Technical Definitions

Risk

Oxford English Dictionary:
(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.

The IIA and COSO:
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Governance

The IIA:
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Specifically, the board's governance process must:

  • Promote appropriate ethics and values within the organization;
  • Ensure effective organizational performance management and accountability;
  • Communicate risk and control information to appropriate areas of the organization; and
  • Coordinate the activities of, and communicate information among, the board, external and internal auditors, and management.

Internal Control

1.  Definitions

Oxford English Dictionary (Control):
The action or fact of holding in check or restraining; restraint. The fact or power of directing and regulating the actions of people or things; direction, management; command. Prevention or limitation of the spread of disease or a noxious agent.

The IIA:
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

COSO:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. Internal control is:

  • Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance;
  • A process consisting of ongoing tasks and activities—a means to an end, not an end in itself;
  • Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control;
  • Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors; and
  • Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or … process.

This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.

2.  Guidance

FCIAA Control Objectives

The FCIAA requires State Universities to establish and maintain a system of internal controls which shall provide [reasonable] assurance that:

  1. resources are utilized efficiently, effectively, and in compliance with applicable law;
  2. obligations and costs are in compliance with applicable law;
  3. funds, property, and other assets and resources are safeguarded against waste, loss, unauthorized use, and misappropriation;
  4. revenues, expenditures, and transfers of assets, resources, or funds applicable to operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the State's resources; and
  5. funds held outside the State Treasury are managed, used, and obtained in strict accordance with the terms of their enabling authorities and that no unauthorized funds exist.

COSO Internal Control Components

The COSO Internal Control—Integrated Framework (2013) (“Framework”) sets forth requirements for an effective system of internal control, which provides reasonable assurance regarding achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to operations, reporting and/or compliance. An effective system of internal control is achieved with all five of the following components, operating together in an integrated manner, collectively reducing, to an acceptable level, the risk of not achieving an [(organizational)] objective.

  • Environment (culture and tone at the top)
  • Risk Assessment
  • Activities
  • Information and Communication
  • Monitoring (controls that assess controls)

All five of these components together are relevant to an entity’s operations, external and internal reporting, and compliance.

The Framework recognizes that while internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgment or decisions, or external events that can cause an organization to fail to achieve its goals. Management should be aware of the limitations when establishing and maintaining their system of internal controls so as to minimize such limitations.

Source: COSO Internal Control—Integrated Framework (2013) Executive Summary, May 2013.

Characteristics & Examples of Internal Controls:

Characteristics of Internal Controls:

  • Preventative/Detective
  • Automated/Manual
  • Entity-wide (e.g. Code of Ethics, Hotline, the Tone at the Top) / Activity-based (Transactional, Operational, etc.)
  • Objective/Subjective

Examples of Internal Controls:

  • Formalized Organizational Governance and Risk Management programs
  • Policies and Procedures
  • Authorizations (delegation of authority)
  • Segregation of Duties (SOD) (authorization, custody, recordkeeping, reconciliations/audits)
  • Monitoring / Independent Reviews
  • Physical Security (locks)
  • Logical Security (passwords)
  • Documentation and Audit Trails

Laws Impacting Internal Controls:

Public Company Accounting Reform and Investor Protection Act of 2002 (AKA the Sarbanes-Oxley Act of 2002 “SOX”)

To restore public confidence in the corporate governance of publicly-traded companies (companies with stock traded on U.S. exchanges regulated by the U.S. Securities and Exchange Commission (SEC)), this law created the following key provisions:

  • Internal control assessments and certifications
  • Fines and criminal penalties (specified max up to $5 million for individuals and 25 years, $25 million for corporations)
  • Whistleblower protection
  • Foreign Corrupt Practices Act of 1977 (FCPA)
    • Anti-Bribery objective (bribery of foreign officials)
    • Books and records requirements
    • Internal controls, including control of assets