Guide to COSO Framework and Compliance

Fraud deterrence was the main impetus behind the formation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its 1992 framework for internal control: Internal Control—Integrated Framework.

Known as the COSO framework, this document provided not only provided the first common definition of “internal control,” but also a system that organizations could use to assess their own internal controls’ effectiveness.

COSO defines “internal control” as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Unpacking this definition reveals five concepts regarding internal controls.

• Establishing them is a process, not a destination.
• They help organizations to achieve objectives—operational, reporting, and compliance.
• People put them into effect.
• They can provide “reasonable assurance,” but not absolute assurance, to senior management and the board regarding:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.
• They can be adapted to the “entity” structure, applied entity-wide or to one or more subsidiaries, divisions, operating units, or business processes.

The COSO Framework: A Short History

Originally, the Committee of Sponsoring Organizations, or COSO, was organized in 1985 to sponsor the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

As its name implies, the NCFR formed to study why and how fraudulent financial reporting at organizations occurs, and to recommend ways to reduce it. The NCFR’s 1987 report focused on internal financial controls, shining a light for perhaps the first time on this important topic. It also pointed out that there was no standard definition of “internal control,” and began a project to create one. The COSO internal control framework, published in 1992, was the result.

Twenty years would pass before an update to the COSO framework. Increased business complexity, globalization, and the ascendant role of IT in business operations were among the factors inspiring the update, released in May 2013.

COSO’s Main Elements

COSO’s five key components of internal control (described in more detail in the next section), are:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Each component includes principles—17 principles in all—with supporting “points of focus” to help with designing, implementing, conducting, monitoring, and assessing internal control processes.

COSO has also published other documents to improve internal control management:

• Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples—to help users apply the framework to external financial reporting objectives
• Illustrative Tools—to help users assess the effectiveness of a system of internal control based on requirements listed in the updated framework

And the organization in 2004 issued a second framework: Enterprise Risk Management—Integrated Framework, updated in 2017.

COSO defines five risk management components, which are what an organization needs to achieve its objectives, each with corresponding principles:

1. Control environment

• Commitment to integrity and ethical values
• Independent board of directors’ oversight
• Structures, reporting lines, authorities, and responsibilities
• Attract, develop, and retain competent people
• People held accountable for internal control responsibilities

2. Risk assessment

• Clear objectives specified
• Risks identified to achievement of objectives
• Potential for fraud considered
• Significant changes identified and assessed

3. Control activities

• Clear objectives specified
• Risks identified to achievement of objectives
• Potential for fraud considered
• Significant changes identified and assessed

4. Information and communication

• Quality information obtained, generated, and used
• Internal control information internally communicated
• Internal information externally communicated

5. Monitoring activities

• Ongoing and/or separate evaluations conducted
• Internal control deficiencies evaluated and communicated

The five components make up one face of the “COSO cube,” a three-dimensional framework defining internal control from varying perspectives.

• Operations controls
• Reporting controls
• Compliance controls

These are described in greater detail in the next section.

The third face represents an organization’s structure: units, divisions or processes, each of which may or may not be affected by a particular internal control:

• Business unit activities
• Division and function controls
• Business entity-level controls

When it was published in 1992, the COSO internal control framework established for the first time a standard, common definition of effective “internal control.” This definition refers to three types of risk management “objectives,” which is what a business hopes to achieve:

Operations objectives:

Concerning the effectiveness and efficiency of entity operations including operational and financial performance goals and safeguarding assets against loss.

Reporting objectives:

Concerning internal and external reporting, financial and non-financial. These controls may encompass reliability, timeliness, transparency, or other concepts set forth by regulators or the organization’s policies.

Compliance objectives:

Concerning conformance to relevant laws and regulations.

These objectives, form one face of the three-sided COSO “cube,” a three-dimensional model illustrating internal control from various perspectives. The other two dimensions depict “components,” what the entity needs to achieve the objectives and the organizational structure.

Ten years after the publication of the original COSO framework, in 2002, Congress enacted the Sarbanes-Oxley Act (SOX), which requires that U.S. publicly listed companies report on the effectiveness of their internal controls over financial reporting (ICFR) using a suitable framework. Many companies use COSO’s Integrated Control—Integrated Framework as their guide to SOX compliance, and may use the document’s appendix, The Illustrative Tools for Assessing Effectiveness of a System of Internal Control, for templates and scenarios to use when applying the COSO framework.

One of the three sides of the “COSO cube,” a three-dimensional illustration of how the COSO internal control framework may be applied, lists the areas of an entity to which COSO might be applied to achieve operational, financial, and compliance objectives:

ENTITY LEVEL

DIVISION

OPERATING UNIT

FUNCTION

These four coverage area criteria correlate to the top-down structure of a typical organization. They establish that the COSO framework can be used to gauge the effectiveness of controls for an enterprise as a whole or at the division, operating unit, or function level—and that control activities should take place at all these levels.

The higher the level, the more abstract their relation to financial reporting activities. Entity-level controls often have an indirect relationship to financial statements, and so can be harder to quantify than more direct process-level controls. Entity-level controls also tend to vary according to an organization’s complexity and risk profile, and so must be evaluated qualitatively as opposed to qualitatively.

Effective internal controls are essential to enterprise risk management (ERM). ERM helps an organization manage risk at every level, from strategy-setting through review and revision, and uses internal controls to achieve four types of risk-management objectives:

• Strategic
• Operations
• Financial reporting
• Compliance

Recognizing the importance of ERM and internal control to successful enterprise governance and management, COSO has published an ERM framework as well as an internal control framework:

• COSO Internal Control—Integrated Framework (updated 2013)
• COSO Enterprise Risk Management—Integrating with Strategy and Performance (updated 2017)

COSO also provides guidance on using both frameworks in its 2014 paper,Improving Organizational Performance and Governance: How the COSO Frameworks Can Help.

The COSO ERM framework defines enterprise risk management as:

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

According to COSO, the COSO ERM framework is a strategic guide to meeting business objectives, while the COSO internal control framework is a tactical guide. Both frameworks can be used in tandem to help enterprises achieve their goals.

Although they differ in the key components they list, these are complementary and intended to be applied in tandem.

The internal control framework lists five key components of internal control:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

The ERM framework lists five core business activities essential to good risk management:

• Governance and culture, including the formulating of mission and vision statements, board oversight, and executive management functions
• Strategy and objective setting, in which executives and, possibly, the board, define organizational risk appetite and create a high-level plan for achieving organizational goals
• Performance, in which risks are identified, assessed, and prioritized, and responses to risk implemented
• Review and revision, which involves assessing performance and striving for continual improvement
• Information, communication, and reporting, including the use of information technology

Components in the internal control framework correspond to those listed in the ERM framework. ERM and internal control go hand-in-hand; indeed, internal control is essential to ERM. One supports the other: having strong internal controls enables managers to focus on operations and business objectives, knowing that the organization has a robust risk management program and is in compliance with applicable laws, regulations, and standards.

Implementation of the COSO internal control framework requires assessing its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles against the organization’s current internal control system, and making adjustments accordingly.

Failing to enforce the COSO framework principles can result in violations of the federal Sarbanes-Oxley Act’s (SOX) requirements. Auditors evaluating an organization’s internal control over financial reporting (ICFR) will judge against this standard: When even one of the 17 principles doesn’t function properly, a “major deficiency” is deemed to exist—a “material weakness” under SOX Section 404.

The 17 principles of internal control can serve as a handy checklist for enterprises to use to evaluate and strengthen their internal control system—but first, there is groundwork to be laid. To successfully apply COSO’s internal control or enterprise risk management (ERM) framework requires a methodical, step-by-step approach. To help, we’re providing this roadmap that includes implementation challenges and leading practices.

Implementing the COSO Framework in Five Phases

PHASE 1: PLAN AND SCOPE

Appoint an implementation team. Here’s how it works: The board delegates implementation authority to a committee such as an audit and compliance committee. Managers assign oversight to a management function in the organization such as internal control or ERM. The team may include accounting managers and staff as well as people with a thorough knowledge of how work gets done in the organization.

Develop an implementation plan that includes timing, resources needed, and roles and responsibilities of implementation team members. Determine the scope of the framework’s implementation: Which activities will it measure, and over what period of time?

The implementation team at this point will also evaluate the five components of the COSO internal control framework to understand how the enterprise’s internal control system is designed, and how well it functions.

In this phase, the implementation team should also meet with the external auditors who will be assessing the organization’s COSO compliance. They’ll need to learn what their roles will be, avoid redundancies, and communicate the plan to the board and managers.

PHASE 2: ASSESS AND DOCUMENT

In this phase, the implementation team assesses the organization’s control structure. Are its systems centralized or decentralized? How are entity-level controls structured? Is there a formal ERM process, with documented risk management activities? If so, the documents should be helpful in analyzing where the organization meets COSO framework guidelines and where it falls short. If there is no coordinated approach to ERM, COSO implementation may require more time and effort.

Other activities during this phase include:

• Assessing fraud risk. The COSO internal control framework emphasizes the importance of considering the potential for fraud when assessing the risks to achieving objectives.
• Documenting existing processes and controls. Once managers have identified which processes are relevant to the framework’s control activities, the implementation team can study and document each of them. Doing so allows them to identify which internal controls apply to each process, and where gaps exist. This step may involve interviews with key personnel.
• Performing gap assessments. This entails comparing the COSO internal control framework’s components and principles to practices in the organization. COSO’s publication Illustrative Tools for Assessing Effectiveness of a System of Internal Control can be helpful.

PHASE 3: REMEDIATE

Now that gap assessments are drawn up, it’s time to remediate those gaps.

• Make a remediation plan. Prioritize the control deficiencies that pose the most serious vulnerabilities, and move down the list to the least serious. Include milestones and a schedule for completion.
• Implement your remediation plan

PHASE 4: DESIGN, TEST, AND REPORT

• Classify controls as critical or non-critical
• Design procedures for testing each critical control. Each test should take into consideration the risk to be mitigated and the control description—both are equally important to determining a control’s effectiveness. Choose a method of testing for each control. Common methods include:
  • Inquiring: Asking control owners to explain how their controls work
  • Observing: Observing the control in action
  • Examining: Studying all the transactions and documentation associated with a control’s functioning
  • Analyzing: Using data analytics tools to gain insights into controls’ design and operations
• Test controls, reporting to management on progress and obstacles.

PHASE 5: OPTIMIZE INTERNAL CONTROLS’ EFFECTIVENESS

How do identified risks and controls mesh with your enterprise’s goals, plans, and strategies? The COSO internal control framework can help you align or realign goals and controls. When developing or redesigning controls, consider:

• Control activities such as reconciliation, verification, supervisory and physical controls
• Whether controls are preventive, detective, i.e. occurring after a process has begun but before it has concluded, or corrective
• Whether controls are automated, partially automated (automation enabled or assisted by people) or manual

Once controls are in place, monitoring is key to ensuring that they remain effective. Continuous monitoring with software is preferable to manual monitoring. Should a control fail, study the incident carefully to determine its cause for the most effective remediation.

Developed by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, comprising five private-sector organizations, the COSO Internal Control—Integrated Framework focuses primarily on an enterprise’s system of internal control and processes for financial reporting, with fraud prevention in mind.

COBIT, or Control Objectives for Information and Related Technologies, is supported by ISACA, an international professional organization focused on IT governance. The COBIT framework helps with the quality, control, and reliability of an organization’s information systems, and facilitates best practices in risk management as associated with IT processes.

Both frameworks list three objectives and five components needed to achieve those objectives in their respective areas (financial controls and IT controls).

The COSO internal control framework’s objectives:

• Operations
• Financial reporting
• Compliance

Its components:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

COBIT 5’s main objectives:

• Benefits realization
• Risk optimization
• Resource optimization

Its “five principles”:

• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating corporate governance from management

In other words, COSO governs internal control, which it defines as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

COBIT 5 enables the governing and management of IT holistically, throughout the enterprise. It encompasses the full, end-to-end business and IT functional areas of responsibility and considers the IT-related interests of internal and external stakeholders.

Although differing in their focus, the two frameworks are complementary can be applied in tandem. In fact, doing so is recommended to maximize risk management and controls throughout the organization.

Both frameworks can be effective for achieving compliance with the Sarbanes-Oxley Act (SOX), a federal law intended to prevent accounting errors and fraud in public companies.

For most entities, the COSO framework and SOX compliance go hand-in-hand. Because COSO focuses on financial controls and fraud prevention, it dovetails nicely with SOX, and COSO framework compliance pretty much guarantees SOX compliance.

Enacted in 2002, SOX does not spell out compliance requirements for IT, however, so many enterprises use COBIT to help ensure that their IT systems and processes comply with the law’s requirements.

The two complement each other in another way, as well: COSO is more theoretical, establishing the guiding principles for organizations to use for building risk tolerance and reducing fraud, while COBIT 5 is more practical, offering concrete suggestions for how to build controls related to IT.

Because COSO’s Internal Control—Integrated Framework is a framework, not a regulation or requirement, a COSO audit, by definition, doesn’t exist.

However, the COSO framework is very useful for achieving compliance with the Sarbanes-Oxley Act (SOX), which federal law requires for all publicly traded companies. The U.S. Securities and Exchange Commission watches financial reporting closely and, since SOX’s passage in 2002, demands that those reports be transparent, accurate, and verified by an independent auditor. Noncompliance could cost your organization tens of millions in fines, and send your CFO to prison for 20 years.

SOX is extremely complex. Each of its 11 sections delivers a different mandate, covering oversight, auditor independence, corporate responsibility, financial statements, annual reports, and more. The regulation is intended to secure public companies and their stakeholders and customers against financial fraud, which is one reason why most organizations audit their SOX compliance using the COSO framework.

COSO was designed to help manage financial risk and improve internal control. In fact, the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was originally named the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

The Treadway Commission devised Internal Control—Integrated Framework to help businesses comply with SOX Section 404: Management Assessment of Internal Controls, the regulation’s most complex, demanding, and expensive section. Essentially, COSO helps entities strengthen their system of internal control to protect their data, especially financial information, from tampering.

Another result of SOX was the formation of the Public Company Accounting Oversight Board (PCAOB), an independent agency that regulates external audit firms and establishes auditing standards for external auditors—including Auditing Standard No. 5, or AS5, used by auditors to gauge compliance with various SOX sections including

• Section 404, rules for assessing internal controls
• Section 302, establishing management’s responsibility for financial reports
• Section 401, rules for enhanced financial reporting disclosures
• Section 409 , requiring the immediate disclosure of significant changes in financial conditions and operations
• Section 802, setting penalties for altering documents
• Section 806, rules regarding whistleblowers

The best way to ensure that your enterprise is audit-ready for SOX is to use COSO to establish a strong internal control framework.

The independent external auditor you will hire to audit your SOX compliance will almost certainly be using COSO standards to measure your controls. Reciprocity’s “Preparing for a SOX Audit Using COSO” audit checklist walks you through the questions you need to ask to prepare for this audit.

To prepare for the audit, follow these four steps, using as a guide COSO’s five components and 17 principles for achieving financial reporting objectives.

1. Prepare a framework

• Control environment
  • Commitment to integrity and ethical values
  • Independent board of directors’ oversight
  • Structures, reporting lines, authorities, and responsibilities
  • Attract, develop, and retain competent people
  • People held accountable for internal control
• Risk assessment
  • Clear objectives specified
  • Risks identified to achievement of objectives
  • Potential for fraud considered
  • Significant changes identified and assessed

2. Identify your internal controls

• Control activities
  • Control activities selected and developed
  • Controls developed through policies and procedures
  • General IT controls selected and developed
• Information and communication
  • Quality information obtained, generated, and used
  • Internal control information internally communicated
  • Internal information externally communicated

3. Test your controls

• Monitoring activities
  • – Ongoing and/or separate evaluations conducted
  • – Internal control deficiencies evaluated and communicated

4. Get help if you need it

Modern challenges require modern solutions—including software that can automate many of these processes, greatly simplifying the task of SOX compliance using a framework such as COSO’s.

Created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO internal control framework may seem simple to use—at first. After all, there are only five components—control environment, risk assessment, control principles, information and communication, and monitoring activities—and 17 principles.

But the framework’s high-level mandates require a long list of action items and processes—not easy to implement manually, and downright difficult if you’re using spreadsheets for your compliance program.

Automation is the answer. Today’s technologies take much of the guesswork and grunt work out of compliance with regulations, standards, and frameworks. Whether your organization is struggling to manage cyber risks and achieve cybersecurity goals, improve performance management, meet business objectives, or comply with mandates, software solutions can simplify these tasks and streamline your compliance efforts.

When choosing a solution, look for:

• Fast, effortless deployment
• User-friendly design
• In-a-click internal audits
• Integrated, multi-framework dashboard
• Easy evidence collection
• Automatic framework updates

Reciprocity’s governance, risk, and compliance software-as-a-service, ZenGRC, offers all these features and more.

Used by the world’s leading companies, ZenGRC is a cloud-based solution with fast, easy deployment, unified controls management, and a centralized dashboard for simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. Contact a Reciprocity expert today to request your free demo, and embark on the worry-free path to regulatory compliance—the Zen way.