Describe how the 5 (five) COSO components play their roles in the AIS
The primary objective of accounting information is to control threats. A threat is a potential adverse or unwanted event that may harm the accounting information system (AIS) and, ultimately, the organization. Management therefore adopts a proactive approach so that it can eliminate threats from the system before they occur. Where a threat has already occurred, accountants must detect it, correct it and recover from its effects as soon as possible. This requires management to implement internal controls that assure efficient implementation of the AIS. One of the most widely used control frameworks is COSO. The five components of the COSO framework are:
1. Control Environment: The control environment here refers to the internal control environment. It includes management's philosophy, human resource policies and procedures, organizational structure, management's operating style, commitment to ethical values and integrity, commitment to competence, assignment of authority and responsibility, and so on. The main purpose of the control environment is to lay a strong foundation for a sound internal control system, based on the organization's philosophy, shared values, directed leadership and assignment of authority and responsibility.
2. Risk Assessment: Before the risk assessment process begins, company-wide and process-level objectives are defined so that they can serve as standards in that process. The perspectives and types of risk are then analyzed, and a risk response is adopted accordingly. Risk identification and assessment should be undertaken at regular intervals across all of the organization's levels and functions.
3. Control Activities: Control activities include segregation of duties, design and use of documents and records, proper authorization of records and transactions, safeguarding data, physical and independent checks on performance, safeguarding assets, and so on. These control activities and mechanisms should be designed proactively so that threats can be addressed and mitigated easily and in a timely manner.
4. Information and Communication: Information about the identified risks, and about the controls applied to them in order to achieve the organization's objectives, should be communicated to the relevant authorities and departments through the proper established channel.
5. Monitoring: The internal control system should be monitored continuously, and if a threat is identified, corrective action should be initiated on time. Monitoring can be done through effective supervision, internal audits, installing fraud detection software, tracking software and mobile devices, applying responsibility accounting systems, and so on.