Which of the following is a component of an internal control system that ensures that the internal control system is working as designed?

Implementing Internal Controls for SOC 1 Compliance

When an organization pursues SOC 1 compliance, it will be tested against the COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. In order for an organization to successfully complete a SOC 1 audit, it will need to meet the three objectives of internal control, demonstrate that it has the five components of internal control in place and functioning, and implement the 17 principles of internal control outlined in the framework. While we’ve already covered how organizations can meet the three objectives of internal control, let’s take a look at the five components of COSO and what they mean for SOC 1 compliance.

The 5 Components of COSO: C.R.I.M.E.

The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – are often referred to by the acronym C.R.I.M.E. To get the most out of your SOC 1 compliance, you need to understand what each of these components includes.

  1. Control Environment: How has management put into place policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to make sure that your controls are operating effectively and are achieving the results that they expect?
  2. Risk Assessment: How does your organization assess risk in order to identify the things that threaten the achievement of their objectives?
  3. Information and Communication: How does management communicate to their internal and external users what is expected of them? How do you make sure that you receive acknowledgement from those people that they understand what you’re asking them to do?
  4. Monitoring Activities: How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as you possibly can?
  5. Existing Control Activities: What are the controls that you currently have in place? Were they in place and operating effectively over a period of time?

Want to get started on your SOC 1 compliance journey? Ready to learn more about the COSO Internal Control – Integrated Framework and how you can implement the five components of COSO? Contact us today.

Video Transcription

In order to complete your SOC 1 audit, you have to have the five components of internal control in place and functioning. These five components are known by the acronym C.R.I.M.E. The “C” stands for control environment. How has management put into place policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to make sure that our controls are operating effectively and are achieving the results that we expect? The “R” stands for risk assessment. How does the organization assess risk in order to identify the things that threaten the achievement of their objectives? The “I” stands for information and communication. How does management communicate to their internal and external users what it is they expect from them? How do we make sure that they receive acknowledgement from those people that they understand what it is that you’re asking them to do? The “M” stands for monitoring activities. How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as you possibly can? The “E” stands for existing control activities. This is the largest section in your SOC 1 report because it talks about all of the controls that you’ve put into place and how the auditor tested those controls to make sure that they were operating effectively over a period of time.

Audit & Advisory Services is committed to assisting all levels of management and staff in the achievement of UCSF's goals and objectives by striving to provide a positive impact on the efficiency and effectiveness of operations. To that end, the internal controls information provided below covers the basic concepts of internal controls and their application to UCSF, including:

  • Internal controls summary
  • Internal control structure
  • Internal control types
  • Internal controls in my department

Internal controls summary

Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance:

  • That information is reliable, accurate and timely
  • Of compliance with applicable laws, regulations, contracts, policies and procedures
  • Of the reliability of financial reporting

Internal controls are intended to prevent errors and irregularities, identify problems and ensure that corrective action is taken. In many cases, process owners within your department perform controls and interact with the control structure on a daily basis, sometimes without even realizing it, because controls are built into operations.

This definition of internal control reflects certain fundamental concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy manuals and forms, but also people at every level of an organization.
  • Internal control can be expected to provide only reasonable, not absolute, assurance to an entity’s management and board.

Internal controls are established to further strengthen:

  • The reliability and integrity of information
  • Compliance with policies, plans, procedures, laws and regulations
  • The safeguarding of assets
  • The economical and efficient use of resources
  • The accomplishment of established objectives and goals for operations or programs

Internal control structure

The internal control structure is derived from the way management runs an operation or function and is integrated with the management process. Although the components apply to the entire University, small and mid-size departments may implement them differently than large ones do. Together, they are designed to provide reasonable assurance that overall established objectives and goals are met.

The internal control structure consists of five inter-related components:

  • Control environment – The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include (1) the integrity, ethical values and competence of the entity's people; (2) management's philosophy and operating style; (3) the way management assigns authority and responsibility and organizes and develops its people; and (4) the attention and direction provided by the University. Additional examples are:
    • Tone from the top
    • University policies
    • Organizational authority
  • Risk assessment – Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Examples include:
    • Monthly meetings to discuss risk issues
    • Internal audit risk assessment
    • Formal internal departmental risk assessment
  • Control activities – Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Additional examples are:
    • Purchasing limits
    • Approvals
    • Security
    • Specific policies
  • Information and communication – Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that makes it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization. Examples include:
    • Vision and values or engagement survey
    • Issue resolution calls
    • Reporting
    • University communications (e.g., emails, meetings)
  • Monitoring – Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the Regents. Examples include:
    • Monthly reviews of performance reports
    • Internal audit function

Internal control types

Different risks and environments require different controls. The control types described below can be used in combination to mitigate risks to the organization.

Preventive and detection controls

  • Preventive controls attempt to deter or stop an unwanted outcome before it happens. Examples include use of passwords, approval, policies and procedures.
  • Detection controls attempt to uncover errors or irregularities that may already have occurred. Examples include reconciliations, monitoring of actual expenses vs. budget, prior periods and forecasts.

Hard vs. soft controls

  • Hard controls are formal and tangible. Examples include organizational structure, policies, procedures and segregation of duties.
  • Soft controls are informal and intangible. Examples include tone at the top, ethical climate, integrity, trust and competence.

Manual vs. automated controls

  • Manual controls are performed by people. They may be solely manual, or IT-dependent, where a system-generated report is relied on to perform a particular control.
  • Automated controls are performed entirely by the computer system.

Key vs. secondary controls

  • Key controls are those that must operate effectively to reduce the risk to an acceptable level.
  • Secondary controls are those that help the process run smoothly but are not essential.

To identify the correct control(s) to implement, you must know what risks are present. To know what risks are present, you need to understand what objectives are being sought. Therefore: Objectives → Risks → Controls.

Internal controls in my department

Control activities within your department may include the following:

  • Implementing segregation of duties where duties are divided (segregated) among different people, to reduce the risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
  • Making sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
  • Ensuring records are routinely reviewed and reconciled, by someone other than the preparer or transactor, to determine that transactions have been properly processed.
  • Making certain that equipment, inventories, cash and other property are secured physically, counted periodically and compared with item descriptions shown on control records.
  • Providing employees with appropriate training and guidance to ensure that they (1) have the knowledge necessary to carry out their job duties, (2) are provided with an appropriate level of direction and supervision and (3) are aware of the proper channels for reporting suspected improprieties.
  • Making sure University- and departmental-level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and promotes continuity of activities in the event of prolonged employee absences or turnover.

Remember, everyone in your department has responsibility for internal controls.

Note: The above internal controls definition was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is recognized by UCSF Audit & Advisory Services.

What are the components of an internal control system?

There are five interrelated components of an internal control framework: control environment, risk assessment, control activities, information and communication, and monitoring.

Which of the following components of internal control consist of work performed by internal and external auditors?

Answer and Explanation: The monitoring of the company's control system comes under the responsibility of both internal and external auditors, so it consists of work performed by both auditors.

Which one of the following describes the internal control component information system?

The answer is A. Internal auditors monitor company controls to safeguard assets, and external auditors evaluate the controls to ensure that the accounting records are accurate.

Which is the control component of an internal control system that refers to the attitude of employees in the organization?

Control Environment. The control environment refers to the overall attitude, awareness and actions of management regarding the system of internal controls and its importance to the agency. all components of the control environment.