what the eletment of COSO framework in Internal Control

When reviewing an Internal Control System COSO is generally applied. The format is as follows;

1) Review the internal control environment – discuss with managers, Internal audit department etc… the level of controls needed
2) Ascertain the level and types of risk the company faces e.g. by reading the risk report, discussions with risk management
3) Now that you now know the environment you can assess what is in place. Review the application of the Internal controls i.e. review internal audit reports
4) Review how recommendations and reports are received and acted on. Discussions with the audit committee may be relevant here
5) Review how internal controls are managed e.g. talk with senior/departmental mangers charges with such a responsibility

COSO provides a way to review the whole system of internal controls

There’s 8 component of COSO. This i get from COSO website itself.

1) Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

2) Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

3) Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

4) Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

5) Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

6) Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

7) Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

8) Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

yes i think it fits into the five component. The 5 components is more on internal control. While the 8 component is enterprise risk management which is an extension to the former just that it adds steps 2,3 and 5. The added components is decided on strategic level by the board. For example if you look at 2,3 and 5.

2) objective setting – objective should align with the shareholders’ interest and risk appetite e.g financial industries (risk seeking) or airline (risk averse)

3)relate to internal and external environment
– internal (look at the financial and physical resources and capability of the company to handle the risk
– external (look at chages in laws and regulations, sector-specific industry etc)
Assessing all these help the company to identify business opportunities and risk – how well the company capitalize on the opportunities and minimize the risks involve with any business objectives and strategies

5) The line manager can only review and report to the board but the decision is for board to decide whether to transfer, avoid, reduce and accept the risk.

So if you ask me on reviewing the internal control, the 5 component would be sufficient as the internal control is to manage risk at operational level.

But if on board level the 8 components is more appropriate.

Hope this help.

Yes they overlap. But the 5 component iinternal control is widely used in SOX as a standard to evaluate the adequacy of the internal controls.

Hi Techno,

Sorry for the late response. The 5 step COSO came from the Kaplan Exam Kit. They stated that when faced with a question that asks you too “assess the Internal Control System” always use the 5 step approach.

The difference between this and your 8 steps is that the 8 steps is about risk management (i.e. whats the risk, is it big, this is our reponse, implement it etc… and the 5 steps is more like an audit of the whole control system. Apologies as I thought you meant COSO and internal control systems rather then management.

They are 2 different techniques for 2 different types of question.

Thanks richieinspain…

Thanks to crazycujo’s earlier posts, I managed to understand the difference between the COSO 8-stage Risk Mgt Framework….and the COSO 5-stage “Review of Internal Controls”…

….the problem I’m actually having is that there is no such thing as a COSO 5-stage “Review of Internal Controls” in my textbook…my BPP book says that for reviewing the internal controls (for instance, when the board does it’s regular and annual reviews of IC) then you should use the Turnbull 4-stage approach to review IC:

1) Risk assessment,
2) Control environment & control activities,
3) Information & communication,
4) Monitoring.

The only ref to anything resembling a COSO 5-stage review is this COSO’s “Internal Control Over Financial Reporting – Guidance for Smaller Public Companies”…which has the correct 5-stages, but says they are actuallly intended for controls over fin. reporting/statements, rather than all Internal Controls across all the org.

So it looks like the confusion has come out of the fact that BPP say IC should be reviewed by the Turnbull 4-stages, but Kaplan says you can use the COSO 5-stages.

Crazycujo sowed an idea in my head when they said that the COSO 5-stage is used in SOX…this would make sense, as SOX requires the identification of a framework used to review the IC over the fin reporting….so I figured maybe you use the coso 5-stage for the IC over fin. statements, but for reviews of the ICS across the whole org, you would use the Turnbull 4-stage.

That was the only way I could make sense of it…but obviously I’m just trying do do a bit of detective work on why something so important would be so different in my BPP textbook to the Kaplan.

I’m 100% confident that the use of the COSO 5-stage review would be correct if the exam question asks for a framework to meet the SOX requirements of review of controls over fin statements.

But what I am unsure of is what to do if the exam asks for a framework for the board’s review of IC’s in general…the BPP textbook really pushes the Turnbull 4-stage…..

And unfortunately I’ve no Kaplan text, so I’m stuck with the BPP Turnbull recommnedation.

It would be easier if there was just one framework for IC…like the Kaplan says…

Tricksy….