Guide to COSO Framework and Compliance

Trust is a core component in business dealings. However, it can be hard to ascertain, especially when the performance of any task relies on individuals. Over time, independent organizations such as The Committee of Sponsoring Organizations of the Treadway Commission (COSO) have come up to guide business operations. The COSO framework is a guideline for establishing internal controls in an organization to fight fraud. The framework guides executive functions, financial activity, risk management, and ethics to ensure that a business operates transparently, legally, efficiently, and effectively.

Following the COSO framework is not compulsory. However, implementing the framework in your business model also helps you comply with mandatory regulations such as the federal Sarbanes-Oxley Act (SOX) and the Foreign Corrupt Practices Act (FCPA).

How Does the COSO Framework Apply to You?
If you run a business, you’ll want to prevent fraud for internal effectiveness and external assurance, especially to investors and financiers. In the initial drafts, the COSO framework focused on creating systems, checks, and controls that deter fraud and support detection by the management and auditors. The five principle organizations behind the framework also needed to solve rampant fraudulent financial reporting and protect investments. These organizations are:

  • Institute of Management Accountants (IMA)
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • The Institute of Internal Auditors (IIA)
  • Financial Executives International (FEI)

Over time, these organizations have revised the framework to cater to the complex IT environment. However, the general structure of the COSO framework focuses on bringing control to the internal environment.

What Are the Five Major Components of the COSO Framework?
The COSO framework focuses on five areas. Each component of the framework has 17 principles of internal control:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

Control Environment
The COSO framework proposes the creation of an internal environment that supports internal control in the organization. The design of a fraud-free climate begins with the top management and trickles down to the rest of the organization. Specific standards of conduct, ethics, and integrity should clearly be understood throughout the organization.

The board of management should also exercise independence from the daily management and act as the overall oversight body. However, the board should collaborate with the administration to create reporting lines, authority, and responsibilities to attain business objectives. To further foster an ethical environment and ensure organizational objectives are met, the board and management should commit to attracting, hiring, and retaining competent individuals.

Control Activities
Control activities are processes that mitigate risks. They can be preventative or detective and are present at all levels of the organization. Controls such verifications and authorizations are essential to control financial activity, ensure information security, and identify responsibility. Usually, the management defines control activities that help groups within an organization acceptably achieve objectives. Typical forms of control activities include the segregation of duties, which creates roles that employees can operate within. The COSO framework advocates that the management identifies the risks involved in a project and then finds solutions that prevent some risks or mitigate some.

Risk Assessment
Every decision an organization makes has internal and external risks that hinder the achievement of an objective. Risk affects multiple parts of the organization, including the probability of success, reputation, financial health, and service quality. Risk assessment is a vital component of each decision and project because it helps the organization identify, assess and prepare to handle risks based on current systems in place. COSO advocates for identifying and analyzing risks that may adversely affect the achievement of an objective and risks that may positively affect the objective.

To ensure a clear risk assessment, the organization should specify the objectives and outline the risk in each stage. It should then weigh mitigation and risk prevention measures in place to check if adjustments can be made.

Information and Communication
Information and communication are vital to ensure that the organization operates effectively and runs all internal controls. The management uses information from external and internal sources to achieve enterprise objectives. Internally, communication channels should ensure the generation, sharing, and circulation of relevant and quality information. The organization should also be in constant communication with external parties on matters affecting the organization.

Monitoring Activities
Continuously monitoring internal control is essential to verify what works, what doesn’t, and what could work better. Ongoing evaluations built into business processes are vital to check if current controls are functioning as required. Periodic evaluations are also great for monitoring the effectiveness of ongoing assessments. The management should evaluate the findings of any assessment against company policies and objectives. If any defects are identified, they should be communicated to the organization for remediation.

What Is Internal Control?
The five components of the COSO framework form the basis for internal control. They also create the framework for defining internal control through three objectives.

  • Operations Objectives
    These concerns activities that ensure the efficient and effective function of the operational processes.
  • Reporting Objectives
    These concern internal and external reporting of financial and non-financial activity.
  • Compliance Objectives
    These objectives are concerned with compliance and regulations.

What Are COSO Framework Coverage Areas?
The COSO Framework applies to various parts of the organization to ensure effective control and objective fulfillment. The coverage areas relate to the typical top-down hierarchy of the organization-entity level, division level, operation unit, and function.

The management can use the COSO controls to measure effectiveness and prevent fraud at any of the company’s operation levels. It’s important to remember that as you go higher on the organizational structure, the harder it becomes to relate to functional units. As such, it’s important to establish controls that support each level of the organization without incapacitating function.

How to Implement the COSO Framework
1. Read and Understand the Framework
Enterprises looking to implement the COSO framework should begin by reading and understanding the 17 principles of internal control.

2. Plan
A committee should be put in place to establish a plan that creates controls for the organization. The plan should include timing, resources, and scope.

3. Assess
As with all crucial business objectives, an assessment is essential to verify the time, resources, and implementation scope. The application of the framework varies per enterprise, which means that internal assessment determines the best way to move forward. A committee should be put in place to investigate the organization, identify current internal controls and measure their effectiveness. In this stage, the committee should gather information about the organization, structure, systems, and risks—the information from the assessment I then used to establish controls for the enterprise.

4. Remediate
The management and committee should propose solutions to remediate gaps identified during the assessment. It’s important to begin the process with the risk that poses the highest threats and work down the list.

5. Design, Test, and Report, and Optimize
The organization should design the solution in detail, test it, and report on its effectiveness. If the solution has gaps, it should be improved or replaced with an alternative. This process is repetitive and goes on continually until adequate controls are established and incorporated into company policy. Over time, you can perform ongoing evaluations to check if current controls are effective for the current environment.

ERMA helps you manage your business competitively by improving your business knowledge. Reach out for more solutions for your enterprise.

Written by Jordan MacAvoy
Author Bio: Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Before joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.