What is COSO?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group initiative between five organizations committed to helping businesses enhance operational performance through internal controls, governance, risk management, and fraud deterrence.

As a part of COSO, the Internal Control-Integrated Framework has been widely accepted as the standard framework for developing internal controls and measuring the effectiveness of those internal controls.

Overview of the COSO Internal Control-Integrated Framework

The COSO Integrated Framework enables organizations to create and implement a system of internal security controls. The definition of internal control, according to COSO, is a process designed to deliver reasonable assurance for meeting objectives in three categories:

  • Operational Efficiency and Effectiveness 
  • Financial Reporting Objectives 
  • Compliance with Applicable Laws and Regulatory Requirements

Who is responsible for COSO compliance?

The COSO framework is not a legal mandate, however, regulators like the Securities and Exchange Commission (SEC) or the Justice Department use it to audit adjacent frameworks such as FCPA and SOX. 

Additionally, the American Institute of Certified Public Accountants (AICPA) provides a voluntary COSO certification program to demonstrate the organization’s ability to implement adequate internal controls.

What are the objectives for implementing COSO?

COSO’s Internal Control-Integrated Framework denotes that an effective internal control system contains eighteen principles spread out over five components of internal control systems. The five components are: 

  1. Control Environment
  • Exercise proper ethics and integrity values
  • Commit to competence
  • Leverage your audit committee and board of directors
  • Facilitate the organization’s operating style and management philosophy
  • Create a structure for the organization
  • Assign responsibility and authority appropriately
  • Leverage human resources protocols within the internal control environment 

2. Risk Assessment

  • Develop organization-wide objectives
  • Develop objectives at the process level
  • Perform risk analysis and determine acceptable levels of risk
  • Implement change management

3. Control Activities

  • Follow procedures and protocols
  • Enhance application and network security
  • Implement change management at the application level
  • Outsourcing activities

4. Information and Communication

  • Measure information quality
  • Measure communication effectiveness

5. Monitoring

  • Perform continuous monitoring activities
  • Evaluate the effectiveness of controls
  • Report and mitigate any control deficiencies

How to implement COSO to Mitigate Enterprise Risk

Using the COSO Internal Control-Integrated Framework’s five components, risk mitigation in the enterprise environment occurs in the following phases: 

  1. Control Environment: The organization must define the standards, procedures, and structure that provide the basis for carrying out internal controls across the entire business environment. This will include organizational structure, ethical values, ensuring competency around internal controls, and implementing human resources policies.
  2. Risk Assessment: Next, the organization should conduct an internal audit to identify and analyze risks posed by threats both internally and externally. This includes establishing objectives, determining the applicability within your business, and how it weighs risk versus tolerance.
  3. Control Activities: Then, the organization should use its organizational protocols to outline the tasks to achieve its internal control goals. These include operations around approvals, validation, reconciliations, and performance reviews.
  4. Information and Communication: These aspects are vital to the success of an internal control system. COSO emphasizes the importance of high-quality information to direct control functions. This includes determining the responsibilities and expectations of team members.
  5. Continuous Monitoring: Finally, a vital component of an effective internal control system is monitoring the controls routinely to ensure they remain effective over time. Ongoing evaluations should be embedded in your day-to-day business operations and vary depending on the type and level of risk.

Key Takeaways

  • The purpose of COSO is to help businesses enhance operational performance through internal controls, governance, risk management, and fraud deterrence.
  • The COSO Internal Control-Integrated Framework is widely accepted as the standard framework for developing an effective system of internal control.
  • Auditing COSO compliance objectives is not a legal mandate but is used for FCPA and SOX audits.
  • The Internal Control-Integrated Framework lays out five components and eighteen principles to guide an effective internal control system and mitigate enterprise risk management (ERM).