Internal Controls

 The Treadway Commission was established to study factors that lead to fraudulent financial
reporting. The Treadway Commission was established by Private Sponsoring Organizations.
The PSOs included:
o American Accounting Association
o American Institute of Certified Public Accountants
o Financial Executives Institute
o Institute of Internal Auditors
o Institute of Management Accountants
 COSO is sometimes referred to as the Treadway Commission after its original Chairman,
James Treadway.
 COSO is an independent private-sector initiative (not governmental) that was established in the
mid-1980s to study the factors that can lead to fraudulent financial reporting.
 In 1992, COSO issued Internal Control - Integrated Framework to assist organizations in
developing comprehensive assessments of internal control effectiveness. The Framework is
widely regarded as an appropriate and comprehensive basis to document the assessment of
ICFR.
 COSO Framework was developed in 1992, 10 years before SOX 2002.
 The COSO Internal Control Framework does complement the enterprise risk management
framework; the internal control literature was prepared in 1992, while the Enterprise Risk
Management framework was developed in 1994. The Internal Control Framework could not have been
developed to complement the enterprise risk management framework.
 In a large public organization, evaluating internal control procedures should be the
responsibility of an organizationally independent internal audit function that reports to the
governing body of the corporation. Staff that report to the CFO would likely be subject to
bias and lack objectivity, since the controls are likely designed and at least partially
implemented by that staff.
 According to COSO, Tone at the Top is established by Senior Management and the BOD of a
company. Accountability and Communication are important aspects of COSO that are
established by the “tone at the top”. The proper tone at the top helps a company to:
o Create a compliance-supporting culture that is committed to ERM
o Navigate grey areas where no specific compliance guidelines exist
o Promote a willingness to seek assistance and report problems before it is too late
for corrective action.
 Establishing a “Code of Conduct” will help to communicate the “Tone at the Top” to all
employees. The contents likely include:
o Codes of Conduct frequently include prohibitions against conflicts of interest
o Codes of Conduct often include guidance on gifts and gratuities
o Codes of Conduct will generally stipulate that information is privileged and should
be kept confidential.
 The existence of a published code of ethics and periodic acknowledgement that ethical
values are understood is evidence of development of ethical values and ensuring that those
values are understood and taken seriously.
 The Board of Directors has a fiduciary responsibility to act on behalf of and in the best
interest of the corporation.
 The Board of Directors is not primarily charged with acting as an agent of the corporation.
Employees, for example, are agents.
 The Officers/Executives are primarily charged with acting as an executive in fulfilling their
responsibility to the corporation.

The Organizational structure principle says that reporting relationships should not undermine the
commitment to effective financial reporting and internal control. Maintaining reporting
independence of the Internal Auditor is one way to apply this principle, i.e., internal auditors should
not report to the CFO.

Management’s Operating Style typically relates to the manner in which employees regard the
importance of internal controls. This relates more to work ethic and commitment to effective
financial reporting rather than the specifics of ethical behaviour. Management’s Philosophy and
operating style support achieving effective internal control over financial reporting.

The Board of Directors Principle says that the board should be actively involved in overseeing the
implementation of both financial reporting and internal controls. The principle relates more to
leadership than to reporting relationships.

The Authority & Responsibility Principle says that authority and responsibility should be delegated to
individuals within the organizational structure as appropriate to maintain effective Internal Controls.
The authority and responsibility of individuals can be undermined by flaws in the organizational
structure.

The human resources principle says that HR policies and procedures should be compatible with
effective financial reporting and IC. Competence, not reporting structure, is emphasized by this
principle.

CRIME

Control Environment

o The control environment component of the internal control integrated framework
includes principles such as financial reporting competencies, NOT objectives, human
resources, organizational structure, etc.
o The Control Environment of the Internal Control Framework represents the
processes, structures and standards that provide the foundation for the
establishment of the entity’s Internal Control System.

Risk Assessment

o The Risk assessment component of the internal control integrated framework
includes principles such as financial reporting objectives, risks and fraud risk.

Information & Communication

o Involves the identification, capture and exchange of information.

Monitoring Activities

o Monitoring activities involve assessing internal control performance in a timely
manner and taking corrective actions if necessary.
o Internal Controls should always be monitored for the purpose of addressing changes
to risks