks in realizing the firm’s goals. They implement internal control by addressing the risks identified in risk assessment.
Element 4: Information and communication
Communication is needed to ensure the proper exchange of information. It keeps a continuous flow of information internally across the organization and externally among the stakeholders. Effective communication of information enables employees to improve performance efficiency. Meanwhile, it creates a good reputation with external parties.
Element 5: Monitoring
Monitoring evaluates the quality of the internal control system. It can be achieved through ongoing monitoring activities and separate evaluations. Ongoing monitoring includes regular supervisory activities and other actions taken in the performance of duties. The frequency of separate evaluations depends on the risk assessment and monitoring effectiveness. Any changes or deficiencies should be monitored to improve the business process.
All five elements are linked to each other, forming an integrated internal control system. They can be applied at the entity, division, operating unit and function levels. Regardless of which level the firm belongs to, the five components together help the firm to achieve its three internal control objectives: Operations, reporting and...