
CHAPTER 5: CONTROL FRAMEWORKS

The COSO Frameworks: ICF and ERM

1980s > National Commission on Fraudulent Financial Reporting > COSO (Committee of Sponsoring Organizations)

National Commission on Fraudulent Financial Reporting
• chaired by James C. Treadway
• Among the issues identified was the absence of a comprehensive internal control framework.
• sponsored by five professional associations: The Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial Executives Institute (FEI).

COSO (Committee of Sponsoring Organizations)
• a private sector initiative formed in 1985 to sponsor this National Commission on Fraudulent Financial Reporting.
• established by five of the largest accounting, auditing, and finance oversight committees in the United States.
• COSO’s goal: Improve the quality of financial reporting.
 
2013 COSO Internal Control—Integrated Framework

• contains 17 principles representing the fundamental concepts associated with each component.
• typically represented in the form of a cube.
1. CONTROL ENVIRONMENT

The control environment refers to the workplace environment, characterized by the way the organization is structured, the manner of leadership, the degree of openness, management’s operating style, and having and practicing the tenets of its code of ethics and statement of values.

The tone at the top is set and promoted by the board of directors and senior management, and it refers to the general attitude, integrity, and ethical practices of these individuals.

Organizational culture is the collection of learned beliefs, traditions, and guides for behavior shared among members of the organization. Happy employees deliver higher-quality customer service.

The control environment also includes the activities related to the competence and development of personnel, the assignment of authority and responsibility, and the organizational structure. Employee accountability requirements are also shaped by reporting lines, and these play an important role in the effectiveness of internal controls.

Management establishes a risk management philosophy and the entity’s risk appetite, forms a risk culture, and integrates ERM with related initiatives.

• It is important to remember that culture plays a key role in defining the control environment. According to Trompenaars, organizational culture includes 3 key elements:
1. The general relationship between employees and their organizations
2. The vertical or hierarchical system of authority defining superiors and subordinates
3. The general views of employees about the organization’s destiny, purpose, and goals, and their place in it

The following are some examples of unethical behavior that auditors should be on the lookout for:
• Undue emphasis on bottom-line performance
• High-pressure sales tactics
• Kickbacks or bribes

Communication, Consistency, and Belief in the Message

It is very important for management to communicate clearly, consistently, and often what is allowed and what is not. By setting clear expectations, there is a better chance that they will be followed.

Form over Substance


The five principles of the Control Environment are as follows:
• Principle 1 – Commitment to integrity and ethical values
• Principle 2 – BOD exercises oversight responsibility
• Principle 3 – Establish structure, authority, and responsibility
• Principle 4 – Commitment to competence
• Principle 5 – Enforce accountability
Entity Level Controls

Entity level controls are used to determine if an organization’s values, systems, policies, and processes would enable or dissuade fraud and encourage proper conduct. Auditing the entity’s framework requires the examination of tangibles and intangibles.

A person’s behavior may be different in unique situations, as the person acts in part in response to the environment. Lewin’s equation states that behavior is a function of the person and the environment:

B = f(P, E), where B = person’s behavior; P = person; E = environment

Internal auditors must work with management to make sure there are clear standards of performance, that rewards and sanctions are clearly communicated, and that employees are managed and aligned effectively.

Tone in the Middle

The tone in the middle dictates workplace conditions leading to customer and employee satisfaction, turnover, profits, and the achievement of goals and objectives.
2. RISK ASSESSMENT

Risks – events that can jeopardize the organization’s ability to achieve its objectives.
Risk assessment – the process of identifying, assessing, and measuring risks to the organization, program, or process under review.

COSO indicates in its 2013 IC-IF that the organization is subject to a variety of events. Risk assessment involves a dynamic and iterative process of identifying, analyzing, and deciding how best to respond to these risks in relation to the achievement of objectives.

Management specifies objectives within three separate but related categories:
• Reporting
• Compliance
• Operations

The SMARTER Model for Effective Goals

The link between audit findings and business objectives

Effects of Risk
• Loss of assets
• Negative publicity
• Erroneous decisions
• Customer dissatisfaction
• Fraudulent financial or operational reporting
• Erroneous record keeping and accounting
• Noncompliance with rules and regulations
• Purchase of resources uneconomically
• Failure to accomplish established goals
 
3. CONTROL ACTIVITIES

Controls are actions established through policies and procedures that mitigate the likelihood and/or impact of risks.

Controls can be manual, automated, or a combination of manual and automated.

Control activities can be categorized as:
• Preventive
• Detective
• Directive
• Compensating
4. INFORMATION AND COMMUNICATION

• Communication helps to improve motivation, builds trust, creates a shared identity and corporate culture, and engenders engagement.
• Information is also necessary for the organization to perform internal control activities that support achievement of objectives.

Bruce Berger states that internal communication occurs on multiple levels:
1. Interpersonal or face-to-face (F-T-F) communication
2. Group-level communications
3. Organizational-level communications
5. MONITORING ACTIVITIES

Monitoring activities consist of ongoing evaluations, separate evaluations, or a combination of the two, used to determine whether each of the five components of internal control is present and functioning.
IT Frameworks

COBIT (Control Objectives for Information and Related Technology)
• Establishing IT direction
• Project management
• Purchases
• Training end users

GTAG (Global Technology Audit Guides)
• are practice guides that provide detailed guidance for conducting internal audit activities.
ITIL (Information Technology Infrastructure Library)
• defines the organizational structure and skill requirements of an IT organization and standard management procedures and practices to manage an IT operation.

ISO (International Organization for Standardization)
• is an independent, nongovernmental organization. Through its 162 national standards groups, it brings together experts to share knowledge and develop voluntary standards that support innovation and provide solutions to global and business challenges.

CMMI (Capability Maturity Model Integration)
• is widely used in project management, software development, process assessment, and performance improvement within a project, division, or an entire organization.
