Control framework definition
/What is a Control Framework?
A control framework is a conceptual basis for formulating a set of controls for an organization. This set of controls is intended to minimize risk through the use of practices and procedures in a coordinated manner. The best-known control framework is the Integrated Framework, which was developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. This framework defines internal control as a process that is designed to provide reasonable assurance regarding the achievement of objectives in the following three areas:
The efficiency and effectiveness of a firm’s operations
The reliability of a firm’s financial reporting
The compliance of a firm with applicable laws and regulations
The framework includes the following general concepts:
Internal control is not an end in itself; rather, it is a process that is intended to support the requirements of a business.
Internal control is impacted by individuals throughout a business; it is not simply a set of policies, procedures, and forms.
Internal control can only provide reasonable assurance to an organization’s management and board of directors; it cannot provide absolute assurance.
Internal control is targeted at achieving specific objectives within a business.
Related AccountingTools Courses
How to Minimize the Need for a Control Framework
It is not always necessary to develop a system of controls. Instead, there are methods for avoiding the underlying issues entirely, so that no controls are required. These avoidance actions are as follows:
Automate activities. If there are risks associated with having employees complete certain tasks, then see if these tasks can be automated instead. Doing so eliminates the risk of transactional errors and fraud. For example, automated picking systems can be used to fulfill orders, thereby eliminating the risk of delivering incorrect shipments to customers. However, automation is limited by the cost of the equipment and the level of task complexity that can be replaced.
Centralize decision-making. Some risks can be reduced by centralizing key decision points with the most experienced people. This usually means that a business employs a high level of centralization, where all important decisions are run up the corporate hierarchy to people with vast amounts of experience. While this approach does mitigate the level of “rookie mistakes,” it also means that a business tends to have a large number of inexperienced, junior staff.
Eliminate activities. If the risks associated with a particular activity are too high, then avoid the activity entirely. For example, you could sell off or shut down the business unit that is presenting such a high risk. Alternatively, you could subcontract the work, thereby shifting the risk onto the subcontractor. For example, you might conclude that running a paint booth in a production facility presents an excessive risk of medical problems for employees, and so shift this work to a subcontractor.
Share risks. If you must retain some activities, then at least outsource some or all of the associated risks by obtaining insurance coverage, such as fidelity bonds. Another risk-sharing option is to invest in joint ventures to deal with some activities, so that any losses are shared with them.
Any one of these options rarely provides a complete solution to control problems, but some combination of them can be used to mitigate risks, sometimes to a substantial degree.
Related Articles
Components of an Internal Control System
Continuous Controls Monitoring