INTOSAI's Comments on the Revised COSO Internal Control - Integrated Framework - a Summary

The INTOSAI community has for many years been promoting initiatives aimed at supporting appropriate use of
public funds, based on ethical conduct principles. We are pleased to contribute to the development of one of
the world's most popular internal control models, that of COSO. We believe that the COSO Internal Control -
Integrated Framework plays an important role in providing effective systems to ensure appropriate
performance, and to prevent misappropriation, fraud and corruption. We would also like to draw attention to the
specifics of the public (government) sector, especially to ethical values and resources safeguarding, which
according to INTOSAI GOV 9100 are included in the catalogue of internal control objectives. Another issue
that we would like to emphasize is the specific role and importance of Supreme Audit Institutions (SAIs). Their
activity, through the external assessment they provide, significantly influences the organization, functioning and
improvement of internal control systems applied in public (government) sector entities.

Below, we present comments of representatives of the INTOSAI community that have been sent to the
Supreme Audit Office of Poland (NIK), which is the chair of the INTOSAI Subcommittee on Internal Control
Standards.

1. The INTOSAI Guidelines for internal control standards for the public sector (INTOSAI GOV 9100)

One of the main reasons for developing the Guidelines was to emphasize the importance of internal control in
reaching the public sector entity objectives within political, legal and financial constraints. Another reason was
the role of SAIs in supporting the development of strong internal control. In this perspective we should also
mention the strong need for public sector emphasis adapted to the public sector environment.

The specific public sector orientation of the INTOSAI Guidelines is most clearly reflected in the internal control
definition. The definition of internal control according to INTOSAI included some important additions, specific to the
public sector, to the original COSO framework definition (version 1992), which is accepted worldwide.
INTOSAI's definition is as follows: "Internal control is an integral process that is effected by an entity's
management and personnel and is designed to address risks and to provide reasonable assurance that in
pursuit of the entity's mission, the following general objectives are being achieved:
Executing orderly, ethical, economical, efficient and effective operations;
Fulfilling accountability obligations;
Complying with applicable laws and regulations;
Safeguarding resources against loss, misuse and damage."
The three major additions to the COSO definition were as follows:
firstly, the addition of the terms "orderly", "ethical" and "economical". The addition of an ethical component
is important. This emerged because since the 1990s, emphasis has progressively shifted to
ethically responsible behavior and the prevention and detection of fraud and corruption. An ethical
code of conduct is increasingly viewed as a primary requirement to enhance the citizens' trust in
authorities and as a cornerstone for good management;

secondly, the inclusion of the term "fulfilling accountability obligations". Fulfilling these obligations is
broader than simply ensuring the reliability of financial reporting. In the public sector, non-financial
information (in matters of policy, performance, effects, etc.) also plays an important role;

thirdly, the addition of the fourth objective: safeguarding resources against loss, misuse and damage.

The second part of INTOSAI GOV 9100 describes the components of internal control as an adaptation of the
five COSO internal control components to the public sector.

The third part gives an overview of the different actors in a public organization with their responsibility for
internal control.

2. INTOSAI Guidelines for internal control standards for the public sector versus the revised COSO
Internal Control - Integrated Framework (December 2011)

The definition of internal control (according to the revised COSO Internal Control - Integrated Framework)
does not consider the notions "orderly" and "ethical".

The COSO framework provides a basis for evaluating the effectiveness of internal control systems by
considering components, principles and attributes. The COSO framework does not, however, consider
executing ethical operations as an objective, but considers the commitment to integrity and ethical values as
one of the underlying principles related to control environment. Control environment comprises integrity and
ethical values of an organization with a related principle:

"The organization demonstrates a commitment to integrity and ethical values" (principle 1)

In this respect, COSO also attaches great importance and pays particular attention to the personal and professional
integrity and ethical values of managers and their staffs, which is evidenced in a range of measures, such as a
code of conduct, awareness training, registration and assessment of side activities, etc.

A strong corporate ethical climate at all levels is vital to the well-being of an entity, all of its elements and the
society at large.

COSO also pays particular attention to:

"tone at the top": Indeed, the management's philosophy and operating style is important. Providing
leadership means, among other things, setting and maintaining the ethical tone, providing guidance
for proper behavior, removing temptations for unethical behavior, etc.;

organizational structure: the organizational structure of an entity provides assignment of authority and
responsibility, empowerment and accountability, and appropriate lines of reporting.

Fulfilling accountability obligations

Here, we refer to a principle relating to risk assessment: "Specifies relevant objectives" (principle 6).

This principle also deals with reporting objectives. Reporting objectives pertain to the preparation of reliable
reports. According to COSO, these reporting objectives may relate to financial or non-financial reporting. For
the reporting category of objectives, COSO gives separate attributes for internal reporting, external non-
financial reporting and external financial reporting.

Safeguarding resources against loss, misuse and damage are separate entity's objectives.

In fact, resources in the public sector (mainly) concern public money. Moreover, accounting on a cash basis is
still a widespread practice in the public sector but it does not provide sufficient assurance related to the
acquisition, use, and disposition of resources. As a result, public organizations do not always have an up-to-
date record of all their assets, so that they are more vulnerable. Safeguarding resources was thus within
INTOSAI GOV 9100 judged to be an important internal control objective.

In the COSO framework, principle 8, "Assesses fraud risk", deals with the safeguarding of assets. So again,
within the COSO framework, the safeguarding of assets is not dealt with as a separate objective but as an
underlying principle to the risk assessment objective. Regardless of what objective may be affected, the
responsibility and accountability for loss prevention and anti-fraud policies and procedures reside with the
management of an entity and its subunits in which the risk resides.

Components of internal control

The well-known five components of internal control according to COSO (control environment, risk assessment,
control activities, information and communication, monitoring) were also adopted by INTOSAI with, where
necessary, special attention to specific public sector aspects (in line).

3. The updated Framework should further and in more detail clarify the relation to COSO's Enterprise
Risk Management Framework.

The Framework should especially elaborate why two very similar concepts should remain in force
simultaneously and why no consolidation has been carried out. Another question is whether and to what extent
both concepts should exist in parallel in organizational practice, or whether one concept should be given
priority (e.g. risk management as a broader concept), or whether the preferred use depends on the
organizational framework (e.g. use of the Internal Control Framework rather in the public sector).

4. There is a need to stress the position and role of Supreme Audit Institutions (SAIs) and to make it stand
out from external audit

We think it would be possible and worth creating, in the Framework, a relation between COSO and INTOSAI
GOV 9100 to promote the COSO model among public sector entities. INTOSAI GOV 9100 includes roles and
responsibilities of a wide range of stakeholders. INTOSAI considers SAIs as a party which encourages and
supports the establishment of effective internal control in the government. The assessment of internal control is
essential to SAIs' compliance, financial and performance audits. They communicate their findings and
recommendations to interested stakeholders.

On the other hand, external auditors audit certain government organizations in some countries. They and their
professional bodies should provide advice and recommendations on internal control.

5. Clarify the language used in classifying deficiencies and applicability of material weaknesses

Material weakness applicable only to the financial reporting objective:

We do not agree with the notion that the concept of a material weakness is applicable only to the
financial reporting objective.

Development of new terminology, major/minor non-conformity:

We also do not agree with the creation of new terminology for classifying deficiencies in operations
and compliance. Entities may perceive internal control deficiencies that are material in nature but do
not fall under the external financial reporting objective as unnecessary to report upon and address,
when in fact they could have a material impact on the system of internal control, and therefore an
adverse effect on the financial statements or other information accompanying the financial
statements.

Blending preventive and detective controls in discussion:

We believe the exposure draft incorrectly combines the role of preventive and detective controls. The
exposure draft states: "there is a reasonable possibility that a material misstatement of the entity's
financial statements will not be prevented, detected, or corrected on a timely basis."

6. Improve general applicability of the COSO Framework to all entities

Roles and responsibilities of personnel internal to the organization:

The 17 fundamental principles are not equally applicable to government agencies. For example,
many principles include specific roles and responsibilities of the board of directors. The governance
structure of government entities would not usually include a board of directors.

Applicability of examples:

The examples in the Framework can serve as a good source of ideas for management and those
responsible for implementing the new framework; however, many of these approaches and examples
would be applicable or appropriate for large, commercially-oriented entities.

Presentation of benefits of internal controls:

The Framework places an emphasis on a benefit that is not applicable to all entities. Specifically, the
Framework states that "Among the most significant benefits of effective internal control for many
entities is the ability to meet certain criteria required to access capital markets, providing capital-
driven innovation and economic growth."

7. Improve discussion related to information technology (IT)

Nature and extent of risk associated with IT:

There are several factors that affect the nature and extent of risk associated with IT controls for which
the Framework does not contain a clear discussion. We believe that such factors would include:
nature of the hardware and software used; configuration of networks and IT strategy.

Guidance on the use of appropriate criteria for assessing the adequacy of IT controls:

We believe it is important that the Framework guide the entity to develop an appropriate set of criteria
for assessing IT controls. There are a number of examples of comprehensive criteria that have been
published which can be used to assess the adequacy of IT controls.

Categories of general controls and business process controls:

The section related to general controls over technology does not include all of the critical elements of
the five control categories, which include: security management; access control; configuration
management; segregation of duties; and contingency planning.

The section related to business process application controls does not include all of the critical
elements of the four control categories, which include: application general controls; business process
controls; interface controls; and database management controls.

8. Improve the discussion of outsourced service providers

We believe the impact of outsourced service providers on an entity's internal control system is not
adequately addressed in the exposure draft. While we noted a discussion in both the control
environment and monitoring sections of the exposure draft, we do not believe that this adequately
addresses the topic.

9. Emphasize safeguarding of assets as a subset of the three categories of internal control

The Framework does not clearly state in the discussion of the categories of internal control objectives
that safeguarding assets is a subset of the three categories of internal control objectives.

10. Improve consistency in presentation of attributes

Each chapter describing a component of internal control contains a summary of principles and
attributes located at the end of each chapter. However, the attributes located in the body of the
Framework are not consistent with the attributes presented in the summary at the end of each
chapter.

11. Clarify presentation of changes to the 1992 Version of Internal Control - Integrated Framework

The Exposure Draft provides a summary of changes to the 1992 Version of the Internal Control -
Integrated Framework that describes broad changes made as well as changes made within the five
components of internal control. However, it does not summarize changes that the entity would have to
make in order to adhere to the 2012 version.

12. Clarify the importance of management philosophy in control environment

The discussion on the tone at the top does not have a definitive statement linking the attitude and
philosophy of the management to having a profound effect on internal control.

13. Need for completeness of reports in reporting objectives

We do not agree with the notion that the reporting objectives pertain only to the reliability of reporting.
We believe that completeness of information presentation is also a key part of the reporting
objectives.

14. Other comments

The appendices are very helpful to the reader, as they provide a common basis of understanding.

The use of examples to explain the scope of content, especially for the 17 principles is very helpful.

It would be a great contribution to publish a guide containing case studies and examples based on
reality, referring to how you can incorporate the 17 principles within an organization.

The examples could be expanded to include matters pertinent to the public sector.

The updated Internal Control Framework's enhanced focus on principles and attributes provides
valuable criteria for each internal control component which should assist the management and
auditors in assessing both the design and effective operation of an entity's system of internal control.
