COSO is a framework used by businesses to establish a set of internal controls for integration into their business processes. This set of controls assures that an organization is operating in accordance with established industry standards and COSO best practices and functions in an ethical and transparent manner.
COSO is the acronym for the Committee of Sponsoring Organizations of the Treadway Commission. The committee created the framework in 1992 in conjunction with several private sector organizations, including the American Accounting Association, Financial Executives International and the American Institute of Certified Public Accountants, among others. Today it is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
The COSO Model
COSO broadly defines internal control as “a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in the following categories:
- Operational Effectiveness and Efficiency
- Financial Reporting Reliability
- Applicable Laws and Regulations Compliance
In 2013, the COSO framework was updated to include the COSO cube, a 3-D diagram that demonstrates the integration and relationship of each element of an internal control system. The committee then introduced a COSO Enterprise Risk Management (ERM) Framework in 2017, to assist organizations to understand and prioritize risks and to build strong and sustainable links between risk, strategy and business performance.
When initiating the project to update its ERM framework, COSO saw opportunities to gain clarity on several fronts. The updated framework recognizes the growing importance of the interconnection of risk, strategy and enterprise performance, particularly in organizational decision-making. To start, its underlying premise is that every entity exists to provide value to all stakeholders; yet, these entities face uncertainty in pursuing that value. Thus, the framework focuses on creating and preserving enterprise value, with an emphasis on managing risk within the entity’s defined risk tolerance. “Uncertainty” is defined as not knowing how or if potential events may manifest themselves when achieving future strategies and objectives. The term, “risk” is the effect of such uncertainty in formulating and executing strategy and achieving objectives.
Since their inception, COSO’s ERM and Integrated and Internal Control Frameworks were intended to provide guidance for management on how to implement and evaluate effective ERM and internal control processes, leading to the improvement of management and governance processes. When applied effectively, the frameworks’ concepts contribute to the goal of improving organizational performance and governance in meaningful and measurable ways.
One can dig deeper into the COSO update and get answers to many questions, such as, who should complete the mapping of controls to the 17 principles, and what are the components of a model project plan for the 2013 New Framework implementation? One can dig deeper into the history, updates and details of COSO as well as get answers to a series of in-depth questions, here.
The Five COSO Components
The COSO framework is principles-based, meaning it introduces five interrelated components to support the achievement of an entity’s mission, strategies and related business objectives. These components are as follows:
- Control Environment: This component aims to ensure that all business processes reflect industry standard practices, aiming to validate that the business is run responsibly. As such, it serves to potentially reduce an organization's legal exposure and verify that an organization is adhering to regulatory compliance requirements.
- Risk Assessment and Management: Also referred to as enterprise risk management, this component adheres to the concept that risk is an inherent part of doing business and may cause a business to suffer adverse consequences. Risk management helps a business to identify, mitigate and even eliminate risks deemed to pose a threat to its well-being.
- Control Activities: Also tied to risk management, control activities are carried out to ensure that business processes are carried out in a way that helps an organization meet its business objectives without introducing unnecessary risks into the process.
- Information & Communications: This component consists of rules to ensure that internal and external communications adhere to legal requirements, ethical values and industry best practices. One example is data usage and security.
- Monitoring: Monitoring is typically performed by an internal auditor who ensures that employees adhere to established internal controls. Public companies tend to outsource this function to an external auditor. Audit results are reported to the board of directors.
In addition to these five components, the COSO framework outlines 20 relevant principles arrayed among those components. The framework focuses on integrating ERM with the core processes. Its subtitle defines it well: “Integrating with Strategy and Performance.” Its concept of integration is embodied within its definition of ERM: “The culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk, creating, preserving and realizing value.” Four themes are vital to effective ERM integration:
- Implementing strategy
- Integrating performance
- Laying a strong foundation with risk governance and culture
- Tying risk considerations into decision-making processes
How Is the COSO Framework Used?
The COSO Framework is used by many publicly traded companies as well as accounting and financial firms. It seeks to put internal controls in place that standardize and articulate the way business processes are performed. COSO helps organizations adhere to legal and ethical requirements through a focus on risk assessment and management. The framework integrates controls into key business processes while placing emphasis on monitoring and reporting, particularly when using internal auditors to monitor adherence to established controls.
The COSO Framework emphasizes the importance of an organization’s tone at the top and the responsibility of the board of directors for overseeing the development and performance of internal controls. There are several reasons why the board or one or more of its committees should care about the Framework. Active oversight by the board of directors can help strengthen an organization and better prepare it to face significant risk exposures. ERM increases risk awareness and encourages a proactive approach to managing those risks.
Further Your Knowledge of COSO
To start, KnowledgeLeader offers a preliminary CPE course, Overview of the COSO Internal Control-Integrated Framework. This basic-level course explains the history of the COSO framework, objectives and components and its application at the entity, process and activity levels.
For those focusing on specific COSO applications, there’s the course, Using the COSO Internal Control Integrated Framework for Sarbanes-Oxley Compliance.
In addition to online CPE courses, resources are available for individual and group study and serve as a helpful reference for organizations—for example, How COSO Frameworks Improve Organizational Performance and Governance. This booklet illustrates how the ERM frameworks can enhance organizational performance, governance, strategy setting and management processes.
In sum, the COSO framework of internal control establishes the foundation for sound internal control within an organization through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions of the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels across the company. The entire system of internal control is continuously monitored and problems are addressed in a timely fashion. Learn more from KnowledgeLeader here.