How to Assess the System of Internal Control

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I am in the process of reviewing and commenting on the latest set of draft guidance from COSO. (You may have seen my post on their SOX guidance; I am still waiting for someone to tell me that I am wrong in my assessment).

The core of the internal controls guidance is, in my opinion, how you assess the adequacy of the system of internal control.

In this post, I am going to review the process I follow in assessing the system of internal control. I will include references to the latest version of the draft framework, but the purpose of this post is not to comment on how the assessment of internal control is handled in the draft: it is to set the basis for such a commentary.

Let’s start with the definition of internal control. While I realize some disagree with the COSO definition, it’s certainly a good place to start (¶ refers to the paragraph number in the COSO draft):

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. (¶14)

From this, we can derive what constitutes an effective system of internal control. While it is pretty obvious, I will refer again to an excerpt from the COSO draft:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. (¶86)

There are two keys to this:

1. Controls provide reasonable assurance that risks are reduced to an acceptable level, and

2. Only reasonable assurance can be achieved because:

a. As COSO explains, in the original draft and in the updated one, the system of internal control is subject to human error and susceptible to collusion

b. Objectives may be poorly defined

c. The identification and assessment of risks to the achievement of objectives is subject to error

This is a critical point: The system of internal control does not provide assurance directly on the achievement of objectives. It provides assurance that risks to the achievement of objectives are acceptable.

So, there is always a risk, which management and the board have accepted, that objectives will not be met.

Another key point is this: If there are too many controls, then the objective of efficient operations is not met!

So while it is important to consider effectiveness, it is also important to consider efficiency.

The bottom line is this: “An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories”. (¶86)

In order to achieve this, you need:

1. Clearly defined objectives

2. A well-executed risk assessment that defines the risks to achievement of objectives

3. Definition (which is preferably formal) of the level of risk that management and the board are willing to accept

4. A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels

5. An efficient combination of controls

So, what do you think? Do you agree or disagree?

I will review in a later post how the COSO draft handles the topic.

Posted on Oct 18, 2012 by Norman Marks


  1. I totally agree with you Norman.

  1. Dear Norman,

    I find it interesting and appropriate that you include the criterion of efficiency when discussing effectiveness, that is, effective internal controls. If effectiveness is about "doing the right thing" and efficiency is about "doing it well", I wonder whether you might consider a third "E", that is, economy. Or is the criterion of "doing it cheaply" or "doing it economically", which may sound better, to be ignored? Or is that subsumed in the dimension of "efficiency"? Interested in your thoughts on this.

    Best regards,
    Rainer

  1. Mark

    I consider this approach too limited. I believe an assessment of an internal control system should also include:

    an assessment that adequate policies and procedures, and international standards, have been developed and are being used during the activities performed in order to reach the objectives

    an assessment of whether management has adequately checked that the controls in the procedures are properly executed and has developed a priority list of continuous improvements

    an assessment of the tone at the top and the ethical behavior culture in the company

    Maybe that is what you said in point 4, but I believe that point 4 needs to be explained in more detail.

  1. I more or less agree with Jan. Point is that you don't make the connection to the 'COSO cube'.

    I consider his 'assessment' to be part of investigating the 'control environment'. This is also part of the IFAC guidelines on auditing (IAS). I don't know if his other remarks cover 'information and communication' and 'monitoring' sufficiently.

    Then I also miss 'monitoring'. I have been involved in some engagements regarding risk management and controls in which managers (below C-level) stated that they were aware of some objectives, but neglected them as the performance on these objectives was not monitored and they had a hard job meeting other objectives they had to report about.




  1. Jan and Frans,

    The COSO Cube and 1992 Framework tell you where you will find the controls you need, but how will you know when you have either too many or too few? I am suggesting that you need a combination that reduces the level of risk to objectives to acceptable levels.

    Do you agree that you can have controls in each Component without having controls that work effectively to modify risk to acceptable levels?

  1. Internal control itself cannot eliminate risk on its own unless Tone At The Top and Good Governance, corporate policies and procedures are followed and practiced religiously. If the company policies and procedures are weak, then internal control cannot do much. If the policy is strong but not reviewed and updated regularly in response to internal and external risk, then that policy would not be effective. If policy is strong but management action is poor, then internal control itself cannot eliminate risk. So it is a collective effort that the Company needs to apply to mitigate the risk.

  1. Kai, these are all part of internal control per the COSO Internal Control Framework of 1992. As described in that widely accepted framework, the system of internal control has 5 Components: Control Environment (which includes tone at the top and board oversight of internal control), Risk Assessment, Control Activities, Monitoring, and Communications.

  1. Norman:

    I agree with you completely that the purpose of controls should be to reduce the level of risk to acceptable levels. What I don't see in the COSO internal control framework or ICFR is an approach that puts visibility on the level of retained risk or the process used to assess whether that level of retained risk is acceptable.

    I continue to promote the simple idea that effective controls = a tolerable level of residual risk linked to achievement of objectives acceptable to senior management and the board in pursuit of the organization's objectives. The primary caveat I have is that more than what has historically been called "controls" should be considered. When "controls" are used as terminology there should be clarity about what risk or risks they "treat" and whether they are mitigating risk likelihood, consequence or both. All viable forms of risk treatment should be considered, including risk transfer/risk share/risk finance/risk acceptance/risk avoid options. A link to a presentation at the IIA GRC Conference is below for those interested.

    It is indeed unfortunate that, in spite of pleas from knowledgeable experts around the world in response to the Dec 2010 exposure draft, COSO has rejected integration of enterprise risk and control management.


  1. Tim, thanks for the support and comment.

    Can you provide additional detail on how the description of the Risk Assessment Component is lacking in the updated draft? There is discussion of inherent vs. residual risk and the need to compare residual risk to tolerances.

  1. Norman/Tim, excellent pushing the envelope. "System of internal control"? What the Heck!

  1. Norman:

    I recognize that "Risk Assessment" is represented as a category within COSO 92 and the 20+ year update. The real question is whether risk management should be dominant over a narrow range of risk treatments called "internal controls". The notion that "controls" should dominate has been the position that the US Congress via the wording of SOX 404, COSO the Committee and the SEC have taken to date. I respectfully disagree with that decision. The paper that my daughter Lauren and I authored that was presented to Congress and the SEC on the need to make ERM dominant over IC can be accessed at:

    Although I understand COSO 92 was intended to be used for a much wider purpose than ICFR, the reality is that, because the SEC endorsed it as suitable for ICFR, it came into much wider use. Before that happened in 2003/4 there was very little real adoption of COSO per IMA research for the broader set of objectives necessary for success. Do you know of any company that uses COSO to help them improve customer service, product quality, safety, environmental compliance in a tangible, demonstrable way?

  1. Tim, the new draft only says you need to respond in some way if the risk is not something you are willing to accept or avoid.

    Can you look at that section and provide comment, so we can help the authors upgrade it? It is in all our interests to help them deliver a quality product that adds value whatever the set of objectives.

  1. I completely agree with the article. A lot of auditors (internal and external) seem to forget that controls are intended to provide reasonable assurance, and sound the alarm for isolated, non-recurring, non-intentional, and non-material omissions in the control system. When their reports reach high-level decision makers, it often leads to over-controlling, where an organization loses sight of its objectives, diverting its focus to controls as a goal in themselves. Efficiency is lost, people start losing their motivation, and wonder what the point of a number of the controls in the system is. Not to mention that a number of good transactions are blocked or rejected for trivial issues. That is when the controls of an organization potentially start contradicting and undermining the achievement of its vision and mission.

  1. Norman:

    I will be providing detailed comments to the COSO re-exposure draft before the Nov 16th deadline in the hope there is some genuine willingness to listen. Based on the changes made to the re-exposure draft in response to the scores of comments to the Dec 2010 ED, I am not optimistic but haven't given up hope.

    Based on what I have seen in practice, few firms using COSO for ICFR have attempted to evaluate and rank the composite uncertainty of an account balance being materially wrong. In fact, we regularly see firms that claim to be using COSO spend little or even no time documenting and measuring specific risks that threaten the objective of reliable financial statements, specific disclosure line items or notes. The fact that there is a risk assessment category in COSO and a few minor remarks linked to risk is not likely to change this. COSO needs to significantly elevate the risk assessment element. The easiest way to do this is to integrate COSO ERM and COSO integrated internal control. COSO has stated they are unwilling to do this. The reasons stated by COSO for not being willing to integrate are vague in my view.

  1. I agree with all your comments, specifically regarding the efficiency aspects of this ICOFR "issue". Coming from a SOX compliance background where at the beginning (2004-8) the whole universe was taken into consideration due to lack of guidance, I always said that I was not in the business of making my auditees' lives more complicated than they already were. An integral component of my Risk Assessment at the beginning of each year was to conduct a Control Rationalization to determine my key controls; however, common sense should be used when performing a Control Rationalization, because even if an IC is in place it doesn't have to be taken into consideration if there is a more effective compensating control (or controls) somewhere else. That is also a good time to discuss process improvements with the auditees and specifically to ask for their opinions, as they are the ones in the "trenches" per se. My concern is that those far removed from the actual processes lose perspective of what is important, more efficient, etc. Taking into consideration the input from the process owners, "effectiveness and efficiency" can be achieved. Therefore my opinion is that the 5 things you need for an effective and efficient system of Internal Controls MUST include a Control Rationalization conducted with the input of the process owners.

  1. You refer to an objective relating to one, two, or all three categories. What are the categories of which you speak?

  1. Frank, the draft refers to operations, reporting, and compliance.

  1. Thank you Norman.
