Committee of Sponsoring Organizations of the Treadway Commission (COSO)


COSO is an organization providing thought leadership and guidance on internal control, enterprise risk management (ERM), and fraud deterrence. In 1992, COSO released Internal Control ― Integrated Framework (the framework). The framework was recognized among the corporate and financial reporting community as the predominant framework for reporting on the effectiveness of internal control over financial reporting (ICFR) by U.S. public companies. The framework is still regarded as a leading resource for guidance on the design and evaluation of internal control, and for evaluating the compliance of such controls with Section 404 of the Sarbanes-Oxley Act. The COSO framework can also be applied in assessing internal control over operations, compliance, and other reporting objectives.

The five components of the framework are:

1. Control environment

a. How management puts into place policies and procedures that guide the organization

b. The tone management sets in the organization should be clearly communicated so that everyone knows that they are responsible for the controls operating effectively and achieving the intended results

Update:

Sets the tone of an organization, influencing the control consciousness of its people.

  • Demonstrates commitment to integrity and ethical values.
  • Exercises board of directors' oversight responsibility.
  • Establishes structure, authority, and responsibility.
  • Demonstrates a commitment to a competent workforce.
  • Holds individuals accountable for internal controls.

2. Risk assessment

How the organization assesses risk to identify the things that threaten the achievement of their objectives

Update:

The process for identifying and analyzing risks to achieving the organization’s objectives.

  • Specifies clear and relevant objectives.
  • Identifies and analyzes risks across the organization.
  • Assesses the potential for fraud.
  • Identifies and analyzes significant changes.

3. Control Activities

Actions established by policies and procedures to ensure that management directives to mitigate risks are carried out.

  • Selects and develops control activities that mitigate risks.
  • Selects and develops general controls over technology.
  • Deploys control activities through policies and procedures.

4. Information and communication

How management communicates its expectations to internal and external users, and how it elicits acknowledgment and affirmation from those people that they understand the expectations

Update:

Systems or processes that support the identification, capture, and exchange of information in a form and timeframe that enable people to carry out their responsibilities.

  • Uses relevant, high-quality information to support internal control.
  • Communicates internal control information internally.
  • Communicates with external parties regarding internal control matters.

5. Monitoring activities

How management oversees the function of the entire organization, how it identifies when things aren’t working correctly, and how it corrects those deficiencies quickly

Update:

Ongoing evaluations, separate evaluations, or some combination of the two used to ascertain whether each of the five components of internal control is present and functioning.

  • Selects, develops, and performs ongoing and/or separate evaluations.
  • Evaluates and communicates internal control deficiencies in a timely manner.

Existing control activities

What controls are currently in place, whether the controls were in place and operating effectively at a specified time, and how long the controls have been in place.

COSO revised the original framework in 2013. The most significant change was the addition of 17 principles and 77 focus areas. These new items expand the definition of the five core areas. For a system of internal control to be effective, each of the 17 principles must be (a) present, (b) functioning, and (c) operating together in an integrated manner. Among the 17 principles, principle 8 states:

“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

What makes the 2013 framework an important development is that it provides guidance for organizations to develop effective and efficient systems of internal control to achieve important business objectives. It also facilitates organizations’ efforts as they (a) adapt to the increasing complexity of a changing business environment, (b) manage risks to, and (c) improve the reliability of information for management’s decision-making.

Separately, in 2016 COSO published guidance on fraud deterrence in the Fraud Risk Management Guide (the guide), written to be supportive of and consistent with the 2013 framework and to provide best-practice guidance for organizations to follow in addressing this fraud risk assessment principle. The guide’s five fraud risk management principles fully support, are entirely consistent with, and are parallel to the 2013 COSO framework’s 17 internal control principles. The relationship between the fraud risk management principles and the 2013 COSO framework’s internal control components and principles is described in the following chart.