All the most relevant Governance Frameworks demand – more or less explicit – the existence of additional controls that allow monitoring whether goals of an organisation are being met or not.
In order to guarantee that all controls will be deployed and maintained properly, organisation needs to move from ad-hoc activities to a planned implementation and monitoring system. This system is known as Internal Control System – ICS.
The Internal Control Systems is a tool that supports attaining objectives of an organisation. An Internal Control System is defined by COSO (Committee of Sponsoring Organisations of the Treadway Commission) as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
It should be noted that most Governance Frameworks utilises an ICS because of the need to measure and control selected aspects of organisation processes. An implementation of a Governance Framework requires a (re)design of the ICS since new controls need to be added. After implementation the established ICS controls are used at the execution level for monitoring of running business processes.
As with Governance Frameworks, several models for Internal Control System exist. One of the most complete and extensive model that is widely used is COSO’s Internal Control Integrated Framework. It consists of five components:
Elements of COSO ICS are often depicted in the form of a cube – shown in the figure.