What are the COSO Five Components of Internal Control

Internal control is a very important thing for companies, for their management, and which aims to make it possible to better control all the processes implemented by the company to achieve its objectives.

Definition of internal control

Internal control can be defined as all the securities that contribute to the control of the company. His goal is twofold:

• Ensure the protection, safeguarding of the heritage and the quality of the information
• Ensure compliance with laws and regulations.
• Ensure the application of the instructions of the management to improve the performance of the company

Internal control is embodied in the establishment of methods, rules and procedures within the company. Internal control is very important in terms of accounting and its probative value, it must ensure that:

• All the facts must be recorded and the accounts must be complete
• The accounting is in accordance with the accounting rules and principles
• The larger a company is the greater the internal control mechanisms within it

Internal control pursues a global objective, the control by an organization of its activities. It is explained below via the COSO methodology. Although it is not the only one dealing with internal control, it is very widespread and is adapted to structure the control of risks related to the management of public policies.

COSO Five Components of Internal Control

The COSO repository declines internal control into four operational objectives:

• Compliance with laws, regulations, contracts
• The protection of heritage, in a now broadened meaning that includes, in addition to the assets of the organization, its agents and its image
• The reliability and integrity of financial and operational information (reliable and verifiable, comprehensive, relevant, available)
• The effectiveness and efficiency of operations

Thus COSO classifies five components of internal control that an organization must define and implement in order to better control its activities. These 5 components of devices are broken down for each of the 4 objectives described above and at all levels of the organization: entity, directorates, operational units, operators (controlled entities).

1. An Internal Environment Conducive to risk Control

It is based on:

• A commitment of the managers in terms of integrity and ethics
• The steering of the activities
• An appropriate organization (the different governance bodies fully fulfill their role)
• A clear definition of responsibilities and powers
• Formalized and disseminated procedures
• Mobilization of skills

2. A Risk Assessment

This one comprises two times:

• The identification of risks based on an analysis of activities, both at the overall level of the organization and at the detailed level of each of its activities
• Prioritizing these risks according to their impact in terms of issues for the organization

3. Existing Control Activities

This may cover:

• This must be proportionate to the stakes,
• They can be transverse to the body, to face general or activity-specific risks,
• They are of various natures: setting up a procedure, a method, mutual control action or supervision

4. Information & Communication

It covers:

• The quality of the information (content, availability, update, accuracy, accessibility) necessary for internal control,
• The quality of information systems, strategic and integrated with operations,
• The definition of the rules and methods of internal communication (involvement of the general secretary in internal control, good knowledge of the internal control system by the agents),
• External communication (information outside the organization on the implementation of the internal control approach)

5. Monitoring

It is based on:

• The appropriation of internal control by each manager who must lead him to define Set up and control the risk management systems within his area of ​​responsibility
• Raising the awareness of those responsible for the nature of internal control (control of activities) and what they must do to implement it, so as to allow this appropriation
• ongoing updating (updating) processes of internal control systems
• Evaluation mechanisms (internal continuous and external ad hoc, including internal audit)

Internal control is characterized by the existence within an entity of an organization system with persons responsible for its implementation. This device must provide:

• An organization with a clear definition of responsibilities that has adequate resources and expertise and is supported by appropriate procedures, information systems, tools and practices
• The internal dissemination of relevant, reliable information, the knowledge of which enables everyone to exercise their responsibilities
• A system to identify and analyze the main identifiable risks with regard to the company’s objectives and to ensure the existence of procedures for managing these risks;
• Control activities proportionate to the issues specific to each process and designed to reduce risks likely to affect the achievement of the Company’s objectives
• A permanent monitoring of the internal control system and regular reviews of its effectiveness

One could easily believe that internal control is the business of the company’s managers, but it is: this device must concern all the people of the company (managers and employees) to be effective. The managers are responsible for defining, promoting and monitoring the system best suited to the situation and the activity of the company. Employees must have the knowledge and information necessary to establish, operate and monitor the internal control system in relation to the objectives assigned to them.