Control environment. Senior management must set an appropriate "tone at the top" that positively influences the control consciousness of entity personnel. The control environment is the foundation for all other components of internal controls and provides discipline and structure.
Risk assessment. The entity must be aware of and deal with the risks it faces. It must set objectives, integrated throughout all value chain activities, so that the organization is operating in concert. Once these objectives are set, the entity must then identify the risks to achieve those objectives, analyze them, and develop ways to manage them.
Control activities. Control policies and procedures must be established and executed to help ensure the actions identified by management to address risk are effectively carried out.
Information and communications. Surrounding the control activities are information and communication systems, including the accounting system. These systems enable the entity's people to capture and exchange the information needed to conduct, manage, and control its operations.
Monitoring. The entire control process must be monitored, and modifications made as necessary. In this way, the systems can react dynamically, changing as conditions warrant.
COSO Treadway Commission
 |
“When evaluating the effectiveness of internal control, management should consider it as an integrated whole.” |
The Committee of Sponsoring Organization of the Treadway Commission ("COSO")
framework describes five interrelated components of internal control.