7 The COSO framework: control environment
The first internal control component in COSO’s framework is the control environment. Video 2 below covers the following aspects of control environment:
- integrity and ethical values
- management’s philosophy and operating style
- commitment to competence
- the role of the human resources department
- organisational structure
- board of directors and the audit committee
- holding individuals accountable for their responsibilities.


Transcript: Video 2 Control environment
NARRATOR
The first internal control component in COSO’s framework is the control environment. This consists of the processes and structures that reflect the overall attitude of an entity’s owners, directors and senior managers towards internal control and its importance.
Specific elements of the control environment include integrity and ethical values, management’s philosophy and operating style, commitment to competence, the role of the human resources department, organisational structure, board of directors or audit committee, and holding individuals accountable for their responsibilities.
Integrity and ethical values.
Integrity and ethical values refer to how ethical standards are communicated and reinforced within the organisation. This specific element of the control environment sets the tone ‘at the top’, establishes standards of conduct, and evaluates adherence to standards of conduct. It also includes management’s efforts to remove or reduce incentives to commit fraud or money laundering and the actions taken by management when unacceptable conduct occurs in firms.
Management’s philosophy and operating style.
Management’s philosophy and operating style are important components of the control environment. Management clearly signals to employees the importance of internal controls through its activities. For example, risk will be potentially high if management is taking risks, setting unrealistic goals, putting pressure on employees to achieve unrealistic targets, acting dishonestly, or treating employees without fairness and respect.
Commitment to competence.
Competence is the knowledge and skills necessary to accomplish the job. An organisation should demonstrate a commitment to appointing, developing, and retaining competent individuals in alignment with the organisation’s objectives. This requires organisations to recruit and retain suitable candidates, evaluate their competence, and address shortcomings by investing in staff development.
Board of Directors and Audit Committee.
The FRC (2016, 2018) emphasises the importance of board competence to ensure effective corporate governance and controls. It recommends that the board and its committees (e.g. audit committee, remuneration committee and nomination committee) have the appropriate balance of skills, experience, independence, and knowledge of the organisation to enable them to perform their duties and responsibilities effectively.
The organisation should provide the necessary resources for developing and updating its directors’ knowledge and capabilities and also establish the committees to monitor.
The role of the human resources department.
Arens et al. and Kassem both focus on the human resources department, noting that this plays an essential role in maintaining an effective control environment. The human resources department should have adequate processes in place for conducting relevant background checks on relevant personnel before accepting them to the firm. The human resources department should have clear and fair policies covering staff evaluation, training and development, compensation, and promotion.
Organisational structure.
Arens et al. (2014) recognised that having a clear, simple organisational structure is also important in establishing an effective control environment. Organisational structure clarifies who should report to whom and who is responsible for what. An organisation should consider all structures of the entity, establish reporting lines, and define and assign appropriate authorities and responsibilities in the pursuit of the firm’s objectives.
The board of directors and audit committees’ participation is vital in ensuring an effective control environment. The board of directors should demonstrate independence from management and exercise oversight of the development and performance of internal controls. The board is also responsible for ensuring that management implement proper internal controls and financial reporting processes.
An effective board should provide oversight of all five components of the COSO internal control system. It should stay involved in the organisation’s affairs, continually assess, and monitor management’s activities, reduce the risk of management overriding the internal control system and create an audit committee that is charged with the responsibility for overseeing the company’s financial reporting.
Holding individuals accountable for their responsibilities.
Finally, an organisation should enforce accountability through structures, authorities, and responsibilities. It should establish performance measures, incentives, and rewards, consider excessive pressures on employees at all levels and evaluate performance and reward or discipline individuals in firms.
