Thursday, May 7, 2015

Introduction to Internal Control Framework

New and rapidly changing business models, economic and competitive environments, globalization, greater use of and dependence on technology, increasing regulatory requirements and scrutiny, shifting customer demands and priorities, and restructuring for future growth are driving senior executives' thinking towards the Internal Control—Integrated Framework. The Framework helps entities achieve their goals and objectives, and sustain and improve performance at the operational level, by adapting to changing business and operating environments, mitigating risks to acceptable levels, and supporting sound decision making at higher levels in software development companies of India.

COSO stands for “Commission of Sponsoring Organizations”, a private commission chartered to research and report on improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO prepared a document in 1992 on the Internal Controls-Integrated Framework. Because internal control has different meanings to different parties, COSO tries to establish a common definition and standard that can serve all of them. Under COSO’s report (quoted from the July 1994 Edition of COSO Internal Controls-Integrated Framework, “COSO Report”), “Internal Control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”

Designing and implementing an effective system of internal control can be challenging; operating that system effectively and efficiently every day can be daunting. New and rapidly changing business models, greater use of and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and other challenges demand that any system of internal control be agile in adapting to changes in business, operating and regulatory environments.

This definition reflects certain fundamental concepts. Internal control is:
  • Geared to the achievement of objectives in one or more categories: operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities: a means to an end, not an end in itself
  • Effected by people: not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors

An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors of IT Companies use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity. Management and internal auditors, among other personnel, apply judgment as they monitor and assess the effectiveness of the system of internal control.

The Framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. It does so by providing both understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.

For management and boards of directors, the Framework provides:
  • A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
  • A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels
  • Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together
  • A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures
  • An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives
  • An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity’s objectives

For external stakeholders of an entity and others that interact with the entity, application of this Framework provides:
  • Greater confidence in the board of directors’ oversight of internal control systems
  • Greater confidence regarding the achievement of entity objectives
  • Greater confidence in the organization’s ability to identify, analyze, and respond to risk and changes in the business and operating environments
  • Greater understanding of the requirement of an effective system of internal control
  • Greater understanding that through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls

Internal control is not a serial process in Software Development Companies but a dynamic and integrated process. The Framework applies to all entities: large, mid-size, small, for-profit and not-for-profit, and government bodies. However, each organization may choose to implement internal control differently. For instance, a smaller entity’s system of internal control may be less formal and less structured, yet still have effective internal control.

1 comment:

  1. Hi
    Nice post. Thank you for sharing such informative information with us.
    ISO 27001 – ISMS
    ISO 27001 – ISMS was created to help manage information security, define expectations to mitigate risks and prevent negative consequences.