COSO Enterprise Risk Management
eBook - ePub

COSO Enterprise Risk Management

Establishing Effective Governance, Risk, and Compliance Processes

Robert R. Moeller



About This Book

A fully updated, step-by-step guide for implementing COSO's Enterprise Risk Management

COSO Enterprise Risk Management, Second Edition clearly enables organizations of all types and sizes to understand and better manage their risk environments and make better decisions through use of the COSO ERM framework. The Second Edition discusses the latest trends and pronouncements that have affected COSO ERM and explores new topics, including the PCAOB's release of AS5; ISACA's recently revised CobiT; and the recently released IIA Standards.

  • Offers you expert advice on how to carry out internal control responsibilities more efficiently
  • Updates you on the ins and outs of the COSO Report and its emergence as the new platform for understanding all aspects of risk in today's organization
  • Shows you how an effective risk management program, following COSO ERM, can help your organization to better comply with the Sarbanes-Oxley Act
  • Knowledgeably explains how to implement an effective ERM program

Preparing professionals to develop and follow an effective risk culture, COSO Enterprise Risk Management, Second Edition is the fully revised, invaluable working resource that will show you how to identify risks, avoid pitfalls within your corporation, and keep it moving ahead of the competition.


Information

Publisher
Wiley
Year
2011
ISBN
9781118102541
Edition
2
Chapter 1
Introduction: Enterprise Risk Management Today
Well-recognized or mandated standards are important for effective enterprise governance and management. Compliance with these standards allows the enterprise to demonstrate they are following best practices and complying with regulatory rules. For example, the enterprise's financial statements are audited by an external audit firm to determine whether they are consistent with generally accepted accounting principles (GAAP) in the United States or are fairly stated following international financial reporting standards (IFRS). This financial audit process applies to virtually all enterprises worldwide, no matter their size or enterprise structure. Investors and lenders want an external party—an independent auditor—to examine financial records and attest whether they are fairly stated. In order to attest to these financial statements, that same auditor has to determine that there are good supporting internal controls surrounding all significant financial transactions.
Internal controls cover many areas in enterprise operations. An example here is a separation of duties control where a person who prepares a check for issue to an outside party should not be the same person who approves that check for payment. Two independent people should be involved with the release of checks that take cash from the enterprise. This is a common and well-recognized internal control, and many others relate to similar situations where one person or process should always be in a position to independently check the work of another party. Good internal control processes are essential for effective risk management systems in an enterprise.
This introductory chapter briefly looks at an important guidance standard for defining internal control, the Committee of Sponsoring Organizations' (COSO) internal control framework. This COSO guidance has become the worldwide accepted standard for defining internal control in enterprises today. From this internal controls framework the chapter then introduces the similar-looking, but very different, COSO enterprise risk management (ERM) framework, the major topic of many of the chapters in this book.
The chapter will also introduce us to an example company, Global Computer Products, which will be referenced in many examples throughout other chapters. The Global Computer Products hypothetical enterprise is a U.S.-headquartered computer hardware and software products manufacturer with worldwide development and distribution facilities. Although no example can be comprehensive or complete, we will try to use this Global Computer Products example as a vehicle to better understand and implement COSO ERM and governance, risk and compliance (GRC) issues in an enterprise today as well as to use them for implementing effective enterprise practices.
The COSO Internal Controls Framework: How Did We Get Here?
Similar to the many acronyms for products and techniques common in information technology (IT), product and process names are quickly turned into acronyms in the worlds of auditing, accounting, and corporate management. In the IT world, we quickly forget the names, words, or even the concepts that created the acronym and just use the several-letter acronyms. For example, International Business Machines Corporation (IBM) launched a custom software product for just one customer called the Customer Information Control System (CICS), back in the old mainframe or legacy computer system days of the early 1970s when IBM needed to develop software to access files in an online basis. Other computer manufacturing competitors at that time had online, real-time software, but IBM did not. IBM's CICS product was enhanced and generalized over the years. It is still around today for legacy systems, and today's users call it “Kicks” as their pronunciation of CICS. The definition or meaning of this acronym has been essentially forgotten and CICS has now become an IT “word.”
The internal control guidance-setting organization, COSO, is a similar example with an abbreviated name standing for the Committee of Sponsoring Organizations of the Treadway Commission. Of course, an explanation of that COSO name does not offer much help—who is this committee, what are they sponsoring, and what is the Treadway Commission? To understand how this internal control standard came about, it is necessary to go back to the late 1970s and early 1980s, a period when there were many major enterprise financial failures in the United States due to conditions including very high inflation, the resultant high interest rates, and some aggressive enterprise accounting approaches. The scope of these failures seems minor today when contrasted with the financial meltdowns of 2009 and 2010 or the financial frauds at the beginning of this century that led to the Sarbanes-Oxley Act (SOx). Financial crises will always be with us, and a concern back in the 1970s was that several major corporations suffered a financial collapse even though their recently published audited financial reports, signed by their external auditors, showed both adequate earnings and good financial health. Some of these failures were caused by fraudulent financial reporting, but most turned out to be victims of the high inflation and resultant high interest rates during that period. It was not uncommon for many companies that failed to have issued fairly positive annual reports despite the bad news about to come. This also was another period of high regulatory activity in the United States and some members of Congress drafted legislation to “correct” these business or audit failures. Congressional hearings were held, but no legislation was ever passed. Rather, a private professional group, called the National Commission on Fraudulent Financial Reporting, was formed to study the issue. Five U.S. professional financial organizations sponsored this National Commission: the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the Financial Executives Institute (FEI), the American Accounting Association (AAA), and the Institute of Management Accountants (IMA). Named after its chair, SEC Commissioner James C. Treadway, the authority adopted as its official name The Committee of Sponsoring Organizations of the Treadway Commission. Today, that group has become known by its acronym name, COSO.
The original focus of COSO was not on enterprise risk management but on the reasons behind the internal control problems that had contributed to those financial reporting failures of many years ago. COSO's first report, released in 1987,1 called for management to report on the effectiveness of their internal control systems. Called the Treadway Commission Report, it emphasized the key elements of an effective system of internal controls, including a strong control environment, a code of conduct, a competent and involved audit committee, and a strong management function. Enterprise risk management was not a key topic at that time. The Treadway report emphasized the need for a consistent definition of internal control and subsequently published what is now known as the COSO definition of internal control, now the generally recognized worldwide internal accounting control guidance or framework.
That COSO report on internal controls was released in 1992 with the official title Internal Control–Integrated Framework.2 Throughout this book, it is referred to as the COSO Internal Controls report or framework to differentiate it from the COSO Enterprise Risk Management or the COSO ERM framework, our main topic. The COSO Internal Controls report proposed a common framework for the definition of internal control, as well as procedures to evaluate those controls.3 For virtually all persons involved in modern business today, an understanding of that COSO definition of internal controls is essential.
The COSO Internal Controls Framework
The term internal control had been part of the vocabulary of business for many years, but it historically never had had a precise, consistent definition. COSO developed a now almost universally accepted definition or description of internal control, as follows:
Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
The COSO definition of internal control uses a three-dimensional model to describe an internal control system in an enterprise. The model, as shown in Exhibit 1.1, consists of five horizontal levels or layers, three vertical components, and multiple sectors spanning its third dimension. This model, as shown in the exhibit, might be viewed in terms of its 5 × 3 × 3 or 45 individual cells or components. However, these are not individual and separate components but are all interconnected with internal controls in each depending on the others. While each level and component of the COSO internal control framework is important for understanding internal controls in an enterprise, we will focus here on two horizontal levels: the control environment foundation level and the risk environment level. These are particularly important components for understanding how the COSO internal control framework relates to the COSO ERM model introduced later in Chapter 4 and illustrated in Exhibit 4.1.
Exhibit 1.1 COSO Internal Controls Framework
COSO Internal Control Elements: The Control Environment
Just as any building needs a strong foundation, the COSO internal control framework has its foundation in what COSO calls the internal control environment, the starting basis for all internal controls in an entity. An enterprise's control environment influences how business activities are structured and risks assessed in an enterprise. It serves as a foundation for all other components of internal control and has an influence on each of the three internal control objectives and all activities. The control environment reflects the overall attitude, awareness, and actions by the board of directors, management, and others regarding the importance of internal controls in the enterprise.
An enterprise's history and culture play a major role in forming its control environment. For example, when an enterprise and its management place a strong emphasis on producing error-free products, when senior management continues to emphasize the importance of error-free products, and if this message has been communicated to all levels, this becomes an important control environment factor for the enterprise. The words of the chief executive officer (CEO) and other members of senior management communicate a strong message to employees, customers, and other stakeholders. This very important set of messages is known as the tone at the top. However, if senior management has had a reputation of “looking the other way” at policy violations and oth...
