New and rapidly changing business models, economic and
competitive environments, globalization, greater use of and dependence on
technology, increasing regulatory requirements and scrutiny, shifting customer
demands and priorities, and restructuring for future growth are driving senior
executives' thinking towards the Internal Control—Integrated Framework. The
Framework helps entities to achieve their goals and objectives, and to sustain
and improve performance at the operational level, by adapting to changing
business and operating environments, mitigating risks to acceptable levels, and
supporting sound decision making at higher levels in Software Development
Companies of India.
COSO stands for “Commission of Sponsoring Organizations”, a
private commission chartered to research and report on improving the quality of
financial reporting through business ethics, effective internal controls and
corporate governance. In 1992 COSO prepared a document on the Internal
Controls-Integrated Framework. Because internal control has different meanings
to different parties, COSO tries to establish a common definition and standard
that can serve such parties. Under COSO’s report (quoted from the July 1994
Edition of COSO Internal Controls-Integrated Framework, “COSO Report”),
“Internal Control is broadly defined as a process, effected by an entity’s
board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the following
categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations”
Designing and implementing an effective system of internal
control can be challenging; operating that system effectively and efficiently
every day can be daunting. New and rapidly changing business models, greater
use and dependence on technology, increasing regulatory requirements and
scrutiny, globalization, and other challenges demand any system of internal
control to be agile in adapting to changes in business, operating and
regulatory environments.
This definition reflects certain fundamental concepts. Internal control is:
- Geared to the achievement of objectives in one or more categories: operations, reporting, and compliance
- A process consisting of ongoing tasks and activities; a means to an end, not an end in itself
- Effected by people: not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
- Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors
An effective system of internal control demands more than
rigorous adherence to policies and procedures: it requires the use of judgment.
Management and boards of directors of IT Companies use judgment to determine how much control is enough. Management
and other personnel use judgment every day to select, develop, and deploy
controls across the entity. Management and internal auditors, among other
personnel, apply judgment as they monitor and assess the effectiveness of the system
of internal control.
The Framework assists management, boards of directors,
external stakeholders, and others interacting with the entity in their
respective duties regarding internal control without being overly prescriptive.
It does so by providing both understanding of what constitutes a system of
internal control and insight into when internal control is being applied
effectively.
For management and boards of directors, the Framework
provides:
- A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
- A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels
- Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together
- A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures
- An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives
- An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity’s objectives
For external stakeholders of an entity and others that
interact with the entity, application of this Framework provides:
- Greater confidence in the board of directors’ oversight of internal control systems
- Greater confidence regarding the achievement of entity objectives
- Greater confidence in the organization’s ability to identify, analyze, and respond to risk and changes in the business and operating environments
- Greater understanding of the requirement of an effective system of internal control
- Greater understanding that through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls
In Software Development Companies, internal control is not a serial process but a
dynamic and integrated process. The Framework applies to all entities: large,
mid-size, small, for-profit and not-for-profit, and government bodies. However,
each organization may choose to implement internal control differently. For
instance, a smaller entity’s system of internal control may be less formal and
less structured, yet still have effective internal control.