COSO, or the Committee of Sponsoring Organizations of the Treadway Commission, is a committee composed of representatives from five organizations: The American Accounting Association, American Institute of Certified Public Accountants, Institute of Internal Auditors, Institute of Management Accountants, and Financial Executives International. The goal of COSO was to investigate factors that led to fraudulent financial activity from the 1970s into the mid-1980s.
Unfortunately, fraud continues to rise. According to a 2022 report by the Association of Certified Fraud Examiners, the most common cause of occupational fraud was a lack of internal controls.
The COSO Framework
In 1992, COSO released a framework to help secure organizational assets from fraud. The framework's goals are divided into three categories: operations, reporting and compliance. The primary focus is meeting applicable laws and regulations in these areas.
To effectively meet these goals, COSO divides the framework's 17 principles into five pillars:
Control Environment
The control environment refers to the organization's culture and establishes the discipline and structure needed to implement the remaining controls in the framework. Factors include integrity, ethical values, organizational structure and a commitment to proper employee development.
The organization's board of directors and senior leaders establish the tone from the top regarding the importance of COSO internal controls and the expected standards of conduct.
Risk Assessment
Every organization faces both internal and external risks. Understanding these risks is an important prerequisite in determining how to manage them best. Before starting a risk assessment, management must identify objectives within the categories of operations, reporting and compliance.
Any risks that may prevent the achievement of these objectives will be identified during the assessment, and management action plans can be implemented to manage these risks.
Control Activities
Control activities are the actions, activities and communications established through policies and procedures. They help ensure that management's directives to mitigate risks are carried out.
Control activities are carried out at all organizational levels and can include authorizations, approvals and verifications.
Information and Communication
Information obtained through IT systems provides reports on operational, financial and compliance-related information that makes control activities possible.
Effective communication is both continuous and iterative. It ensures that the proper information flows to all areas of the organization and guarantees effective communication with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring Activities
The fifth pillar of the COSO Framework involves monitoring all controls to verify that they are functioning properly. This can be carried out via continuous evaluations or separate audits that management can review. All findings are evaluated against regulatory standards and the objectives established by senior leadership.
Monitoring typically leads to routine reviews by management and senior leadership that can help set the tone for the organization.
Implementing and Using the COSO Framework
The COSO Framework is widely used in publicly traded companies, accounting firms and financial institutions. It enables these organizations to comply with legal and regulatory standards while emphasizing risk assessment and risk management.
By leveraging COSO procedures, organizations can monitor adherence to the established controls and prioritize efforts to meet objectives.
There are five steps that organizations can take to implement the COSO Framework:
Learning and Planning
To get the most benefit from the COSO Framework, a team is typically established to champion the effort to learn about it and develop implementation recommendations. Ensure that the people directly involved with the implementation develop a deep understanding of the COSO Framework, its five pillars and 17 principles.
At this stage, create a detailed plan that includes timing and milestones, resources needed, and named team members who are given clear roles and responsibilities.
Determine the scope of the implementation: Which activities will be measured, and when will they be measured?
Assess and Document
Once a plan is in place, the next step is to assess the controls currently in place and gather documentation that refers to these controls. Note if there are established, documented processes with appropriate control activities. When there is no documentation or the documentation is not adequate, these should be listed as gaps to be remediated.
Next, compare any existing controls to those in the COSO Framework by noting each of the five pillars and 17 principles and indicating where existing controls fit into the framework. During this comparison, try to interview key personnel who carry out the existing control procedures to determine if there are potentially other gaps.
Remediate
Once the assessment of the current controls is completed, it is time to remediate any gaps that were found. Each remediation plan should name those responsible and include the risk mitigation steps and the timeline. As a part of the remediation plan, prioritize those deficiencies that pose the greatest risks at the top of the list.
Once the plan is drafted, be sure to obtain approval from senior leadership on the next steps and ensure that those who will carry out any plans are available.
Test and Report
As risks are remediated, evaluate the effectiveness of the organization's internal controls and adjust them as needed to either remediate any lingering gaps or to make improvements.
Observe how control owners perform actions to carry out the COSO procedures. Ask the control owners questions to explain how their controls work and request any related documentation. Be sure to report any findings to senior management.
Continuously Improve
The internal controls that have been established must be dynamic and flexible enough to respond to changes in the organization's objectives and operations. Ensure that all controls are aligned with the organization's strategic goals and determine whether controls should be manual or automated.
At this time, continuous monitoring with software should be considered. COSO tools, such as software programs, can help organizations establish a culture of compliance by enabling more people to adhere to controls as a part of their daily workflow.
Automating COSO Compliance
Because of the COSO Framework's high-level mandates, any changes to improve controls, including tracking action items and reporting to senior management, can be daunting. Manually tracking activities in spreadsheets can be time-consuming and lead to errors.
COSO tools can transform monitoring and reporting from manual audits and reporting after the fact to continuous monitoring with real-time reporting. Organizations can always have greater visibility into compliance status to be better prepared for any audits.
When choosing COSO tools, look for a relatively straightforward deployment with software that can work in the existing environment. Make sure these tools make it easier to collect evidence and show adherence to the processes. Any tools chosen should lower the effort and cost of compliance over time.
COSO Best Practices
Properly utilizing the COSO Framework should lead to improved risk management within the organization. The following are some best practices that will result from its usage over time:
Improved Governance and Culture
A fundamental goal of COSO is to improve the organization's governance and compliance functions to monitor risks and improve security. This will ensure improved bottom-up adherence to policies, regulations and laws. Looking top-down, organizational culture will also improve with enhanced board and senior management oversight and direction.
Improved Fraud Detection and Prevention
The COSO Framework enables organizations to implement controls that prevent fraud from occurring and, when it does occur, to detect any fraud immediately. This will lead to more effective responses to any incidents of fraud. If fraud does occur, establish a formal review process to understand the root cause. Any root cause analysis should assess all controls and procedures that need improvement.
Standardize and Create More Effective Controls
When organizations leverage the COSO Framework, they standardize how all teams conduct their business. This not only improves the effectiveness of the controls to mitigate risks but also will improve the organization's efficiency. This is because the COSO Framework provides a common language for internal controls across the organization, reducing siloed terms and usage. A common language will also lead to improved design, implementation and evaluation of controls to make better use of everyone's time.
Reduce Costs
Organizations that properly implement the COSO procedures and framework will become more efficient over time as all teams follow the same control set. This will ultimately lead to lower risk management and compliance costs.
In addition, many organizations that leverage the COSO Framework tend to act more strategically to help them meet their goals. This leads to improved performance, which will garner positive attention from employees, customers and investors.
Learn more about the COSO Framework by exploring these related resources on KnowledgeLeader: