Introduction

4.01 Internal control is not one event or circumstance, but a dynamic, iterative, and integrated process. It is not a one-time task because the impact of an entity’s internal and external activities is not static but is continually changing. The entity’s policies reflect management or board statements of what should be done to effect internal control. These statements may be explicitly stated in management communication or implied through management actions and decisions.

4.02 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

4.03 In May 2013, COSO published an update to the 1992 Internal Control—Integrated Framework (the framework). The updates became necessary due to the increasing complexity of businesses since the original framework was published. The changes were intended to make the framework easier for management to use while, at the same time, allowing management to meet the entity’s financial and operations goals. The discussion of internal control in this guide recognizes the definition and description of internal control contained in the framework.

4.04 The following are the five components and seventeen underlying principles of internal control from the framework: ...