Corporate Social Responsibility (IVOR nr. 77) 2010/5.2.2
5.2.2 The COSO definition and the framework of internal control
Mr. T.E. Lambooy, date 17-11-2010
- JCDI
JCDI:ADS369493:1
- Field(s)
Corporate law (V)
Footnotes
[1] M. van Creveld, The Rise and Decline of the State (Cambridge University Press: Cambridge UK, 1999).
[2] COSO is an independent private-sector initiative and a non-profit commission, which was established to sponsor the US National Commission on Fraudulent Financial Reporting, which studied the causal factors that can lead to fraudulent financial reporting. Participating members of COSO are: the American Accounting Association, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants; COSO, 'About Us, History', at: http://www.coso.org/aboutus.htm, accessed on 26 November 2010.
[3] COSO, 'Internal Control-Integrated Framework', at: http://www.coso.org/IC-IntegratedFramework-summary.htm, accessed on 30 July 2010. The COSO Report 1992 is available at: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990009/PC-990009.jsp, accessed on 11 June 2010.
[4] See: 'Internal Control-Integrated Framework', at: http://www.coso.org/IC-IntegratedFramework-summary.htm, accessed on 26 November 2010. The 'COSO Addendum 1994' and other COSO reports are available at: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990009/PC-990009.jsp, accessed on 11 June 2010; see also SEC, 'Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports', Release Nos. 33-8238, 34-47986, 14 August 2003, at: http://www.sec.gov/rules/final/33-8238.htm, accessed on 19 March 2009.
[5] Ibid.
Internal controls have existed since ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them.[1] In present times, internal control is primarily linked to accounting practices and to corporate governance. The objective of internal control over financial reporting is to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). The purpose of management's evaluation of internal controls is to provide management with a reasonable basis for its annual assessment of whether any material weaknesses exist in the control system as of the end of the fiscal year. Any such weaknesses must be disclosed in the annual report.
Internal control is crucial for the transparency and effective governance of corporate activities. It therefore became a key element of the European and other corporate governance codes, and of the FCPA and SOX, which require improvements in internal control in US public companies and in non-US public companies with a US listing. In the US in 1985, the 'Committee of Sponsoring Organisations of the Treadway Commission' (COSO) was formed.[2] COSO issued a report, "Internal Control - Integrated Framework (1992)" (COSO Report 1992), which established a definition of 'internal control' and created a framework for evaluating the effectiveness of internal controls. The standards set by COSO are important because later on, in 2003, when the SEC implemented new financial control regulations pursuant to SOX, the SEC referred to these standards (see section 5.2.3 infra), as does the Frijns Code (see section 5.2.4 infra). Internal control is defined in the COSO Report 1992 as:
a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.[3]
Besides a definition, COSO created a framework for evaluating the effectiveness of internal controls. This framework views internal control as consisting of five interrelated components. Internal control over business operations is only considered 'adequate' and 'effective' when all five are present and functioning effectively. The components are the following:
The 'control environment' is what sets the tone for an organisation and provides discipline and structure. It reflects the entity's corporate governance and includes: the integrity and competence of the entity's people; management's philosophy and operating style; and the way management and the board assign authority and responsibility throughout the organisation.
'Risk assessment' is the identification and analysis of risks to determine how they should be effectively managed. Once risks have been identified, sourced and measured, steps must be taken to avoid, transfer, or otherwise reduce the risks to acceptable levels. As an example, to evaluate the risk of bribery and corruption in the procurement process, one might analyse how engineering could create specifications that favour specific vendors, how purchasing could unfairly award contracts, and how accounting could record kickbacks.
The 'control activities' are the policies and procedures that help to ensure that management's directives are carried out. These include such practices as authorisation, reconciliation and the segregation of duties. Such activities permeate the entire organisation, at all levels and in all functions. They should be tailored to reflect the entity's specific control environment, objectives, and tolerance for risk.
'Information and communication systems' produce operational, financial and compliance-related reports, and they also notify personnel of their role in the internal control system. These systems must provide a means for escalating important information to the very top of the organisation and for receiving input from external parties. As an example, one should consider information on corrupt practices coming from a whistleblower. The source could be a marketing clerk within the organisation who comes across incriminating documents or an external vendor who witnesses a corrupt practice. In either event, it is critical that internal and external information be identified, captured, and communicated in a form and time frame that enables decision makers to carry out their responsibilities.
Finally, 'monitoring' is a process that assesses the quality of the system's performance over time. When deficiencies are discovered, they must be reported and appropriate remedial action taken. The internal enforcement mechanism must be taken seriously by subsidiary, branch, and regional management and personnel.
In 1994 COSO issued an "Addendum to Reporting to External Parties" (COSO Addendum 1994), which encourages company management that reports to external parties on controls over financial reporting to also report on controls dealing with 'safeguarding assets' against unauthorised acquisition, use, or disposition. 'Safeguarding assets' relates mainly to bribery and other corrupt practices. The Addendum defines such controls and provides a suggested form of reporting.[4] The Addendum was issued in response to a concern expressed by some parties, including the US General Accounting Office, that the management reports contemplated by the COSO Report 1992 did not adequately address controls relating to the safeguarding of assets and therefore would not fully respond to the requirements of the FCPA. In the COSO Addendum 1994, COSO concluded that, while it believed that its definition of internal control in the COSO Report 1992 remained appropriate, it recognised that the FCPA encompasses certain controls related to the safeguarding of assets and that there is a reasonable expectation on the part of some recipients of internal control reports that the reports will cover such controls. The COSO Addendum 1994 provides the following definition of the term 'internal control over safeguarding of assets against unauthorised acquisition, use or disposition':
Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements.[5]