The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework goes back to the year 1992. The industry was looking for an internal control framework, and the COSO Internal Control Framework was the answer. There are three COSO compliance disciplines, five internal control components, and 17 principles focused on internal controls.
The COSO Framework cube is a visual representation of how all the components work together and relate to each other. The COSO model defines internal controls as processes that are influenced by an organization’s employees, management, and board of directors. The ultimate goal of the COSO Framework is to provide assurance that objectives have been achieved in the critical areas of operations, reporting, and compliance.
The COSO framework objectives are divided into three distinct disciplines: operations, reporting, and compliance. The goal behind internal control systems is to achieve an organization’s overall business objectives and strategy. Key to supporting this strategy are the five components of the COSO cube: with each component supported by principles. These five components are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities, which will all be described in detail.
The control environment is a set of standards and processes that provide the basic components for implementing internal controls for an organization. The board of directors as well as management choose what internal controls are most important to the organization. A proper control environment outlines the ethical values of an organization and sets the tone for governance. The control environment is essential for the overall impact of system controls.
- (COSO Principle 1) Integrity and Ethical Values: Set the ethical tone of the board and organization.
- (COSO Principle 2) Oversight: Determine the board’s independence, governance, oversight, and responsibilities.
- (COSO Principle 3) Organizational structure: Outline the overall board authority.
- (COSO Principle 4) Commitment to competence: Make sure that employees of the organization are trained, retained, and competent in their job roles.
- (COSO Principle 5) Accountability: Reinforce accountability to individuals for their internal control responsibilities in the pursuit of objectives and to maximize performance.
Does your organization have internal controls that are effective? Many organizations leveraging the COSO framework conduct risk assessments to determine if there is any existing risk and what is an acceptable level of risk to the organization.
- (COSO Principle 6) Specifies suitable objectives: Set objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- Operational objectives: Outline the financial reporting requirements, both internal and external.
- Reporting objectives: Determine what needs to be reported on and make sure the process is sustainable.
- Compliance objectives: Organizations should follow COSO compliance objectives first and also take into account the variety of other regulatory bodies and mandates before starting the risk assessment.
- (COSO Principle 7) Identifies and analyzes risk: Focus on risks across the entity that enable achievement of objectives and analyze risks as a basis for determining how the risks should be managed.
- (COSO Principle 8) Assesses fraud risk: Conduct a fraud risk assessment to determine how fraud can occur. Look at all people, processes, and technology to determine how they might undermine security controls to commit fraud.
- (COSO Principle 9) Identifies and analyzes significant change: Assess internal and external change in an organization that might affect risk.
Establish and enforce risk mitigation by an organization’s management structure. The activities can be a detective or preventive and should be automated when possible. A primary example of control activities is separation of duties, i.e., keeping the role of accounts payable and accounts receivables separate.
- (COSO Principle 10) Selection and development of control activities: Select and develop control activities that primarily focus on mitigating risk.
- (COSO Principle 11) Selection and development of general controls over technology: Select and develop general control activities over technology to support the achievement of objectives.
- (COSO Principle 12) Deploy control activities through policies and procedures: Deploy control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
Information is critical to support the proper function of internal controls. Communication promotes the gathering, sharing, and organization of information to better support internal and external controls. In order to effectively execute on the requirements laid out by the board and management, communication needs to be clear.
- (COSO Principle 13) Uses relevant information: Internal controls are only supported with quality information that is relevant and factual.
- (COSO Principle 14) Communicates internally: The board and management properly message internal objectives and roles to support internal controls.
- (COSO Principle 15) Communicates externally: Proper information is communicated to external parties about internal control status and other matters that affect the functioning of internal control.
What you can’t monitor you can’t manage. Monitoring is essential to make sure internal controls are doing what they were created to do.
- (COSO Principle 16) Conduct ongoing evaluations: Perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- (COSO Principle 17) Evaluate and communicate deficiencies: When a deficiency in a control is found, it is imperative that timely messaging takes place to implement corrective action. The board, management, and control owners should be some of the first notified.
Implementing the Framework
Now that we better understand the COSO control and compliance objectives, what goes into implementing the framework? Framework implementation can be broken out into five phases:
- Phase 1: Planning and Scoping
- Phase 2: Assessment and Documentation
- Phase 3: Remediation planning and Implementation
- Phase 4: Design, testing, and reporting controls
- Phase 5: Optimization of the effectiveness of internal controls
Phase 1: Planning and Scoping
Prior to any implementation, make sure that all stakeholders are on the same page. Often, implementation requires outside assistance to make them work as internal employees already have roles assigned or “a day job.” The old adage of measure twice and cut once is appropriate for how to apply the 17 COSO principles in an organization.
The board and management of an organization needs to properly scope the application of the COSO framework and understand in depth the five components and all the sub-components of the framework.
Phase 2: Assessment and Documentation
Most organizations already have a set of controls in place. They may not be the controls recommended in the COSO framework, but they still need to be examined and considered before embarking on the COSO journey. Also, realize that the organizational industry can impact the assessment and documentation phase. Some industries are highly regulated which will slow down the overall process of implementing internal controls.
Phase 2 is also a great time to conduct the fraud risk assessment we mentioned above. Remember, understanding how someone is going to try and circumvent your internal controls is critical. Documentation can be tedious, but it is important at all phases of a COSO framework implementation.
Phase 3: Remediation planning and Implementation
Once your organization has identified all of its gaps, the real fun can begin. Remediation is the first step in implementation as it addresses the critical few versus the trivial many. Phase 3 remediation will set the organization up for success when it comes to implementing the COSO framework. Compensating for gaps takes time and it may take extra effort from already taxed implementation teams.
Phase 4: Design, testing, and reporting controls
How do you know if your hard-earned controls are actually working? Test them. Many COSO framework implementations come to a screeching halt during phase 4 as they make a critical error — they try to test everything.
Do your organization a favor and test a handful from each control group. Also, make sure that the testing is organized and follows a specific design. Testing is only valid when it is repeatable.
Phase 5: Optimization of effectiveness of internal controls
In order for phase 5 of a COSO framework implementation to be successful, time must be spent on automation. Sure, manual optimization of controls can get the job done, but it requires more resources than most organizations have or becomes cost inhibitive. Implemented doesn’t mean done. It means ready to move to the next phase of the control life cycle. Make sure that monitoring is integrated and actually being looked at by a team in the organization. When a control failure surfaces, don’t fret— it means you get another chance to get it right.