Internal audit under the COSO approach.

Nowadays it is essential for organizations to have an audit activity to know the veracity of the financial information they have generated, as well as the activities related to the administrative area, in order to verify the effectiveness of the internal control operating procedures. Therefore, organizations should develop internal audit processes to help all members of management to discharge their financial and administrative responsibilities and achieve the proposed goals. In this perspective, Estupiñan (2006) indicates that internal auditing is a process executed by the Board of Directors or Administrative Council of an entity and by the personnel, designed to provide them with security to achieve effectiveness and efficiency in operations, reliability of financial information, and compliance with laws and regulations.

From this point of view, internal auditing is part of the administration of an entity whose function is the subsequent analysis of operations, evaluation of compliance with policies, standards, procedures, examination of accounting and budgetary statements, as well as the communication of results and recommendations to the highest authority or to the person to whom it reports hierarchically. In this sense, it represents one of the most important means of control used by the management of an organization to assess and evaluate the results obtained. This function is characterized by reporting on the compliance and maintenance of the effectiveness, efficiency and economy of the systems and procedures within the organization. For this reason, the support and commitment of managers is essential, as well as the willingness of all personnel, since they are an indispensable and non-delegable part of the managerial responsibility, which does not end with the formulation of objectives and goals, but with the verification that these have been fulfilled. Indeed, the field of application of internal auditing is very broad, since any activity or function that is carried out in a group, uses resources and pursues an objective can, or should be managed, and therefore may be the subject of an evaluative investigation.

In this context, internal auditing represents a control body that is applied in business organizations to examine and monitor adherence to the guidelines established, as well as to participate in the improvement of the controls established or to be established at any given time. In the words of Morales (2012), internal auditing is an independent activity of evaluation of an organization, through the review of its accounting, finances and other operations that serve as a basis for the company's management. Based on these guidelines, internal auditing makes use of internal control to keep the company in the direction of its profitability objectives, since they promote efficiency, reduce the risks of loss of assets, and help ensure the reliability of financial statements and compliance with laws and regulations.

Source

Based on these points, Mantilla (2009) points out that internal control is broadly defined as a process carried out by the board of directors, managers and other personnel of the entity, designed to provide reasonable assurance regarding the achievement of objectives" (p.68) The author goes on to state that "internal control consists of five interrelated components, derived from the way management conducts business, and are integrated into the management process. Although the components apply to all entities, small and medium-sized entities may implement them differently than large ones. Their controls may be less formal and less structured, however a small company may have an effective internal control.

In this order of ideas, the components of internal control are: control environment, risk assessment, control activities, information and communication, and monitoring. For the purpose of analyzing each component, we must start from the concept given in the COSO Report (Committee of Sponsoring Organizations of Treadway) on internal control, published in the U.S. in 1992, which arose as a response to the concerns raised by the diversity of concepts, definitions and interpretations that exist on the subject. This report addresses the needs and expectations of managers and others. It defines and describes internal control in order to establish a common definition that serves the needs of different parties, as well as to provide a standard by which business entities and other large or small, public or private, not-for-profit entities in the public or private sector can assess their control systems and determine how to improve them.