AN INTRODUCTION TO COSO TOOLS FOR EVALUATING INTERNAL CONTROL
Introduction:
The world over, the domain of internal control is of great interest and importance to auditors, managers, accountants and legislators as they carry out their respective functions, roles and responsibilities. The public gaze is on them to ensure fair play, and this has become all the more important with the onset of governance in the corporate arena. This avowed objective has resulted in the development of several tools and documents to understand and evaluate the internal control processes of various business entities. Two decades of effort by professionals in the field have gone into defining, assessing and reporting on the concepts of internal control.
The four important internal control documents generated by professional bodies include:
Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55, 1988), as amended by SAS 78 (1995), developed by the American Institute of Certified Public Accountants;
Systems Auditability and Control (SAC, 1991), as revised in 1994, developed by the Institute of Internal Auditors Research Foundation;
Internal Control: Integrated Framework (COSO, 1992), developed by the Committee of Sponsoring Organisations of the Treadway Commission;
Control Objectives for Information and Related Technology (COBIT, 1996), developed by the Information Systems Audit and Control Foundation.
Applicability of Conceptual Documents:
Although each of the above documents was released at a different point in time, each has evolved by relying on the earlier documents. However, each has its own audience, while the platform on which they all operate remains 'internal control'. COBIT provides a tool for business process owners to discharge their IS control responsibilities efficiently and effectively; SAC provides assistance to internal auditors on the control and audit of information systems and technology; COSO, on the other hand, is a management tool to evaluate control systems, report on them and improve them; and SAS 55 and SAS 78 provide guidance to external auditors on the impact of internal control on planning and performing an audit of an organization's financial statements.
The set of tools, to evaluate an entity's internal control system, developed by COSO is offered with a management perspective. Therefore, the internal auditors and statutory auditors would immensely benefit by urging the management to go in for it, and help them document and gradually build internal controls prevailing in the business entity. Thereby, the auditor’s limited time gets focussed on critical issues. This paper therefore attempts to briefly discuss issues emanating from it.
The COSO Committee:
The Committee of Sponsoring Organisations of the Treadway Commission was constituted by professional bodies, which oversaw the development of the tools to evaluate the internal controls prevailing and practised in different business enterprises. The representative bodies included:
i) American Institute of Certified Public Accountants
ii) American Accounting Association
iii) The Institute of Internal Auditors
iv) Institute of Management Accountants
v) Financial Executives Institute
Scope and Limitation of COSO Tools:
The tools so developed are only a guide and the users will have to develop their own tools specific to each organisation. But the familiarity of the developed tools will aid professionals in sharpening them further, to suit specific entities.
The facts and circumstances vary between industries and enterprises. Therefore it is obvious that evaluation methodologies and documentation techniques necessarily have to vary. The tools developed under COSO can be used as a starting point in professional assignments and endeavours. This can then lead to the development of innovative models that properly reflect the facts, conditions, risks etc. relevant and unique to each enterprise or industry. Further, the tools have to be tailored to suit small and medium enterprises, where controls are exercised differently. Also, the information technology environment has a dominant role to play in shaping the tools of an enterprise today, and it would therefore be useful to borrow relevant portions from other control documents as well.
This paper proposes and attempts to take the reader through the broad framework of the COSO tools. If auditors, management or other users are motivated to frame tools either on their own or through the use of COSO tools, then this paper would have achieved its objectives and served its purpose.
Internal Control defined:
The COSO report defines internal control as: a process, initiated by the board of directors, management and other personnel in an organisation, designed to provide reasonable assurance regarding the achievement of its objectives in the following areas-
i) Effectiveness and efficiency of operations
ii) Reliability of financial reporting
iii) Compliance with applicable laws and regulations
The tool, however, cannot be a substitute for management, as the people involved have to continuously anticipate changes in the external and internal environment and modify the tools on an ongoing basis. Therefore, the tools developed under COSO evaluate the internal controls of a business entity as of a point in time, as opposed to for a period of time.
Functions enabled by use of COSO Tools:
In achieving the above objectives of a business enterprise, the tool offers the flexibility of being used for various functions, both by management and by the auditors. Specifically, the tool supports evaluations at various levels and of various components, as detailed below:
Evaluating different components of an enterprise, either individually or all of them together.
Evaluating category/categories of controls in an enterprise.
Focussing on individual activities of the enterprise.
The way control is exercised in any enterprise will depend upon the organisation structure and the communicating channels employed. Hence, the generic tool can only be illustrative and may require modifications to suit the control environment of every organisation. Generally speaking, the tools have been focussed to cater to the following 6 interrelated components of a business environment:
Control Environment
Risk Assessment
Control activities
Information and Communication
Monitoring
Overall internal control System evaluation
CONTROL ENVIRONMENT
Broadly, the control environment focuses on the following seven sub-set areas:
i) Integrity and Ethical Values
ii) Commitment to Competence
iii) Board of Directors or Audit Committee
iv) Management's Philosophy and Operating Style
v) Organisational Structure
vi) Assignment of Authority and Responsibility
vii) Human Resource Policies and Practices
Integrity and Ethical Values:
The coverage of integrity and ethical values sets in motion the philosophical values of the enterprise together with the moral guidance given by management to its employees. It encompasses the factors that provide a foundation for the other components. Generally speaking, the tool looks into the existence of a code of conduct, policies regarding acceptable business practices, conflicts of interest and/or standards of ethical and moral behaviour. The whole gamut of interaction within the organisation and with the external environment is sought to be documented through this tool. In fact, this is also an attempt to determine to what extent the above virtues are communicated to the internal and external participants of the organisation. The tool also takes cognizance of the appropriateness of remedial action taken in response to departures from approved policies and procedures, and of the attitude of management towards intervention in, or overriding of, established controls.
The tool evaluates finer aspects of integrity and ethical values, as deep as -
Illegal and improper payments
Anti-competitive guidelines
Insider Trading
A host of such issues that fall within the ambit of integrity and ethical values are evaluated and comments, if any, are noted alongside each one of those queries. Such observations/comments made, for each of the critical queries in a sub-set area, are summarised and noted down in a box.
Commitment to Competence:
In this ever-changing world, organisations are exposed to Darwin's theory of 'survival of the fittest'. It therefore becomes essential for management and audit to determine management's commitment to competence in terms of knowledge and skills.
The tool speaks of the formal and informal job descriptions and the knowledge and skills needed to perform the jobs adequately. The tool is, therefore, an evidence gathering process to determine the management's perception of competence, knowledge and skill.
It is not enough for management to determine the skill level required for each job; it must also translate this into action. The tool therefore considers:
Management's analysis of the skills needed for each job;
The extent of judgement and the extent of supervision needed for each job;
The extent of evidence available of management's commitment to competence.
Board of Directors or Audit Committee:
The oversight function of the Board of Directors or the Audit Committee has the object of constructively challenging management's planned decisions. The tool presupposes the independence of the Board or the Audit Committee from management. Issues like the knowledge and experience of directors, the frequency and timeliness of meetings, and the compensation, appointment and termination of executive officers are all points of focus for the auditor in determining the efficiency and effectiveness of the oversight function.
The tool looks at the processes involved in informing the Board of vital issues relating to the company's performance. It also documents the manner in which the Board or the Audit Committee takes them up in ensuring effective internal control. More specifically, the internal audit function uses the tool to obtain evidence on the following aspects -
Board Committee, Meetings and Membership;
Board's Commitment to challenge the decisions of the management;
Knowledge and industry experience of the members;
Minutes of the Board Committee Meetings- effective implementation of the decisions taken;
Reporting and follow-up procedures.
Management's Philosophy and Operating Style:
The philosophy and operating style of management has a pervasive effect on the day-to-day working of the organisation. The auditor has to build an exhaustive set of queries to document evidence on the style of functioning of management. The coverage includes:
Nature of business and risks accepted
Personnel turnover in key functions
Management's attitude towards accounting and data processing to ensure:
    Safeguarding of assets,
    Control over risk,
    Effectiveness and efficiency of operations.
Attitudes and actions towards financial reporting.
To be more specific, the auditor collects evidence by querying on issues like-
Management's approach to risky ventures and the processes involved in analyzing them;
Retention ability of key personnel;
Procedures and policies of accounting functions and the seriousness with which management is involved in their formulation;
Management's attitude towards inappropriate practices.
Organizational Structure:
The tool contemplates an organisational structure that is neither so simple nor so complex as to inhibit the necessary flow of information. The structure should be such that executives fully understand their control responsibilities and possess experience and knowledge commensurate with their positions.
The tool, therefore, is designed to concentrate on the appropriateness of the organizational structure and its ability to provide the information flow needed for management's decision process. It discusses issues relating to:
Key managers, their responsibilities and their understanding of the same.
Knowledge and experience of key managers
Reporting relationships
Flexibility of the organizational structure to be subject to modifications in view of changed conditions
The broad framework listed above will focus on issues such as:
Centralization and decentralization of duties and responsibilities;
Reporting relationships to take into its fold the effectiveness of formal, informal, direct or matrix approach to communication among employees;
Structural changes on account of change in technology and changes in external environment due to competition and regulatory requirements.
Assignment of Authority and Responsibility:
This provides the basis for accountability and control. Since authority and responsibility are two faces of the same coin, they have to be clearly defined to set forth roles for individuals in the organisation.
This tool deals with various aspects of authority and responsibility to deal with organisational goals and objectives. Specifically, the following concepts are covered under this tool:
Responsibility and delegation of authority relating to operating functions
Regulatory requirements
Responsibility for information systems and authorizations for changes
Control related standards and procedures including job descriptions
Adequate work force with requisite skill levels
Appropriateness of delegated authority in relation to assigned responsibilities.
In other words, an appropriate balance between the authority needed to get a job done and the involvement of senior personnel wherever needed is clearly visible in organizations where authority and responsibility are given a logical relation. In such organizations employees are empowered to correct problems or implement improvements, provided that empowerment is accompanied by competence and clear boundaries of authority. The documentation process under this tool requires eliciting responses from employees in the organisation.
Human Resource Policies and Practices:
An enterprise recruits people in the process of achieving its goals. People are the most important resource in an organisation while the organisation strives towards its goals. Hence, it is all the more important to have appropriate policies and practices in recruiting and retaining competent people.
While gathering evidence on policies, practices and procedures of human resource planning, the internal auditor shall employ this tool covering the following aspects:
Policies and procedures for hiring, training, promoting and compensating employees.
Awareness of their responsibilities and their expectations.
Remedial action towards departures from approved policy.
Adherence of personnel policies to ethical and moral value of the organisation.
This tool looks into a host of issues relating to the human resource policies and practices of the organisation. The quality of the auditee depends upon the quality of its employees. The integrity and ethical values ingrained in the employees and the level of motivation instilled in them determine the future prospects of the business. Hence the specific steps taken by management to retain competent personnel in the organization need to be documented to gather evidence about the prevailing practices.
RISK ASSESSMENT
The entity's risk environment is also important from the point of view of internal audit. The risk environment encompasses both entity level risk and activity level risk. Therefore the risk assessment process should take into consideration both external and internal factors that could impact and impair the achievement of the entity's objectives. Risk identification includes examining external factors such as technological development, competition and economic changes, and internal factors such as personnel quality, the nature of the entity's activities and the characteristics of information system processing. Risk analysis involves estimating the significance of a risk, assessing the likelihood of the risk occurring and considering how to manage and mitigate it. The sub-sets in the risk assessment process include:
Entity wide Objectives
Activity level Objectives
Risks
Managing change
Entity wide Objectives:
In order to have an effective control, the business entity should have established objectives. They also serve the purpose of identifying the risk environment. The entity wide objectives are broad statements of its expectations and desires to achieve specific long-term results. They are supported by strategic plans and it is imperative for the internal auditor to take stock of such objectives in the process of risk assessment. The areas of focus would include:
Broad Statements and guidance on what the entity desires to achieve and its documentation thereof.
Communication of entity wide objectives to the employees and the Board.
The extent to which the strategies of the organisation are aligned to entity wide objectives.
Consistency of activities such as business plans and budgets with entity wide objectives, strategic plans and current conditions.
This is important to identify whether there is an effective allocation of resources and priorities have been established to carry on the business based on the overall objectives. Plans and budgets will form an important component of this tool and the evaluator drills deep into this subject to find out whether they are realistic and are meticulously being adhered to.
Activity level Objectives:
Activity level objectives are organisational goals which are subject to specific targets and deadlines. Every significant activity should have specific objectives, and it is needless to say that they have to remain consistent with other activity level objectives. Since activity level objectives have a significant impact on day-to-day business processes, the internal auditor has to delve into this area at greater length in order to gather useful evidence. Queries in this area will include:
Coherence of activity-level objectives with entity wide objectives and strategic plans.
Consistency of activity-level objectives with each other.
Relevance of activity-level objectives to all significant business processes.
Involvement of various levels of management in objective setting.
Earmarking of resources in achieving activity level objectives.
The generic business model provides an insight into the list of activities for which the objectives are to be set. An illustrative list of such activities, grouped as in the generic business model, would include:
Core Business Activities:
    Inbound
    Operations
    Outbound
    Marketing & Sales
    Service
Support Activities:
    Procurement
    Human Resources
    Technology Development
    Enterprise Management
    External Relations
    Administrative Services
    Information Technology
    Risk Management
    Legal Affairs
    Planning
Processes:
    Costing
    Accounts Payable
    Accounts Receivable
    Funds Processing
    Fixed Assets Processing
    Reconciliation
    Payroll
    Tax Compliance
    MIS Reporting
This sub-tool, although exhaustive in its coverage, requires the identification of those objectives that are critical success factors for the achievement of entity wide objectives. It is important that managers not only participate in establishing activity level objectives but also support them without any "hidden agendas". In other words, the tool looks at the procedures for resolving disagreements, thereby ensuring that activities are complementary and reinforcing and that activity level objectives are economical in their approach.
Risks:
As already described above, the entity must have a process in place to identify and understand risks both within and outside the organisation. It is the role of the internal auditor to determine the effectiveness of the business entity's risk assessment processes and of the steps taken to manage anticipated risks. As an approach to this, the internal auditor or management will document the following aspects in order to reach their own conclusions on the risk assessment processes and the aspects relating to them.
Adequacy and effectiveness of identifying risks arising from external sources: Examples will include:
Supply Sources
Technology Changes
Creditors Demands
Competitors Actions
Economic Conditions
Political Conditions
Regulation
Natural Events
Adequacy and effectiveness of identifying risks arising from internal sources relating to:
Human Resources
Financing
Information Systems
The process of risk identification and assessment has to be carried out with respect to each significant activity level objective. It is also important that appropriate levels of management are involved in analyzing the risks and business continuity plans are prepared to take care of contingencies.
Managing Change:
It is not enough to identify and assess risks in business entities but it would be necessary to adapt to changes in the external environment to manage risk. The entity’s activities evolve and change as the economic, industry and regulatory environments change. The internal auditors will have to identify whether mechanisms exist to identify and react to changing conditions in the external environment.
The audit function will look into the mechanisms that anticipate and identify changes as a matter of routine and also such changes that have a dramatic and pervasive effect on the activities of the business. The existence of clear segregation with respect to responsibilities in managing change within the organisation is verified and documented. Broadly, the coverage will look at potential changes in the following areas, which will have a pervasive effect on the organisation as a whole:
Changed operating environment
New personnel
New or Redesigned Information Systems
Rapid Growth
New Technology
New Lines, Products, Activities and Acquisitions
Corporate Restructuring
Foreign Operations
Each of the above sub-set areas has specific risk issues associated with it on account of the changes that happen from time to time. Routine changes are addressed as part of the normal risk identification and analysis process, while risks associated with business opportunities and competition are addressed at sufficiently high levels in the organisation. Critical issues have to be raised to identify the impact of changes in the above areas and their effect on the profitability and economic viability of the business. The audit function needs to oversee the steps taken by management in managing change, keeping in view the long-term sustainability of the business entity.
CONTROL ACTIVITIES
Control activities are implementation procedures drawn from a wide range of policies to ensure that management's philosophy and directives are put into effect. As a result, the perceived business risks are addressed in order to achieve the entity's objectives. The object of scrutinizing this set of activities is to ensure that the entity has a set of policies and procedures sufficient to achieve its objectives. Internal audit also has to verify whether the controls have been properly understood, are in place and are being applied properly. Just as risks are assessed for every relevant objective, so every such risk should have an associated control activity to take care of the identified and assessed risk.
In other words, control activities are a set of policies and procedures that ensure employees carry out management directives. In achieving this, the activities involve review of the control system, physical controls, segregation of duties and information system controls. Information system controls include general controls and application controls. General controls are those that cater to access, software and system development; application controls, on the other hand, are those which prevent errors from entering the system and provide for the detection and correction of errors on a timely basis. The audit function will query whether the control activities are in place and are being applied properly. Considerations in this direction will include:
Controls described in policy manuals are actually applied and are applied the way that they’re supposed to be.
Appropriate and timely action is taken on exceptions or information that requires follow-up.
Whether supervisory personnel review the functioning of controls on a timely basis.
INFORMATION AND COMMUNICATION
The entity obtains information and communicates it to management and employees depending upon its relevance. The information system identifies, captures and reports financial and operating information as a matter of control. Personnel receive the information and act according to their roles in the internal control system. Problems, if any, are reported to top management with the object of seeking guidance in discharging their duties. External parties also provide information to, or communicate with, the organisation in the normal course of business. All these are part of the information and communication systems of a business entity.
The point of focus in this tool is both on information and communication, which are dealt with separately.
Information:
The auditor will have to concentrate on the efficiency and effectiveness of the enterprise in identifying, capturing and processing data or information for the business. He has to raise queries to look into the following aspects relating to information systems:
Existing systems in obtaining external and internal information and the manner in which it is passed on to the management or to the right people.
Alignment of information systems based on strategic plans.
Management's commitment of resources, human and financial, to the development of the necessary information systems.
Communication:
Communication is inherent in information processing. Effective communication involves flow of relevant information across the organisation and also with external parties. Audit shall look into the following aspects for ensuring an effective communication system in the organisation:
Communication of duties and control responsibilities to employees effectively.
Receptivity of management to employees’ suggestions.
Adequacy of communication across organisation (Ex: between Procurement and Production activities)
Openness and ethical behavioural standards with external parties.
Timely and appropriate follow-up action.
MONITORING
Management monitors the control system by reviewing the output generated by regular control activities and by conducting special evaluations. Regular control activities include comparing physical assets with recorded data and reviewing reports given by internal and external auditors. Deficiencies identified during regular control activities are reported to the supervisors in charge, while those identified during evaluations are communicated to higher levels of management.
The tool looks at monitoring with a three-dimensional approach. It includes:
Ongoing Monitoring
Separate Evaluation
Reporting Deficiencies
Ongoing Monitoring:
As generally understood, ongoing monitoring occurs in the ordinary course of business, and this is an important area for internal auditors in assessing the quality of the internal control system of the organisation. The areas that need to be looked into by audit, with specific queries on each area, include:
Obtaining evidence about the existence and sufficiency of internal control procedures.
Corroboration of communications from external parties with internally generated information.
Reconciliation and Physical verification of assets and liabilities.
Response to internal and external auditors' recommendations.
Training programs
Effectiveness of internal audit activities.
Separate Evaluation:
The need for separate evaluation arises only to understand whether the existing internal control system is sufficient and effective under changed conditions of risk and business environment. The areas to be covered for determining the appropriateness of separate evaluation will include:
Scope and frequency of separate evaluations of internal control systems.
Appropriateness of evaluation processes and its methodology.
Appropriateness of level of documentation.
Reporting Deficiencies:
Deficiencies in internal control should always be reported to top management and, if necessary, may have to be carried to the Board or to the Audit Committee. The auditor has to review the reporting procedures that exist for deficiencies as they come to light from within and outside the organisation. Specifically, the audit will deal with:
Mechanism for capturing and reporting identified internal control deficiencies.
Reporting protocols
Follow-up action
OVERALL INTERNAL CONTROL SYSTEM EVALUATION
When the internal audit function has completed a segment-wise review, the results will be concluded at the end of each segment by way of preliminary conclusions and actions needed to overcome deficiencies.
Based on such preliminary conclusions, an overall internal control system evaluation chart will be drawn up. The evaluation chart will contain the 5 internal control components described above, documenting the inference drawn by the internal auditor in respect of each of these components. Management's view on the segmental conclusions will form the basis for an overall conclusion by the internal auditor.
The COSO report also identifies the limitations of internal control systems in an organisation. These limitations may be the result of deficiencies in human judgement, misunderstanding of instructions, errors, override by management, collusion among employees and cost/benefit considerations. Addressing these limitations from time to time is a management function, and its effectiveness will be judged by how effectively the 5 components described above function in the processes of operations, financial reporting and compliance.
Conclusion:
The use and application of COSO tools has always been relevant from the point of view of any organized management process. Many of the issues discussed above are being implemented in one form or another, but this is not reflected in any standard form. Hence, the use of COSO tools would aid management in systematically documenting processes, which would ultimately provide a benchmark for further improvement. The relevance of these tools becomes all the more important in the atmosphere of corporate governance, where processes have to be elaborately portrayed through established written practices. The economic meltdown affecting various industries across the world also reiterates the need for effective control through an internal control mechanism which would anticipate risk in the external environment at a very early stage. In situations like this, the COSO tools would probably prove handy and useful to large business conglomerates across the globe.
By
K.S. Ravi