Internal Control essay



Aclearly defined system of internal controls assures the stakeholdersthat all transactions are recorded properly and in a timely manner.This is because internal controls are designed in a way that guidesthe organization in ensuring that its operations are effective,accurate, efficient, and consistent with the law. This paper is aresponse to three questions that pertain to changes made in COSO,responsibilities of the management and internal auditors in theprocess of developing internal controls, and the issue of cybersecurity.

Question1: Changes in COSO 2013

TheCOSO framework that was launched in 2013 introduced two majorchanges. The first and the most import change involved the expressionof the 17 principles that were considered as the ideas underlyingdifferent components (including the control environment, riskassessment, information and communication, control activities, andmonitoring) of an effective internal control system. The 2013framework stated explicitly that the organizations should ensure thatthe 17 principles are not only present, but functioning (Ernst andYoung LLP, 2014). Initially, organizations were not required todemonstrate the presence or the functionality of the seventeenprinciple of an effective internal control. In addition, COSO 2013introduced a set of “points of focus”, which are guidelinesintended to help firms design, implement, and assess the presence aswell as the functionality of the 17 principles.

Secondly,the COSO 2013 introduced a set of enhancements. These enhancementsinclude a clarification of the requirements for the establishment ofan effective internal control system role of objective setting areflection on the increase in relevance of technology an enhancementof the governance concepts a keen consideration of business models(such as outsourcing) and an enhanced focus on the issue of risk offraud (Ernst and Young LLP, 2014).

The2013 COSO did not bring any change in three items of the initialframework. First, the five components (including the controlenvironment, risk assessment, information and communication, controlactivities, and monitoring) including that are used to determine aneffective internal control system were not changed (Ernst and YoungLLP, 2014). Secondly, the three objectives of internal control wereretained in the 2013 framework. These categories of objectivesinclude reporting, effectiveness as well as the efficiency ofoperations, and compliance with the law. Third, the 2013 frameworkretained the emphasis placed by the old framework on the significanceof judgment in designing, implementing and assessing an internalcontrol system.

Question2: Responsibilities of the management and internal auditors withregard to internal controls

Aneffective internal control system should have the input of both themanagement and internal auditor. The management is expected to ensurethat internal controls have been put in place, implemented in amanner that is consistent with the business practices, and observedby all relevant stakeholders (University of Nebraska, 2016). Theprocess of designing and implementing internal controls should bespearheaded by the chief executive officer. This demonstrates thatthe internal control system has received the support of the topmanagement. Therefore, the top management has the responsibility ofensuring that the system facilitates the establishment of a positiveinternal control environment. To achieve this, the management shouldplay the role of providing direction and leadership to the relevantstakeholders (University of Nebraska, 2016). Moreover, it is theresponsibility of the management to ensure that adequate policies andprocedures for assessing the effectiveness and compliance with theinternal control system are put in place. Additionally, themanagement is responsible for acting on the recommendations made bythe internal auditor regarding important changes in the existinginternal control system.

Theprimary responsibility of the internal auditor is to offer anobjective advice with respect to the design and implementation ofinternal controls. Although internal auditors are recruited and workfor the organization, they are expected to examine and makeindependent reports regarding the viability of the internal controlsput in place by the management (Dinapoli, 2013). Most importantly,internal auditors are expected to test the functionality of thecurrent set of internal controls and make recommendations to themanagement about the necessary changes as well as areas that needs tobe enhanced. In order to carry out this responsibility, internalauditors are supposed to study changes in the business environmentand identify new risks that the organization might face due toweaknesses of internal controls.

Question3: Cyber security

Thereare three key factors that have made cyber security a thrust area intoday’s business environment. First, modern businesses operated ina highly networked environment, where organizations connect theirbranches and external stakeholder using computer-based systems(Gabel, Liard &amp Orzechowski, 2015). This networking creates asuitable environment for cyber security to flourish because criminalsdo not require visiting companies physically in order to steal clientidentity or money. They can hijack the company’s systems from anylocation using their computers. Secondly, the consequences of cybercrimes are severe and they affect companies and their clients. Forexample, statistics show that about 12.7 million U.S. citizens lost $16 billion in 2014 to cyber criminals (Insurance InformationInstitute, 2016). The cyber criminals stole the money using theidentity of consumers, which was obtained from companies, such asbanks. Third, cybercrimes are committed across the borders, whichimply that the preventive measures put in place by individualcountries are inadequate. This implies that companies and theirclients remain vulnerable, irrespective of the laws and policiesformulated by the countries in which they operate.

Manystrategies have been recommended to companies, but three of them canreliably help companies prevent cybercrime. First, the company’ssystems should be protected through encryption in order to ensurethat the data stored in those systems is only accessed by authorizedpersons (Rotich, Metto &amp Siele, 2014). Secondly, companies shouldtrain their employees on how to detect early warning signs ofcybercrime. This can help companies contain cases of cyber attacks atearly stages, which is an effective way of reducing the severity ofcyber crimes. Third, companies should review their recruitmentprocedures in order to ensure that they only employ members of staffwho can be trusted. This is because some cybercrimes are perpetratedby external stakeholders who collude with internal stakeholders,including the managers and employees (Rotich, Metto &amp Siele,2014). Therefore, the vulnerability of companies to cybercrimes canbe effectively managed.


Internalcontrols are important because they give an assurance about thecorrectness and objectivity of the organizational operations. Thechanges made in COSO framework were intended to help theorganizations cope with the challenges that they face in the modernbusiness environment. An effective internal control system should beestablished with the contribution of the management and internalauditors. A highly networked environment, increase in vulnerability,and the severity of the consequences of cyber crimes make cybersecurity an issue worthwhile investigating.


Ernstand Young, LLP (2014). Transitioning to the 2013 COSO framework forexternal financial reporting purposes. Ernstand Young LLP.Retrieved June 3, 2016, from$FILE/COSOTransitionQuestionnaire_EE0946_27March2014.pdf

Dinapoli,P. (2013). Management’sresponsibility for internal controls.New York, NY: Office of the New York State Comptroller. RetrievedJune 3, 2016, from

Gabel,D., Liard, B. &amp Orzechowski, D. (2015, July 1). Cyber risk: Whycyber security is important. White&amp Case LLP.Retrieved June 3, 2016, from

InsuranceInformation Institute (2016). Identity theft and cybercrime.InsuranceInformation Institute.Retrieved June 3, 2016, from

Rotich,K., Metto, K., &amp Siele, L. (2014). A survey on cyber crimeperpetration and prevention: A review and model for cybercrimeprevention. EuropeanJournal of Science and Engineering,2 (1), 13-13. Retrieved June 3, 2016, from

Universityof Nebraska (2016). Management’sresponsibility.Lincoln, NE: University of Nebraska. Retrieved June 3, 2016, from