Risk Assessment, Controls and Risk Management
Internal Control Definition and Objectives
According to COSO, internal control is a method, or process, carried out by an entity's board of directors,
management and other personnel that is designed to provide reasonable assurance that the company's objectives in the
following three categories will be achieved:
1) Effectiveness and efficiency of operations
2) Reliability of financial reporting
3) Compliance with applicable laws and regulations
Who Is Responsible for Internal Control?
- The board of directors is responsible for overseeing the internal control system, providing governance, guidance and
- The CEO is ultimately responsible for the internal control system and the "tone at the top".
- Senior managers delegate responsibility for establishment of specific internal control policies
- Financial officers and their staffs are central to the exercise of control
- Internal auditors play a monitoring role. They evaluate the effectiveness of the internal controls
- Virtually all employees are involved in internal control
Note: Internal auditors evaluate the effectiveness of the control systems and contribute to their ongoing effectiveness, but they
do NOT have the primary responsibility for establishing or maintaining the control systems.
Components of Internal Control
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
Component 1: The Control Environment
The control environment is the foundation for the other components. It provides discipline and structure, it encompasses the attitude
and actions of the board of directors, and it sets the "tone at the top". It consists of:
- Its ability to provide the necessary information flow to manage its activities.
- Adequacy of the definition of key managers' responsibilities, and their understanding of these.
- Integrity and ethical values:
  - Existence and implementation of codes of conduct and other policies regarding acceptable
    business practice, conflicts of interest, or expected standards of ethical and moral behavior.
- Management philosophy and operating style:
  - Nature of business risks accepted, e.g., whether management often enters into particularly
    high-risk ventures, or is extremely conservative in accepting risks.
  - Frequency of interaction between senior management and operating management.
  - Attitudes and actions toward financial reporting, including disputes, misapplied accounting
    principles, important financial information not disclosed, or records manipulated or falsified.
- Human resource policies and practices: include hiring, orientation, training, evaluating, counseling, promoting and