COSO - An Approach to Internal Control Framework

The COSO Framework was designed to help businesses establish, assess and enhance their internal control

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

In my last article, I made mention of the Committee of Sponsoring Organization (COSO) which published the “Internal Control Integrated Framework” which is the internal control framework widely adopted the United States of America.

A commission led by James C. Treadway, Jr., the then Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission was set up. This commission was sponsored and funded by five United States private sector organizations made up of the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). These organizations are collectively called the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The Committee of Sponsoring Organizations were charged by the Treadway Commission to develop an integrated guidance on Internal Control. As a result of this, a framework for designing, implementing and evaluating internal control for organizations was released.

The COSO Framework was designed to help businesses establish, assess and enhance their internal control. The importance of Internal Control in the Operations and Financial Reporting of an entity cannot be over-emphasized as the existence or the absence of the process determines the quality of output produced in the Financial Statements. A present and functioning Internal Control process provides the users with a “reasonable assurance” that the amounts presented in the Financial Statements are accurate and can be relied upon for informed decision making.

COSO Internal Control Framework

Internal Control over Financial Reporting therefore are the controls specifically designed to address the risks of intentional or unintentional misstatements in the financial statements.

The COSO Integrated Framework for Internal Control has five (5) components which include:

1.    Control Environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of inter­nal control including expected standards of conduct. Management reinforces expecta­tions at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational struc­ture and assignment of authority and responsibility; the process for attracting, develop­ing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

2.    Risk Assessment: Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objec­tives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to opera­tions, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of pos­sible changes in the external environment and within its own business model that may render internal control ineffective.

3.    Control Activities: Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and busi­ness performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, manage­ment selects and develops alternative control activities.

Did you find this useful?