The Committee of Sponsoring Organizations (COSO) of the Treadway Commission have suggested that ( : " Senior executives have long sought ways to better control the enterprises they run. Internal controls are put in place to keep the company on course toward profitability goals and achievement of its mission, and to minimize surprises along the way. They enable management to deal with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth. Internal controls promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations. Because internal control serves many important purposes, there are increasing calls for better internal control systems and report cards on them. Internal control is looked upon more and more as a solution to a variety of potential problems ".

Where there are risks to the achievement of objectives, which mean failure is a strong possibility, controls have to be put in place to address these risks. If not failure becomes likely. At the same time, controls cost money and they have to be worthwhile. A lot depends on the risk appetite and what is considered acceptable as opposed to the organization and its stakelhoders.

Poor controls lead to losses, scandals, failures and damage the reputation of organizations in whatever sector they are from. Where risks are allowed to run wild and new ventures are undertaken without a means of controlling risk, there are likely to be problems.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued Internal Control-Integrated Framework to help businesses and other entities assess and enhance their internal control systems.

This framework has been recognized by executives, board members, regulators, standard setters, professional organizations, and other as an appropriate comprehensive Frameworkfor Internal Controls.

The internal control process begins with management's setting financial reporting objectives relevant to the company's particular business activities and circumstances.

Once set, management identifies and assesses a variety of risks to those objectives, determines which risks could result in a material misstatement in financial reporting and determines how the risks should be managed through a range of control activities.

Management implements approaches to capture process and communicate information needed for financial reporting and other components of the internal control system. All this is done in context to the company's control environment, which is shaped and refined as necessary to provide the appropiate tone from the top.

These components are monitored to help ensure that controls continue to operate properly over time.

The COSO components include:

-Control Environment: which is an indicator of the level of control consciousness of the company. It is the basis for all the other components providing direction, discipline, and structure.

-Risk Assessment: represents the identification and analysis of relevant risks to achieving objectives. This component forms the basis for how risks should be identified, managed, and reported.

-Control Activities: are embedded in the operational and financial processes and ensure that necessary actions are taken. - Information and Communication: identifies, captures, and communicates upstream and downstream data and information.

-Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilites. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilites must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

-Monitoring: refers to the process that assesses and evaluates process effectiveness, efficiency and compliance in addressing the internal control objectives. Included within the monitor component of COSO is the responsibility to report on the company's internal control posture.



The extent to which any organization's internal control system is effective is limited to those individuals designing, implementing, and performing the controls.

Individuals within an organization must be aware of their responsibilities and limits of authoritiy. This can potentially limit the effectiveness of the internal control system due to supect judgment, decision making, and human error. Moreover, implementing internal controls must be considered within the constraints of their cost-benefit; the relative costs of implementing a particular control must not outweigh the benefits of its implementation.

Internal control is also limited by external forces that cannot be controlled by the organization such as guranteed returns on investments, natural disasters, change in regulatory enviorenment, etc. Properly designed internal control systems will, however, provide reasonable assurance that management will be made aware of these events in a timely manner and will facilitate remediation processes.

Other limitations of internal control include collusion of two or more people and management override of the internal control system.

Keep in mind that, in order to be effective, the internal control system needs to be aligned with the organization's objectives such that performance of control activities necessary to achieve the objectives are properly designed, implemented, and executed.

For further information on COSO go to