Sarbanes-Oxley: How Should the CMO Prepare the Marketing Department

The Magic Words: Internal Control Structure and Procedures

In 1985, inspired by an alarming increase in fraudulent corporate financial reporting, a consortium of the largest accounting professional associations formed the National Commission on Fraudulent Financial Reporting, more commonly referred to as The Treadway Commission. Each member of the consortium also participates in a supporting organization, COSO (literally, the Counsel of Supporting Organizations). COSO works on ethical and professional issues for the accounting profession. Periodically, it comes out with a report. These reports and their recommendations have a powerful self-governing influence on accountants.

In a 1992 report, COSO defined the ambiguous phrase "internal control":

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1) effectiveness and efficiency of operations; 2) reliability of financial reporting; 3) compliance with applicable laws and regulations.

The COSO report states that, so that it can be expressed as written policy and tracked and reported on, the internal control process manifests as a framework. COSO identifies eight core elements in its integrated framework for internal control. Section 404 specifically calls for just such an internal control structure, which management has to describe and whose effectiveness it has to judge in the company's annual report. The SEC mentions COSO by name in its rules for 404 and declines to make it the official legal standard only because foreign companies doing business in the United States might use a different structure. Thus, in practice, if not by law, the COSO framework probably will be the benchmark standard of internal control structure and procedures for US companies complying with 404. In part, the SEC says:

The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.

Using the COSO Framework for Sarbanes-Oxley Internal Control Compliance

The draft COSO framework covers a wide swath of territory, ranging from declaratory statements about a company's values and culture to specific parameters around data storage and integrity. Each element contributes to the overall evaluation of the company's exposure to risk, whether market or regulatory.

Here are highlights of the framework where an effective analytical capability would be especially useful:

- Event Identification: This is a company's ability to draw insight from its information and flag the contingencies upon which the objectives are premised. Aggregate analytical capabilities would be critical: in some cases, it may be useful to group potential events into categories. By aggregating events horizontally across an entity and vertically within operating units, management develops an understanding of the interrelationships between events, gaining enhanced information as a basis for risk assessment.

- Risk Assessment: This is the assessment of the probability of those contingencies. Risk assessment employs both qualitative and quantitative analytic methods and evaluates potential uncertainties as they unfold, whether they are internally or externally generated.

- Control Activities: These are the policies and procedures that ensure that risk responses are carried out efficiently. Here too, analytic capabilities are called for in two key areas. 1) COSO identifies general controls as encompassing IT infrastructure and management, security management and software. 2) Application controls are designed to ensure completeness, accuracy and validity of data capture and processing.

- Information & Communication: Analytics is the solution for COSO's information & communication element of internal control. COSO says information is needed at all levels of an organization to identify, assess and respond to risk. Pertinent information from both internal and external sources must be captured and shared in a form and time-frame that equips personnel to react quickly and efficiently. Effective communication also involves the exchange of relevant data with external parties, such as customers, vendors, regulators and shareholders. Effective enterprise risk management relies on both historical and current data. Historical data tracks actual performance against targets, identifies trends, correlates results and forecasts performance. Historical data also provides early warning signals concerning potential risk-related events. Current data gives management a real-time view of risks inherent in a process, function or unit. This enables an organization to alter its activities as needed in keeping with its risk appetite. (Continued – Part 4)

Disclaimer

The information and opinions expressed in this paper are not intended to be a comprehensive description, nor to provide legal advice, and should not be treated as a substitute for specific advice concerning individual situations. While the author and Upper Quadrant have made every attempt to ensure that the information contained in this document is accurate, neither the author nor Upper Quadrant is responsible for any errors or omissions, or for the results obtained from the use of this information.
