Printer Friendly

What the Treadway Commission's Internal Control Study means to you.

A report of the Committee of Sponsoring Organizations of the Treadway commission (COSO), released in September 1992, is expected to have far-reaching effects on the financial community. Already called a landmark study, Internal Control--Integrated Framework establishes for the first time a standard for evaluating the effectiveness of internal control systems.

Here's a look at the framework and its implications. The simple answer to this question is that everyone seemed to have a different mindset regarding what internal control is all about. Since the words "internal control" and its variations have been used to mean fundamentally different things, miscommunication and vastly different expectations of internal control systems among various parties have been rampant.

The problem, when contained within the business community, is serious enough. But when laws and regulations establish requirements based on misunderstood terms and concepts, the problem's scope and impact expand dramatically.

The study was an outgrowth of a recommendation of the National Commission on Fraudulent Financial Reporting, commonly referred to as the Treadway commission. The commission called on its five sponsoring organizations to come together to integrate the various internal control concepts and provide a common reference point.

The objective was not only a conceptual framework but also a standard against which companies could assess their internal control systems and judge their effectiveness. In other words, the study was to provide both a common language and understanding and a practical way for companies to assess and improve their control systems.

The five organizations that established and funded the Treadway commission (the American Institue of CPAs, the Institute of Internal Auditors, the Financial Executives Institute, the Institute of Management Accountants and the American Accounting Association) formed COSO. After obtaining a consensus on the need for and scope of the project, COSO established an advisory council made up of senior executives from the corporate financial community, internal and external auditing and academe.

Coopers & Lybrand was commissioned to conduct the study and prepare the report under the oversight and with the guidance of the advisory council and COSO. (The Financial Executives Research Foundation also was involved initially, providing funding and coordination. )

One might have thought, and some participants in fact did think, that bringing together largely existing concepts would be fairly straightforward. After all, virtually everyone "knew" what internal control "really was," so the task would be easy. That view was quickly dismissed as the difficulty of the challenge of developing a framework acceptable to all parties-- an important project objective---became all too clear.

The study extended over three years and involved tens of thousands of hours of research, discussion, analysis, dialogue and due process. Many hundreds of people, including many members of the sponsoring organizations, chief executives, board members, legislators, regulators, lawyers, consultants, auditors and academicians participated.

The report, consisting of four volumes (as outlined in exhibit 1), was published in September.

The parties most directly involved with the study-- COSO, the advisory council and Coopers & Lybrand-- and many of those who otherwise played a role, believe the study does what it was supposed to do. It provides a conceptually sound framework for defining internal control and establishing fundamental concepts that enables management to compare its internal control system against a standard for the purpose of strengthening the system.

There was much discussion and debate on basic issues. To take one example, some participants initially wanted internal control defined narrowly, much the way internal accounting control has been defined in certain auditing literature. Others wanted a broader definition, focusing on the way management controls business operations. It was agreed that the report, being a framework, must define internal control broadly; at the same time, however, subsets of internal control are provided that readily accommodate the narrower focus (see exhibit 2).

In addition to establishing three broad categories of objectives, the report identifies five components of internal control. The objectives represent what an entity strives to achieve. The components, on the other hand, represent what is needed for their achievement. These components (summarized in exhibit 3) also serve as criteria for internal control effectiveness (as highlighted in exhibit 4).

With its objectives-based definition, supported by requisite components, the COSO framework can be viewed as defining an entire forest--in a way that enables a directed focus on one or more types of trees within the forest. Because of its design features, the involvement of many interested parties and the use of due process, all indications are this report will serve as the definitive standard for internal control.

To put its role into perspective, the COSO report can be compared with early standards for generally accepted accounting principles. For readers who remember when GAAP was represented basically by Accounting Research Bulletin No. 43, Restatement and Revision of Accounting Research Bulletins, the comparison is relevant. The COSO report can be viewed as representing a standard for internal control at a similarly early stage. Just as GAAP has evolved with opinions of the Accounting Principles Board and statements of the Financial Accounting Standards Board, we might expect the standard for internal control to similarly evolve.

Casual observers might question the need for a standard at all, believing we've gotten along all right thus far without one. Auditors have even issued reports on internal control under Statement on Auditing Standards no. 30, Reporting on Internal Accounting Control. (These reports speak to "internal accounting control," which is analogous to "internal control over financial reporting' as used in the COSO report.)

The profession's thinking, however, has evolved, and a new attestation standard is expected to be issued shortly that will supersede SAS no. 30, requiring reports to be issued only when management uses recognized criteria for internal control effectiveness.

Practitioners who believe the professional auditing literature in SAS no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, already encompasses such criteria should recognize that although SAS no. 55 contains a definition of internal control, it does not present criteria for internal control system effectiveness. A definition of internal control is very different from criteria for judging whether an internal control system is effective.


The COSO report has immediate and longer-term implications. In the near term, it enables

* Managements to assess their companies' control systems against an established standard to see where deficiencies might exist and identify opportunities for strengthening systems.

* All parties--managements, board members, auditors, lawyers and others--to speak the same language and thereby enhance communication and the ability to solve problems.

* Companies issuing management reports on internal control to report against the COSO criteria. Doing so will improve communications to stakeholders because reference to the COSO report will incorporate its definitions and concepts, as well as its discussions of limitations of internal control systems, thereby helping to avoid unrealistic expectations and provide protection to management report issuers.

* Auditors to issue reports attesting to management repons on internal control. As noted, a forthcoming attestation standard will require recognized criteria for internal control effectiveness to be used. We are aware of no standards other than those in the COSO report that provide such criteria.

The last two points are particularly important to insured depository institutions subject to the Federal Deposit Insurance Corporation Improvement Act of 1991. Those banks will be required to issue management reports on their systems of internal control over financial reporting and to have their auditors issue attestation reports.

Another immediate benefit of the COSO report is its use in dealing with the 1991 federal sentencing guidelines. The guidelines provide for substantially reduced sanctions for white-collar crimes to companies that have in place an effective program to prevent and detect violations of law. Since good internal control is at the heart of an effective program, managements can look to the COSO framework in gauging its existing program's strengths and weaknesses.

The COSO report has a number of implications for the longer term:

* Managements and their advisers will over time be better positioned to integrate controls into business operations, thereby enhancing quality, effectiveness and efficiency.

* Professional organizations will be looking at their pronouncements and other materials on the subject of internal control to provide consistency with the frame* work. Several of the COSO organizations already have begun these initiatives.

* Legislators and regulators who have been considering requirements for reporting on internal control might look to the framework as a basis for reporting. Indeed, the drafters of the 1991 FDIC banking law were urged not to make internal control reporting effective until the COSO criteria were made final.

* Legislators, regulators and others will likely come away with a better understanding of what internal control is, what subsets it encompasses, what internal control can do and what its limitations are. This common knowledge base will facilitate communication between rule makers and those affected by the rules and make ensuing decisions cost-effective and capable of realistic implementation.

* Educators can be expected to reflect the COSO report concepts and terminology into course curriculums and texts and to use the report as a basis for future research.

The future

Internal Control--Integrated Framework, while indeed a landmark study, will not be the last word on the subject. We can expect it to be built on and enhanced over time. But for now it represents the best, and for that matter the only, standard for assessing internal control effectiveness. It is a standard established by the coming together of many different parties with diverse interests for the common good. For that, all participants can and should believe they have made an important contribution to the business community.

The four-volume Internal Control--Integrated Framework (product no. 990002) is available for $50; the Executive Summary (product no. 990001CL) is available separately for $3 (prices do not include shipping and handling). To order, contact the AICPA order department by calling 1-800-TO-AICPA (fax 1800-362-5066).

--RICHARD M. STEINBERG, CPA, and FRANK J. TANKI, CPA, served as project partner and engagement partner, respectively, directing the Coopers & Lybrand team that conducted the COSO study and developed the report. Mr. Steinberg, a partner in C&L's national office, was cochairman of the American Institute of CPAs task force that developed the SAS no. 55 audit guide and chairman of the task force on consideration of internal control in a computer environment. Mr. Tanki is partner in charge of C&L's New York office business assurance services. He is a member of the AICPA auditing standards board and its task force on reporting on internal control.


The COSO report

Internal Control--integrated Framework is in four volumes:

* Executive Summary is a high-level overview of the internal control framework that is directed to the chief executive and other senior executives, board members, legislators and regulators.

* Framework defines internal control, describes its components and provides criteria against which managements, boards or others can assess their control systems.

* Reporting to External Parties is a supplemental document providing guidance to entities that report publicly on internal control over preparation of their published financial statements, or that are contemplating doing so.

* Evaluation Tools provides materials that may be useful in conducting an evaluation of an internal control system.



Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in each of the following categories:

* Effectiveness and efficiency of operations.

* Reliability of financial reporting.

* Compliance with applicable laws and regulations.

The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources.

The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly.

The third deals with complying with those laws and regulations to which the entity is subject. These categories address different needs and allow a directed focus to meet the separate needs.


Internal control components

* Control environment. The core of any business is its people----their individual attributes, including integrity, ethical values and competence---and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything else rests.

* Risk assessment. The entity must be aware of and deal with the risks it faces. It must set objectives integrated with the sales, production, marketing, financial and other activities so the organization is operating in concert. It also must establish mechanisms to identify, analyze and manage the related risks.

* Control activities. Control policies and procedures must be established and executed to help ensure the actions identified by management as necessary to address risks to achieve the entity's objectives are carried out effectively.

* Information and communication. Surrounding these activities are various information and communication systems. These enable the entity's people to capture and exchange the information needed to conduct, manage and control its operations.

* Monitoring. The entire process must be monitored, with modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.


Internal control effectiveness

Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that

* They understand the extent to which the entity's operations objectives are being achieved.

* Published financial statements are being prepared reliably.

* Applicable laws and regulations are being complied with.

Internal control is a process. Determining whether a particular internal control system is effective is a subjective judgment resulting from an assessment of whether the five components (see exhibit 3) are present and functioning effectively at a point in time. Their effective functioning provides the reasonable assurance regarding achievement of one or more of the stated categories of objectives. Thus, these components are also criteria for effective internal control.

These components and criteria apply to an entire internal control system, or to one or more objectives categories. When considering any one category--controls over financial reporting, for example--all five criteria must be satisfied in order to conclude that internal control over financial reporting is effective.
COPYRIGHT 1992 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Tanki, Frank J.
Publication:Journal of Accountancy
Date:Nov 1, 1992
Previous Article:Recruiting costs scrutinized.
Next Article:FASB ED clarifies GAAP's application to mutual insurers.

Related Articles
How to organize and use audit committees.
Reporting on internal control: the SEC's proposed rules; implementation will bring substantial changes in reporting and auditing.
Integrating concepts of internal control.
Can honesty be legislated?
The name of the GAO's game is more legislation.
Help is at hand for your internal controls.
Does the COSO report pass muster?
The COSO report: a new addendum results in GAO endorsement.
Reaching consensus: the GAO's acceptance of the COSO report.
COSO focuses corporate attention on internal controls.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters