9 The big picture - internal control concepts
Let’s say you plan to go on a hiking expedition with friends. You’ll have to pack your luggage. Ideally, you would come up with some broad categories that will make your packing more efficient and effective. What can these categories be? Maybe something like ‘food’, ‘clothes’, ‘equipment’, ‘other’. This categorization would help you make the following list: food (water, crackers, protein bar), clothes (one full change of clothes, rain jacket), equipment (hiking shoes, trekking poles), other (first-aid kit, lighter, map). The broad categories that I describe, food-clothes-equipment-other, can be seen as a framework that guides your list-making. Without using broad categories within a framework, you might have forgotten some items like the map or the rain jacket. Then, you would not have achieved your hiking goal of having an enjoyable hike.
Similarly, the internal control domain uses frameworks to guide organizations in the design of effective internal control systems. What follows in this chapter is the description of two important internal control frameworks, the COSO framework and the information-based framework for control.
9.1 Casa of COSO
In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Internal Control - Integrated Framework (Sponsoring Organizations of the Treadway Commission et al. (2013)), a framework which was to become one of the most used resources for designing and implementing internal control systems. As we all know, what gets defined, gets understood (actually, I just made that up). But one could argue that COSO had such a big impact because of the fact that it defined internal control. The definition of internal control given by COSO is as follows: ‘internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance’. Basically, every organizational objective within the area of operations (the effectiveness and efficiency of an organization’s operations), reporting (internal and external financial and non-financial reporting) and compliance (adherence to applicable laws and regulations) would become the playing ground of internal control. This led some authors to decry that there is a control explosion (Maijoor (2000), Power (2004)). We’re not going to argue here whether the explosion is true or not. What I think is important for you to know is that internal control is present in every organization, so knowing about internal control is relevant for your future professional career.
Besides defining internal control, COSO also defines five interrelated components of internal control:
- Control environment. The control environment is the organization’s culture (e.g., ethical values, management philosophy) with respect to internal control. Whenever we see a bad control environment (e.g., ‘The Volkswagen Diesel Emissions Scandal and Accountability - Where Were the Auditors and Attorneys during the Sustainability Charade?’), we have reason to be suspicious of the organization’s internal control.
- Risk assessment. Risk assessment comprises three stages: risk identification (identify the future uncertain events that may have negative consequences), risk analysis (assess the likelihood and impact of each risk), and risk evaluation (categorize each risk so that appropriate action can be taken with respect to that risk). Adding a risk response to risk assessment leads to the wider concept of risk management. Risk responses can be to eliminate the underlying activity that leads to the risk, to share the risk (e.g., insurance) or to reduce the risk by using control activities.
- Control activities. There are many classifications of control activities, from preventive controls (e.g., control the risk of hiring unqualified employees by setting procedures for hiring personnel) to detective controls (e.g., control the risk of fictitious sales by performing analytical reviews to estimate the expected sales number), and from direct controls (e.g., control the risk of employees making bad products by checking their work) to indirect controls (e.g., control the risk of offering low quality educational programs by using student evaluations).
- Information & communication. Being in control, or being able to achieve organizational objectives, is fundamentally intertwined with information & communication. Think of a chef in a restaurant, aiming to serve a delicious dinner to customers. In order to achieve her goal, the chef needs to communicate clear information to the kitchen staff (e.g., how the dishes should be assembled, how to adapt a dish to individual orders). For example, a restaurant can use a checklist to make sure every dish is prepared well. I’m not inventing this. If you want to see how checklists are used in restaurants to avoid mistakes, see Atul Gawande’s book ‘The Checklist Manifesto: How To Get Things Right’.
- Monitoring. Monitoring fundamentally asks: are the controls functioning? Let’s take the example of a restaurant that, instead of using a checklist to make sure every dish is prepared well, uses verbal communication. So, the chef just shouts out instructions on how every dish should be prepared. Would the SHOUTING, as a communication medium, lead to the achievement of organizational goals? Maybe, but most likely not: some stressed junior might forget to put salt in the dish. Monitoring should be put in place (e.g., track how many dishes are returned) to see if the control mechanisms (i.e., the procedure of shouting requirements for dishes) are functioning.
We can think of these five components as parts of a house (Figure 9.1). The foundation of the COSO house is the Control environment, and Monitoring is on its roof to make sure that the risk assessment, control activities, and information & communication function as expected. Information & communication touches all the other four areas of internal control (like the walls of a house), and the Risk assessment is matched against the Control activities (like the windows of a house). By covering all five areas delineated by the COSO framework, organizations can be more confident that they are implementing good systems of controls.
9.2 Information-based framework for control
A different framework aimed at the design of effective internal control uses an information-based perspective of control (Vaassen and Meuwissen (2020)). The information-based framework of control aims to be more actionable, relative to the COSO framework, because it delineates specific domains where control is needed and specific goals for each domain (Figure 9.2).
According to the information-based control perspective, control affects the following domains of the organization:
- the business domain. This domain refers to what a company does to create value (e.g., selling services).
- the information & communication domain. This domain refers to the information that is provided to the business domain.
- the data domain. This domain refers to the data used for information provision.
- the information & communication technology (IT) domain. This domain refers to all the electronic media used (e.g., hardware, software) to input, process, store and provide data and to support and enable communication.
The underlying theory behind the information-based control framework is that all four domains need to be aligned. If something changes in one domain, the other domains need to change too.
Let’s apply the information-based control framework to the fitness industry. The fitness industry moved completely online during the Covid pandemic. This industry changed its operations by moving from running activities in big gyms to online workouts. If the way the fitness business operates changes, so do the information needs. Let’s say that in the physical version, gym members would pay subscriptions for attending gym classes, while in the online version, gym members would pay per class viewed and for the opportunity to socialize on the platform. While during the in-gym workouts, management would need information on how many customers pay subscriptions, after the online move, the information needs would focus on how much time customers interact with the sports platform (to watch the lessons or to socialize after lessons). The data collected from customers is also different; while in the gym setting, data would be collected at enrolment and subscription payment, in the online environment data would be collected continuously. As expected, the IT infrastructure is much more important in the online setting.
Because of its strict delineation of the domains where control is needed, the information-based control framework can readily indicate control goals related to each domain. For the business domain, goals can be set based on the balanced scorecard criteria: efficiency and effectiveness of internal processes, innovative power, customer satisfaction and financial performance. For a restaurant, performance indicators can be set, for example, on the level of satisfaction of the customers visiting the restaurant (e.g., an average of 4 out of 5 stars).
Goals can be set for the quality of information along the following criteria:
- Validity: information is valid if it is in accordance with reality (e.g., fictitious sales do not comply with the validity criterion).
- Accuracy: information is free of error (e.g., there is no mathematical error in the calculation of a discount).
- Completeness: every relevant piece of information is recorded (e.g., we are not missing suppliers from our database).
- Timeliness: information is provided in time.
- Understandability: information is not ambiguous (e.g., ‘Profits increased satisfactorily’ is more understandable than ‘Profits increased by 5%’).
- Efficiency: information is produced at a reasonable cost (e.g., it is not very useful to put a complex system in place to track how much rice is returned per dish; it is more useful to track how many dishes are returned and of which type).
- Effectiveness: information can be used (e.g., there is no need to provide information on vendors when we need information on customers).
Goals can also be set for data (e.g., data inputs should be valid, data inputs should be accurate, private data should be protected) and for the IT infrastructure (e.g., the IT infrastructure should allow for data to be made available on demand).
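As an added example (my own, not from the chapter or from the frameworks it cites), the four information-quality criteria that can be tested directly on records, validity, accuracy, completeness and timeliness, applied to a constructed sales ledger and customer master file; the field names, the 7-day booking deadline and the records themselves are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data (assumed, not taken from the chapter).
CUSTOMER_MASTER = {"C001": "Alpha Ltd", "C002": "Beta BV"}
# Customers with signed contracts this quarter; C003 was never entered in the master file.
CONTRACTED_CUSTOMERS = {"C001", "C002", "C003"}
SALES_LEDGER = [
    {"id": 1, "customer": "C001", "gross": 100.0, "discount_pct": 10, "net": 90.0,
     "delivered": date(2024, 3, 1), "booked": date(2024, 3, 2)},
    {"id": 2, "customer": "C999", "gross": 250.0, "discount_pct": 0, "net": 250.0,
     "delivered": date(2024, 3, 2), "booked": date(2024, 3, 2)},   # no such customer (validity)
    {"id": 3, "customer": "C002", "gross": 200.0, "discount_pct": 5, "net": 180.0,
     "delivered": date(2024, 3, 3), "booked": date(2024, 3, 4)},   # 5% of 200 is 10, not 20 (accuracy)
    {"id": 4, "customer": "C002", "gross": 50.0, "discount_pct": 0, "net": 50.0,
     "delivered": date(2024, 3, 5), "booked": date(2024, 3, 20)},  # booked two weeks late (timeliness)
]


def check_information_quality(ledger, master, contracted, max_booking_delay_days=7):
    """Return (sale_id, criterion, detail) findings; sale_id is None for file-level findings."""
    findings = []
    for s in ledger:
        # Validity: the sale must refer to a customer that exists in reality (the master file).
        if s["customer"] not in master:
            findings.append((s["id"], "validity", f"customer {s['customer']} not in master file"))
        # Accuracy: the net amount must equal gross less the discount, with no arithmetic error.
        expected_net = round(s["gross"] * (1 - s["discount_pct"] / 100), 2)
        if abs(expected_net - s["net"]) > 0.005:
            findings.append((s["id"], "accuracy", f"net {s['net']} should be {expected_net}"))
        # Timeliness: the sale must be booked within the assumed deadline after delivery.
        delay = (s["booked"] - s["delivered"]).days
        if delay > max_booking_delay_days:
            findings.append((s["id"], "timeliness", f"booked {delay} days after delivery"))
    # Completeness: every contracted customer must be present in the master file.
    for cust in sorted(contracted - set(master)):
        findings.append((None, "completeness", f"contracted customer {cust} missing from master file"))
    return findings


def findings_by_criterion(findings):
    """Count findings per criterion, the kind of summary a monitoring report would show."""
    counts = {}
    for _, criterion, _ in findings:
        counts[criterion] = counts.get(criterion, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in check_information_quality(SALES_LEDGER, CUSTOMER_MASTER, CONTRACTED_CUSTOMERS):
        print(finding)
```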
Why is it important for you to be able to use the concepts in this chapter? It is important because, besides the fact that these frameworks are useful, they are also part of the vernacular of internal control professionals (I always wanted to use the word ‘vernacular’!). So, when you actually want to communicate with somebody, you should learn their language.
9.3 Questions and application
- Can you think of examples for all the components of the COSO framework?
- Can you apply the information-based control framework to a new situation besides the one described in the chapter (i.e., related to the fitness industry)?
- Can you give multiple examples of situations when the information quality criteria are not met (e.g., when is information not valid?)?