How to assess the effectiveness of internal control

The new draft internal control framework (ICF) from COSO includes guidance on how to assess whether the system of internal control is effective.

In this post, I am going to try to summarize what the document says. I then will ask your views on whether you agree with this way of assessing the adequacy of internal control. (BTW, I am going to limit the discussion to COSO lingo and not introduce any ISO or other terms.)

We have to start with the definition of internal control, which is unchanged from the 1992 edition:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of reporting.
  • Compliance with applicable laws and regulations.”

Before taking on the issue of evaluation, let’s look at two key phrases in the definition above: “reasonable assurance” and “objectives”:

Reasonable assurance

The discussion in the draft of “reasonable assurance” (in paragraphs 21-22) does not use risk management terms. (What I mean by that is that it doesn’t talk about ensuring the risk to the achievement of objectives is acceptable, within organizational tolerances). It simply acknowledges that factors outside the system of internal control (such as human error or judgment) can affect achievement of objectives. As a reminder, here is the definition of enterprise risk management from the COSO ERM framework:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”


In paragraph 30, the ICF draft provides a nice summary:

“An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.”

It is arguable whether objectives such as obtaining a 30% operating margin, growing revenue by 10%, or improving customer satisfaction by 10% can be readily placed within the three categories of objectives identified in the draft.

The COSO ERM framework adds a fourth category of objectives to the three in the ICF. It describes the four as:

  • Strategic – high-level goals, aligned with and supporting its mission
  • Operations – effective and efficient use of its resources
  • Reporting – reliability of reporting
  • Compliance – compliance with applicable laws and regulations.

The examples of business objectives I listed earlier would presumably fit under “Strategic”. I can’t explain why the ICF draft does not include this category. In lieu of a Strategic category, they would have to fit in the Operations group.

Assessing internal control effectiveness

The draft ICF starts the discussion at paragraph 71:

“An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.”

As a reminder, the three categories of objectives are Operations, Reporting, and Compliance. The five components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

The assessment flow continues at paragraph 76:

“In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning.”

For each of the five components, the draft ICF describes principles: 5 for Control Environment, 4 for Risk Assessment, 3 for Control Activities, 3 for Information and Communication, and 2 for Monitoring – a total of 17.

Moving to 78:

“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning.”

The key

As I read it, the draft is saying:

  1. To have an effective system of internal control, the risk of not achieving an objective is reduced to an acceptable level. CHECK
  2. For the risk to be acceptable, all 5 components must be present and functioning. QUESTIONABLE
  3. The way to assess whether each component is present and functioning is to examine whether the related principles are achieved. OK IN PRINCIPLE (pun intended)
  4. If any of the principles are not achieved, you need to assess the deficiency as to whether the related component is present and functioning. OK

The issues

My major issues are:

  1. I struggle with the categories of objectives. I think we are better off talking about achieving the organization’s strategies and objectives to create value, rather than confusing the issue with 3 categories that don’t clearly match to an entity’s strategic plan.
  2. I am not persuaded that all 5 components must be present and operating effectively for the risk to be considered acceptable. I am sure that one or more may be ineffective, but the nature of the objective and the other controls mean that the risk level is not excessive.
  3. I fear that the 17 principles will become a checklist.

My preference

  1. Eliminate the three categories of objectives and replace them with one: the achievement of the entity’s strategies and objectives for creating value. Failures in reporting or compliance, if significant, will result in a failure to achieve strategies and objectives (via penalties, loss of share value, etc.)
  2. The system of internal control – as a whole – may be considered effective if the risk to the most significant objectives (i.e., not necessarily all of them) is reduced to an acceptable level. It may be effective even if:
    1. The risk of non-achievement of minor objectives is higher than acceptable, or
    2. The risk of non-achievement is only marginally high for a limited number of objectives, and acceptable when considering the overall success of the organization
  3. Require judgment as to whether the overall risk to achievement of strategies and objectives is acceptable, considering the combination of controls within and across all 5 components.
  4. Retain the principles, but change the language to say that these should be considered if there is a desire to assess each component individually. Remove the inference that we now have a checklist of 17 items.

In other words, simplify the assessment flow to answering one question:

Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?

This question can be applied to the strategies and objectives for creating value – as a whole, for a group of strategies/objectives, or for individual strategies/objectives.

Do you agree? If not, please share your views.

  1. January 9, 2012 at 2:43 PM

    Norman, as you know I advocate along these lines and agree that our focus should be on value creation (bets/investments you are making) and value preservation (maintain and improve what you have already built).

    • Norman Marks
      January 9, 2012 at 3:45 PM

      Mike, thanks. Did you vote?

  2. Scottie Nix
    January 9, 2012 at 4:49 PM

    Norman, I voted and I like the idea of having a checklist to use. Too much guidance is too broad for the practitioner to actually apply. Although your question is right on target…”Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?” That is the big question. As an auditor I don’t have time to sit and contemplate this for each audit. I need something that lets me comply with the standards and quickly reduces the risk that as an auditor I won’t actually assess the internal controls of my project because I was sitting and thinking about them instead of evaluating them. I think this guidance is very good at helping me wade through the internal control risk minefield and get some audit procedures created that help me be assured I have addressed internal controls in my work.

  3. Deb
    January 9, 2012 at 9:44 PM


    In this instance, I’d tend to agree more with Scottie. Your perspective is undoubtedly valid, especially the take on absence of strategic objectives from the COSO list. And I believe this is one area – governance and strategy setting – where IA and ERM absolutely need to be wading in. However, is COSO-ICF the tool to aid that process? I’ve my doubts – it’s a much greater battle, depending a lot on amorphous things like tone at the top (internal) and organizational context (external).

    But coming to the execution level, however much we like to mull over conceptual issues, it’s always nice to have a guidance to devise a checklist, to aid the audit/ control process. I agree with your views that not all COSO principles may be relevant, or at least not relevant/ risk significant to the same degree, for a conclusion as to the adequacy of internal controls. But then I always have the leeway (if I’m not lazy) to adapt the principles to my own economic/jurisdictional/business/organizational context. After all, at its heart, COSO would still be a framework (despite the whole-hearted, some may say misplaced, endorsement of SoX), and how we use the tool remains our prerogative.

    My 2 cents.


    • Norman Marks
      January 10, 2012 at 7:09 AM

      Hi Deb, thanks for the comments. Did you vote?

      • Deb
        January 13, 2012 at 2:11 AM

        Yes, Norman. I did vote – #1 (though I had some reservations, but couldn’t go wholeheartedly with the other options either).

  4. Frans Kersten
    January 10, 2012 at 7:35 AM

    The definition of IC has been changed, although in a subtle way: the word “financial” has been skipped before “reporting”. This is also dealt with in the introduction where they state that separate guidance will be supplied on IC with regard to financial reporting.
    I did expect that the COSO-ERM would be used to adapt the IC framework.
    Although I prefer your approach I don’t believe I can fully agree. I believe the IC is also NOT effective if certain controls which management explicitly claims should be present (and on which they base their claim to be ‘in control’) are not present at all or not functioning as they should be.
    You may however argue that this still fits in ‘not meeting the objectives’.

  5. H. Mohamed Saleem B.TECH, CIA
    January 10, 2012 at 9:06 PM

    Norman, Thanks for your concise review comments.

    Yes. I agree with your view that ICF should include Strategic Objectives so that controls surrounding the Strategic Objectives shall be designed and implemented by the management to reduce the risk. Probably most of the recent failures could be associated with either absence / failure of such controls.

    However, I don’t subscribe to your view for replacing all the three objectives by one Single Objective. Because having such specific objectives pertaining to Strategic (if included), Operational, Reporting and Compliance gives a balanced focus which otherwise has the potential to be compromised.


  6. Melvin Pang
    January 11, 2012 at 9:10 AM

    I agree with Saleem’s point of view to sustain the three objectives…as in any company or corporate, the Operational, Reporting and Compliance objectives are fundamental to alignment & enforcement in achieving the company’s Strategic Objectives.

  7. Faraz Ashraf
    January 12, 2012 at 3:46 PM

    I am more conservative in my approach to assessing and monitoring internal controls. CoSo Guidelines are more clear and detailed.

  8. Norman Marks
    February 11, 2012 at 8:22 AM
  9. January 22, 2013 at 10:28 AM

    Hello Norman, I just stumbled across this post of a year ago. It is particularly relevant to a software system I am in the process of developing for the purpose of measuring effectiveness of internal controls. I will be grateful for a few minutes of your time (and also any other internal control professional reading this) in a short telephone conversation to verify if I’m on the right track. Thanks. Neil Leigh neil.leigh@objectivepolicy.com

  10. Mitsy Scott-Hamilton
    July 7, 2013 at 8:20 PM

    Hi Norm, I too am one year late on this post. However I fully endorse your arguments for including the assessment of the strength and achievement of the company’s strategic objectives. The bottom line is the company’s strategic objectives are what charts the direction of the organization. As such, if internal controls are not drafted to ensure the achievement of these objectives then the effectiveness, efficiency and economy of the organization is compromised. Until this is clearly understood by management, the weak performance of some organizations will continue.

  11. March 3, 2014 at 7:07 PM

    Hello are using WordPress for your blog platform? I’m new to the blog world
    but I’m trying to get started and set up my own. Do you need any html coding
    expertise to make your own blog? Any help would be really appreciated!

  12. May 27, 2014 at 11:17 PM

    Reblogged this on GRC and Process and commented:
    How to assess effectiveness of internal control

