By Juan Pablo Calle, on October 30, 2019
The internal control environment is one that influences the members of an organization and the control of its activities. This environment is the baseline of corporate risk management, providing discipline and structure, as well as impacting all components of risk management.
For this control environment to work, the following elements need to be integrated.
Management philosophy
All entities should have a consistent risk management philosophy. This has to do with the assignment of responsibilities that facilitate the fulfillment of the company's objectives and mission. It is also important to establish whether adequate risk management is favored over the search for profitability.
Risk appetite
The institution must determine whether it is willing to expose itself to a high risk in order to achieve its objectives or whether, on the contrary, it is opposed to doing so. Before planning or conducting business, the different units of the organization must evaluate the implementation of the processing measures necessary for proper management.
Governing board
It is important to have a governing board that is sensitive and committed to risk management, and which exercises its supervisory functions in a relevant manner. Therefore, the board must have experience and a reputation in decision-making, as well as independence from management.
Integrity and ethical values
Determining ethical and behavioral values allows you to maintain the consistency of the control environment. In this regard, entities must ensure that the company's values are binding on all collaborators; that is, that they are extended to all organizational units and related companies. They should also aim to promote socially responsible business and support the trust of stakeholders.
Commitment to skills
The organization must conduct a proper analysis of the skills of its employees and, based on this assessment, focus on improving the knowledge and abilities of the company's human resources.
Organizational structure
It is essential that each entity establishes a structure with clearly defined responsibilities. Therefore, it should have a governing board, management units, an audit committee, a compliance officer, and specialized units to support management.
Assignment of authority and responsibility
The people who are part of the organization must be authorized to do their jobs. Therefore, hierarchical levels are essential to decide and supervise. Thus, decision-making powers will be centralized and decentralized.
Human resource standards
Establishing practices for contracting, guidance, training, coaching and compensation is a fundamental process of the internal control environment. Similarly, entities should determine the mechanisms and rules for sanctioning non-compliance by members of the organization.
The COSO Framework covers three (3) categories of objectives which include the Operating, Reporting and Compliance Objectives of an entity. This implies that the Framework was developed to address the effectiveness and efficiency of the entity’s operations, the financial and non-financial reporting’s reliability, timeliness, transparency or other terms as set forth by regulators, recognized standard setters or the entity’s policies, and the entity’s adherence to the laws and regulations it is subject to. I stated in the first part of this publication last week that the Framework consists of five (5) integrated components. These components assist the organization in achieving the aforementioned objectives. These five (5) components have a total of seventeen (17) principles that represent the fundamental concepts of the components to which they are associated. The principles represent the key point of what each component addresses.
In this part, we will look at the “Control environment” and the corresponding principles that address it.
Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.
Of all 17 principles, the Control Environment component has five (5) principles relating to it:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
These principles in turn have approaches which serve as guides in accomplishing them. The approaches, although defined, are not meant to restrict an entity's application, as entities can introduce approaches of their own, especially when not specifically addressed by the Framework.