Home' A Plus Magazine : March 2014 Contents Internal control
24 March 2014
THE STRUCTURE OF
The Committee of Sponsoring Organiza-
tions of the Treadway Commission, a joint
initiative of five organizations, including the
American Institute of CPAs, issued the new
Internal Control – Integrated Framework in
May 2013. First published in 1992, the frame-
work is widely recognized as the leading
guidance for designing, implementing and
conducting internal control and assessing its
The framework provides three categories
of objectives, which allow organizations
to focus on differing aspects of internal
control. They are:
Operations objectives pertain to
effectiveness and efficiency of the
entity’s operations, including operational
and financial performance goals and
safeguarding assets against loss.
Reporting objectives pertain to internal
and external financial and non-financial
reporting and may encompass reliability,
timeliness, transparency, or other terms
as set forth by regulators, recognized
standard setters or the entity’s policies.
Compliance objectives pertain to
adherence to laws and regulations to
which the entity is subject.
Internal control consists of five integrated
This is the set of standards, processes,
and structures that provide the basis for
carrying out internal control across the
organization. The control environment
comprises integrity and ethical values;
parameters enabling the board of
directors to carry out its governance
oversight responsibilities; organizational
structure and assignment of authority
and responsibility; process for attracting,
developing and retaining competent
individuals; and rigour of performance
measures, incentives and rewards.
Every entity faces a variety of risks
from external and internal sources.
Risk is defined as the possibility that
an event will occur and adversely
affect the achievement of objectives.
Risk assessment involves a dynamic
and iterative process for identifying
and assessing risks to the achievement
of objectives and forms the basis for
determining how risks will be managed.
These are the actions established through
policies and procedures that help ensure
that management’s directives to mitigate
risks to the achievement of objectives
are carried out. Control activities are
performed at all levels of the entity, at
various stages within business processes,
and over the technology environment. They
may be preventive or detective in nature.
Information and communication
Information is necessary for the entity to
carry out internal control responsibilities to
support the achievement of its objectives.
Communication is the continual, iterative
process of providing, sharing, and obtaining
Evaluations are used to ascertain whether
each of the five components of internal
assurance, Hirth notes. “All public compa-
nies should have effective internal control
at a reasonable assurance level to prevent
or subject to early detection, fraudulent fi-
nancial activity. You can’t afford to get to
If COSO is a religion, Hirth is its recently
anointed prophet, having been appointed
Chairman in June 2013. Now that COSO is
established as a de facto standard in the U.S.,
Hirth would like to see its global adoption.
“How can I spread the word outside the U.S.
and get companies to implement [the frame-
work] on a voluntary basis,” he wonders.
After all, some of its principles are al-
ready included in non-U.S. legislation, such
as China’s Caikuai  No. 7, Basic Stan-
dard for Enterprise Internal Control (a l a w
nicknamed China SOX) and Japan’s Financial
Instruments and Exchange Law of 2008 (nick-
named, inevitably, JSOX).
Hirth praised the Hong Kong Institute
of CPAs for its initiative to provide corporate
governance guidance covering disclosure to
stakeholders about internal controls and
how they operate. “Outside of the U.S., there
is a real drive around internal control in Ja-
pan and Singapore and Hong Kong.”
The Mainland is also showing more
interest. More than 700 people attended
Hirth’s presentation in Beijing last month,
while another 300 saw him outline the new
framework in Tokyo. “ There’s a good interest
in the region,” he says.
Part of the international interest is a re-
f lection of globalization, he points out. “If
you think about the U.S.-listed companies
that COSO applies to, many of them are
global corporations,” he says, “and there
are many non-U.S.- domiciled companies
listed on U.S. exchanges using it, so it is al-
ready globalized and used effectively.”
Hirth adds that the COSO framework is
also well known to the international auditing
profession. “PwC had 30 people from outside
the U.S. working on the revision,” he says.
The new framework ’s more global out-
look will make it more able to transcend
“Outside of the U.S .,
there is a real drive
control in Japan and
Singapore and Hong
Links Archive February 2014 April 2014 Navigation Previous Page Next Page