Internal Control is a Process
(Internal Controls)
Controls are such a basic concept, I think, but one understood differently by almost everyone.
COSO tried to help, but still we struggle with that.
Internal control, and internal control frameworks, are for auditors and other evaluators. Managers don't use COSO to achieve objectives, but we auditors can compare Management's Controls to the COSO framework (or any other framework), and thereby evaluate the design adequacy of controls.
Internal control is a process, not just a single thing. The specific components of that process, per COSO, are: People work in an environment, created by management, that either helps or hinders their meeting objectives (CE). And objectives and risks need to be clearly understood and managed (RA). Plus, management needs to know if the risk responses they put in place are working (CA), and all this needs to be supported by a good flow of information (I&C). Finally, someone other than the responsible manager, like auditors, needs to periodically look at all this.
My shorthand version is "controls are things management does to help achieve business objectives."
So, controls are a process (a five-step process), but controls are not The Process (the tasks required to do the job):