
Internal Controls and Business Processes


The COSO framework distinguishes internal controls by scale, separating entity level controls from activity level controls.

Internal controls are currently important because of section 404 of the Sarbanes-Oxley Act. Public companies and their auditors have to attest to the effectiveness of their internal controls in relation to financial reporting.

Entity level controls are those that have an effect in the control environment. They have a pervasive effect on the way that controls are implemented. (The control environment is one of 5 elements that make up internal controls; it essentially consists of management "setting the tone" and has a heavy slant towards ethics.)

An example is a commitment to competence, so that every member of the organisation has the skill set and knowledge required to do his job.

Activity level controls are control procedures that are enacted at the activity level.

To continue the commitment to competence example, an activity level control would be asking job candidates for financial roles to take a skills test.

However, COSO does make clear that significant controls are found at both levels. Indeed, any thorough evaluation of internal controls must investigate all significant controls, no matter what level.

The approach COSO takes to evaluating activity controls may differ from current auditing practice, which traditionally focused on the financial statement approach. For a more up-to-date US approach see the Public Company Accounting Oversight Board.

In particular, COSO chose to follow the Value-Chain analysis approach. This seeks to identify business process activities that add value to the offering to the customer. For more on the approach see here.

Value-Chain splits activities within firms and organisations into two kinds: primary and support.

Primary activities are those involved directly in creating the product and ensuring its sale and delivery to the customer.


 * Inbound Logistics: Activities for handling inputs to the product. An example is warehousing of raw materials.
 * Operations: Activities to transform inputs into a finished product.
 * Outbound Logistics: Storing the finished product and delivering it to the customer. A financial reporting related activity is ensuring the customer actually receives it.
 * Market and Sales: Enabling the customer to purchase the product. An example is pricing. The control could be to ensure the advertised price is the correct one.
 * Service: Activities to maintain the product in the hands of the buyer.

Support activities help the primary activities and each other by providing purchased inputs, technology and entity-wide activities like management accounting.


 * Firm Infrastructure: General management activities.
 * Human Resource Management: Activities dealing with hiring, training, development and compensation.
 * Procurement: Activities involved in the purchase of inputs. As procurement is so pervasive throughout the organisation, it is sometimes overlooked. A typical control is to make sure that stocks of materials match up with those purchased.
 * Technology Development: Activities to improve products and services. An example might be developing new IT systems.

Lastly, it has to be noted that every entity, no matter how small or large, simple or complex, has an individual value chain. As a consequence, each entity has to be viewed individually.
