COSO – Takeaway for Banking and other financial institutions
Because the COSO framework is widely used to support management's assertion on the effectiveness of internal control over financial reporting, and because meeting its elevated expectations may require significant effort, entities are strongly encouraged to begin applying it without delay.
From our last articles on this subject, we have been able to establish that the COSO framework presumes that the 17 principles are fundamental concepts of the original five components. All 17 are relevant to all entities and need to be present, functioning, and operating together in an integrated manner for an organization to have an effective system of internal control.
The following should be of interest to finance and risk executives in banking and other financial institutions charged with guiding their organizations through this new internal control landscape:
1. Application of the 2013 COSO framework
The COSO framework has three distinct but overlapping categories of objectives – operations, reporting, and compliance – and reiterates the opportunity to extend the framework beyond its traditional use for external financial reporting to operations and compliance. Because of the scrutiny of regulators and other third parties, there is an intensified need for reporting to be the end product of a well-controlled process, one in which the effectiveness of controls is periodically assessed. To that end, organizations are encouraged to apply the principles of the COSO framework to the design of quality assurance review functions over other areas, including operational and regulatory reporting.
2. Consideration of existing enterprise-wide controls programs
The COSO framework reemphasizes the control environment as the basis for carrying out internal control responsibilities across the organization. The framework also stresses the role of the board and senior management in setting the tone regarding the importance of internal control and expectations concerning standards of conduct (principles 1-5).
Banks and other financial institutions generally already have governance programs, processes, and monitoring activities in place that may help them comply with the 2013 COSO framework.
3. Dynamic risk assessment process
The COSO framework calls for companies to have a dynamic risk assessment program (principles 6-9) that considers significant changes in business operations and adapts to internal, external, and emerging risks.
To achieve such a dynamic risk assessment process, input from business units and appropriate levels of management should be formally captured as part of the risk assessment and scoping process, including the initial and continuous assessment of:
- Fraud risk;
- Complex non-routine processes;
- Processes requiring the “hand-off” of data between departments;
- Manual processes or those dependent on end-user computing tools;
- Potential changes in the internal control environment;
- Emerging risks and issues at peer organizations and in the industry.
Further, the risk assessment should be updated periodically to capture changes, both internal and external to the company, that may affect the qualitative assessment of risks and, in turn, the selection of in-scope entities and controls to be assessed as part of the evaluation process, including general information technology controls (principles 10-12).