The recent CAN Conference featured a program on Internal Controls, Risk & Fraud prepared by Tana Davis of Davis & Dash. The program defined "Internal Control" using the following definition provided by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting: "a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Internal Control can be judged as effective in each of the three categories if the board of directors and management have reasonable assurance that they understand the extent to which (1) the entity’s operations objectives are being achieved, and (2) published financial statements are being prepared reliably, each in compliance with applicable laws and regulations.
COSO further defined Internal Control as consisting of five interrelated components:
- Control Environment. The organization’s leaders must recognize that the "tone at the top" of the organization (with respect to integrity, ethics and competence) will set the foundation for all other components of Internal Control.
- Risk Assessment. Relevant risks must be identified and analyzed to determine how they should be managed.
- Control Activities. Policies and procedures must be designed and implemented to help ensure that management directives are carried out (including required approvals, authorizations, reconciliations and reviews).
- Information and Communication. The organization’s information systems must capture and communicate information to the right people to enable them to carry out their responsibilities.
- Monitoring. The organization must ensure that it adequately monitors relevant information (part of the internal audit function and essential for general management activities).