Sarbanes-Oxley Act

COSO – Internal Control Integrated Framework

COSO defines five interrelated components of internal control:

  • the control environment,
  • risk assessment,
  • control activities,
  • information and communication,
  • and monitoring.

The Control Environment is sometimes described as the “conscience” of an organization. This concept refers to the business environment in which individuals with differing responsibilities conduct an organization’s business and comply with their internal control obligations.

Risk Assessment requires the identification, assessment and review of relevant risks that an organization does or might face. Organizations will be required, after identifying the relevant risks, to determine if sufficient controls apply to particular risk areas and to correct any inadequate controls.

In this article, we will examine the Control Environment and Risk Assessment components of the COSO framework. We will give an overview of the other components in future articles.


Control Environment – The Foundation of Internal Controls

The control environment is often referred to as “The tone at the Top”. The control environment is initially set when the organization is formed and it sets the foundation for all other controls. The following is an example of what is included in the control environment:

  • The vision and values of the entity as communicated (verbally and non-verbally) by the board of directors and management.
  • Integrity, ethical values and management philosophy.
  • Operating style of the board of directors and management.
  • Personnel and Human Resource policies and strategies.
  • Organizational structure
  • Delegation or assignment of responsibilities
  • Commitment to Competence

Material deficiencies in the control environment are hard to overcome with entity or activity level controls.

Risk Assessment – Your Objectives and the Risk of Achieving or Not Achieving those Objectives

Risk assessment begins with management determining the specific business objectives at the entity level and the business process level. Once those objectives are established, the risk associated with achieving or not achieving them is established. Management assesses risk by considering the consequences of each specifically identified risk and the likelihood of it occurring. Areas with increased risk in your financial institution may include business processes that require an estimate (such as allowance for loan losses), a financial statement line item that is material or could be material to the overall financial condition of your bank, areas with limited segregation of duties, etc.

To assess where your bank stands in the COSO – Internal Control Integrated Framework, you must consider all components and realize that a “cookie cutter” approach will not work in all areas of your bank. If, based on your initial assessment, you are deficient in or have not considered certain components, we would encourage you to take actions to strengthen the component.

If your bank has an adequate internal control structure you should consider:

  • Are you adequately monitoring your control activities to determine the effectiveness of your internal controls?
  • Have you considered the business objectives and assessed the risk associated with those objectives?
  • Are you communicating effectively to your employees and colleagues their role in the internal control structure?
  • Are you educating your employees on why controls are important and what are some of the controls that are applicable to your bank?

Contact Nichols, Cauley & Associates by Email, phone, or online form with your questions.

Site visitors should keep in mind that the content is generally designed to be of general applicability. Particular state laws, regulations and special contractual provisions can greatly impact rights, responsibilities and legal obligations. Only a competent attorney, accountant or other professional looking at all the pertinent facts and circumstances of a particular situation can provide definitive guidance for you. Please refer to our important legal disclaimer, which can be accessed from the bottom of any BankAudit.net webpage.

This site copyrighted, designed and maintained by Nichols, Cauley and Associates, LLC. All rights reserved.
D/b/a Nichols, Cauley & Associates, PLLC in North Carolina