The five components of the COSO Framework are as follows:
- Control Environment - The control environment includes management's attitude and perspective towards the seriousness of internal controls. It consists of the organisation structure, ethical values, HR policies, commitment to competence by the board, etc.
Importance - This is important as it gives a vision and a broader direction to the internal control efforts of the organization. It also shows the commitment and seriousness of the management towards such efforts.
- Risk Assessment - This involves a clear and precise assessment of the present risk scenarios of the organization and of its company-wide / process-level objectives. Only once we have determined the objectives are we able to assess risks.
Importance - This is important as internal controls are made only to mitigate and treat the risks faced by an organization. Therefore, risk assessment is the first step before we move ahead with the internal control process.
- Control Activities - These are the exact policies and procedures, laid out by the management on the basis of the risk assessment, that the organization has to follow. This includes various plans such as business continuity plans and backup plans as well.
Importance - This is the framework where the real execution happens and things/ideas come to reality in the form of set structures. Without this exercise, it would not be possible to bring any real tangible benefits out of the whole COSO framework.
- Information and Communication - This ensures, and takes an overview of, the flow of information and the communication channels within the organization. How effective really is the communication within the organization?
Importance - In this globalized and dynamic business environment, information is the key to better business decisions. Therefore, internal controls have to ensure that correct information is available at the right time to the right person to make sound business decisions.
- Monitoring - This involves continuous monitoring of the existing internal controls and finding scope for improvements within them, as well as reporting deficiencies, lack of information, etc.
Importance - It would not be correct to assume that whatever was done in the first instance is the best possible solution. There is always some scope for improvement. Monitoring fits that role well. It regularly finds deficiencies in the existing systems and reports the variable scope for improvement as per the dynamic changes in the environment.