How to Assess the Effectiveness of Internal Control

Wednesday, January 11, 2012

Norman Marks


The new draft internal control framework (ICF) from COSO includes guidance on how to assess whether the system of internal control is effective.

In this post, I am going to try to summarize what the document says. I then will ask your views on whether you agree with this way of assessing the adequacy of internal control. (BTW, I am going to limit the discussion to COSO lingo and not introduce any ISO or other terms.)

We have to start with the definition of internal control, which is unchanged from the 1992 edition:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of reporting.
  • Compliance with applicable laws and regulations.”

Before taking on the issue of evaluation, let’s look at two key phrases in the definition above: “reasonable assurance” and “objectives”:

Reasonable assurance

The discussion in the draft of “reasonable assurance” (in paragraphs 21-22) does not use risk management terms. (What I mean by that is that it doesn’t talk about ensuring the risk to the achievement of objectives is acceptable, within organizational tolerances).

It simply acknowledges that factors outside the system of internal control (such as human error or judgment) can affect achievement of objectives. As a reminder, here is the definition of enterprise risk management from the COSO ERM framework:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”


In paragraph 30, the ICF draft provides a nice summary:

“An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.”

It is arguable whether objectives such as obtaining a 30% operating margin, growing revenue by 10%, or improving customer satisfaction by 10% can be readily placed within the three categories of objectives identified in the draft.

The COSO ERM framework adds a fourth category of objectives to the three in the ICF. It describes the four as:

  • Strategic – high-level goals, aligned with and supporting its mission
  • Operations – effective and efficient use of its resources
  • Reporting – reliability of reporting
  • Compliance – compliance with applicable laws and regulations.

The examples of business objectives I listed earlier would presumably fit under “Strategic”. I can’t explain why the ICF draft does not include this category. In lieu of a Strategic category, they would have to fit in the Operations group.

Assessing internal control effectiveness

The draft ICF starts the discussion at paragraph 71:

“An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.”

As a reminder, the three categories of objectives are Operations, Reporting, and Compliance. The five components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

The assessment flow continues at paragraph 76:

“In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning.”

For each of the five components, the draft ICF describes principles: 5 for Control Environment, 4 for Risk Assessment, 3 for Control Activities, 3 for Information and Communication, and 2 for Monitoring – a total of 17.

Moving to paragraph 78:

“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning.”

The key

As I read it, the draft is saying:

1. To have an effective system of internal control, the risk of not achieving an objective is reduced to an acceptable level. CHECK

2. For the risk to be acceptable, all 5 components must be present and functioning. QUESTIONABLE

3. The way to assess whether each component is present and functioning is to examine whether the related principles are achieved. OK IN PRINCIPLE (pun intended)

4. If any of the principles are not achieved, you need to assess the deficiency as to whether the related component is present and functioning. OK

The issues

My major issues are:

1. I struggle with the categories of objectives. I think we are better off talking about achieving the organization’s strategies and objectives to create value, rather than confusing the issue with 3 categories that don’t clearly match to an entity’s strategic plan.

2. I am not persuaded that all 5 components must be present and operating effectively for the risk to be considered acceptable. I am sure that one or more may be ineffective, but the nature of the objective and the other controls mean that the risk level is not excessive.

3. I fear that the 17 principles will become a checklist.

My preference

1. Eliminate the three categories of objectives and replace them with one: the achievement of the entity’s strategies and objectives for creating value. Failures in reporting or compliance, if significant, will result in a failure to achieve strategies and objectives (via penalties, loss of share value, etc.)

2. The system of internal control – as a whole – may be considered effective if the risk to the most significant objectives (i.e., not necessarily all of them) is reduced to an acceptable level. It may be effective even if:

    a. The risk of non-achievement of minor objectives is higher than acceptable, or

    b. The risk of non-achievement is only marginally high for a limited number of objectives, and acceptable when considering the overall success of the organization

3. Require judgment as to whether the overall risk to achievement of strategies and objectives is acceptable, considering the combination of controls within and across all 5 components.

4. Retain the principles, but change the language to say that these should be considered if there is a desire to assess each component individually. Remove the inference that we now have a checklist of 17 items.

In other words, simplify the assessment flow to answering one question:

Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?

This question can be applied to the strategies and objectives for creating value – as a whole, for a group of strategies/objectives, or for individual strategies/objectives.

Do you agree? If not, please share your views. I have a poll to gather opinions on this topic and would appreciate your votes.

Cross-posted from Norman Marks on Governance, Risk Management and Audit

benson dana:

I'm not sure rearranging these standards improves the effectiveness of the assessment in any meaningful way. When you assess business risks and internal controls, you are by definition criticizing the very management that employs you. That is a tricky tightrope to walk, and I think in too many cases, when risks seem high in one or a number of areas, and controls are likewise weak, management has every opportunity to minimize and marginalize their response to the findings by delaying remediation, rationalizing away the risk or effect, or simply ignoring the issue. And internal and external auditors in some cases allow this behavior.

Fine, fine, fine. Great report, Steve. See you next year.

I think senior management has to be held much more accountable for their responsibility to maintain high standards in the areas of risk controls and internal controls. One of the traditional risk factors in fraud is a secret need. How many internal control checklists include reviewing the credit reports of senior management? How about a critical analysis of a key manager's written performance evaluation compared with general or serious control weaknesses under their control?

We need to do a much better job of holding senior management accountable for their performance and risk control. All politics is local, and all internal control weaknesses are personal.