E.15 Internal Control and Risk Frameworks

  1. Control and risk frameworks have been developed to provide more common, generally accepted structures or methodologies for reviewing and assessing risk and for assessing the adequacy of control over identified risks. The frameworks provide discipline while allowing customization by the Office of the Auditor General of Canada (Office).

  2. In considering control frameworks, the internal auditor should keep in mind the Institute of Internal Auditors’ (IIA) definition of control, taken from the Glossary of the IIA’s International Standards for the Professional Practice of Internal Auditing:
    Control: Any action taken by management, the Audit Committee, the Auditor General, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Framework Examples

COSO – United States

  1. The report Internal Control – Integrated Framework was designed by the U.S. Committee of Sponsoring Organizations of the Treadway Commission (COSO), of which the IIA is a member. The COSO model provides a common definition of internal control and a framework for evaluating internal control.

COSO’s Definition of Internal Control 1

  1. Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    1. Effectiveness and efficiency of operations
    2. Reliability of financial reporting
    3. Compliance with applicable laws and regulations

  2. This framework is established around five interrelated components:

    1. Control environment
    2. Risk assessment
    3. Control activities
    4. Information and communications
    5. Monitoring

COSO Enterprise Risk Management (ERM)

  1. The COSO ERM framework expands the concepts of Internal Control – Integrated Framework to a more extensive focus on enterprise risk management. It does not replace the control framework, but incorporates it and expands it to the broader risk management process.

  2. COSO defines ERM as a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  3. The COSO ERM considers the key areas of enterprise risk management to be the following:

    1. Alignment of risk appetite and strategy
    2. Enhancing risk response
    3. Reducing operational surprises and losses
    4. Identifying and managing multiple and cross-enterprise risks
    5. Seizing opportunities
    6. Improving deployment of capital

  4. The COSO ERM framework involves the following components:

    1. Internal environment
    2. Objective setting
    3. Event identification
    4. Risk assessment
    5. Risk response
    6. Control activities
    7. Information and communication

CoCo—Canada

  1. Designed by the Criteria of Control Board (CoCo) of the Chartered Professional Accountants Canada, CoCo defines internal control as follows:2
    Control comprises those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.

  2. These controls may fall into one or more of the following general categories:

    1. Effectiveness and efficiency of operations
    2. Reliability of internal and external reporting
    3. Compliance with applicable laws and regulations and internal policies

  3. The CoCo framework is structured around the following:

    1. Purpose
    2. Commitment
    3. Capability
    4. Monitoring and learning

Control Objectives for Information and Related Technology (COBiT)

  1. COBiT was created by the Information Systems Audit and Control Association (ISACA) and the Information Technology Governance Institute (ITGI) in 1992. Since that time, a number of new editions have been issued, including its most recent (4.1) that was issued in 2007.

  2. Its mission is to “research, develop, publicize, and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals, and assurance professionals.”

  3. The COBiT internal control framework, which complements the COSO Integrated Framework, is designed to

    1. link IT activities with the objectives of the organization,
    2. establish a generally accepted IT process model,
    3. identify those IT assets that can be effectively leveraged, and
    4. define and evaluate management control objectives.

  4. The specific IT Governance Focus Areas outlined in COBiT include the following:

    1. Strategic alignment
    2. Value delivery
    3. Resource management
    4. Risk management
    5. Performance management

Internal Control—Revised Guidance for Directors on the Combined Code—October 2005—UK (Turnbull Review Group)

  1. The Internal Control Revised Guidance for Directors on the Combined Code represents a flexible, principle-based approach that is designed to maintain a strong system of internal controls. It is intended to

    1. embed internal controls into the processes companies utilize to achieve their business objectives,
    2. maintain its relevance over time even though the business environment is continually changing, and
    3. provide a level of flexibility that allows companies to tailor their implementation of the guidance to their individual circumstances.

  2. The guidance was developed because of the importance that internal controls play in

    1. achieving a company’s business objectives;
    2. ensuring the effectiveness and efficiency of operations, reliability of internal and external financial reporting, and compliance with laws and regulations;
    3. limiting unnecessary financial risks, ensuring the reliability of financial records, and adequately safeguarding assets; and
    4. managing and controlling overall company risk.

The Australian and New Zealand Standard on Risk Management (AS/NZS 4360: 2004)—Australia and New Zealand

  1. The joint Standards Australia and Standards New Zealand Technical Committee developed this standard to assist both public and private sector entities in applying sound risk management practices. The approach outlined in the AS/NZS Standard includes the following risk management process steps:

    1. Establish risk context (What is at risk?)
    2. Identify risks (What are the risks?)
    3. Analyze risks (What is the significance of each risk?)
    4. Evaluate risks (What is the relative importance of each risk in relation to other risks?)
    5. Treat risks (What response is needed to address the risks?)

  2. In addition to these steps, communication, consultation, monitoring, and reviews are completed throughout each step to ensure the successful execution of the entire process.

References:

1 Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 1992, 1994, 2013.

2 Guidance on Control, issued by the Criteria of Control Board of the Canadian Institute of Chartered Accountants, November 1995.

Last modified: 2018-04-05