December 14, 2017

COSO Series Articles Part 2 of 6: The following article is part two of a six-part series exploring the high-level basics of the COSO Integrated Internal Control Framework1. In this installment, we will address the Control Environment, which is the foundation of an effective organizational internal control system.

COSO defines the Control Environment as the “set of standards, processes and structures that provide the basis for carrying out internal control across the organization.” This component comprises the tone at the top, communication about ethical behavior and internal control with all levels of staff, and the overall integrity and values of the organization. These components provide the overall basis for a successful system of internal control.

What is the Control Environment?

The Control Environment can be broken down into five distinct principles, or concepts, and each concept’s related risks. The concepts and risks are as follows:

1. The organization demonstrates a commitment to integrity and ethical values.

This principle ultimately starts with tone at the top, which begins with the board of directors and management communicating—through both directive and their own behavior—the importance of an ethical work environment and its role in achieving organizational goals. Specific standards of conduct should be understood throughout all levels of the organization, and processes should be in place to evaluate performance and quickly address deviations from expectations.

Related Risks: Employees unaware of internal control, lack of approved policies and procedures, lack of employee accountability, systemic ethical problems or fraud.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Not only should the board of directors maintain independence—both in fact and in appearance—from management, but it should have the necessary expertise to fulfill individual roles. For example, it is critical to have someone in the Treasurer position who is familiar with financial statements and accounting. Otherwise, the controls around board-level financial analysis would be weak and thus a potential detriment to the organization’s objectives. The board of directors should also oversee the design and implementation of internal controls, which is carried out by management.

Related Risks: Perceived (or actual) conflicts of interest between the board and management, board members unable to perform assigned duties, lack of internal control design and oversight.

3. With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

It is critical that management appropriately delegate authority and define responsibilities at the various levels of the organization. Primarily, this is done by establishing reporting lines to enable authority, responsibility, and flow of information. The board of directors should retain authority over significant decisions. They should also review management’s assignments and limitations of authorities and responsibilities.

Related Risks: Employees unaware of reporting relationships, duplication of duties, unchecked management decision making and control.

4. The organization demonstrates a commitment to attracting, developing, and retaining competent individuals in alignment with objectives.

Monitoring staff competence is very important in maintaining a system of internal control, and evaluation should not be limited to the hiring process. Instead, competence is something that should be nurtured and reinforced through an ongoing plan to develop and train employees.

Related Risks: Lack of training, employees not qualified to perform assigned tasks.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Accountability is reinforced by establishing clear expectations, performance measures, and incentives that consider the pressures of achieving the related goals. It is also reinforced by taking corrective action when appropriate.

Related Risks: Breakdown of internal control or cutting corners, unrealistic performance targets, lack of employee accountability, work environment conducive to fraud or waste.

As you evaluate your organization’s own control environment and unique risks, it is important that you consider all of these principles and whether they are all functioning successfully.

For complete and detailed information about the Framework, Components, and Principles, we encourage you to explore and learn more on COSO’s website.


Questions about this article? Please contact us.

1COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission. It was formed in 1992 as a joint initiative of five organizations, including the American Institute of CPAs and the Institute of Internal Auditors, among others. Since that time, the committee has been developing and refining frameworks and guidance around enterprise risk management, internal control and fraud deterrence, with the most recent revisions of the Internal Control – Integrated Framework model in 2013.

© Clark Nuber PS, 2017. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.