Mature your use of the COSO Framework

A brief history of the COSO Framework

The creation of the COSO Commission (Committee of Sponsoring Organizations of the Treadway Commission) was a direct response to a series of accounting scandals that impacted the financial world in the 1970s and 1980s. The scandals exposed weaknesses in companies’ internal controls and highlighted the need for more robust safeguards to ensure the accuracy and integrity of financial reporting. COSO published the original model in 1992 and updated the framework in 2013 after another series of accounting frauds in the early 2000s. The 2013 update ensured that the COSO Framework remained relevant for organizations of all types to design, implement, and assess their internal controls in a more dynamic business environment. In its current version, the COSO Framework fits the needs of a wider range of organizations, regardless of size, industry, or location, focuses on all control types, not only financial reporting, and is easier to understand, with more specific guidance on implementing the principles.

Understanding the COSO Framework

The COSO Framework consists of five interconnected components that address critical aspects of internal control, with 17 principles supporting the components. These include:

Control environment: The control environment encompasses an organization's full governance, with a focus on the tone at the top, leadership’s commitment, ethical values, and the overall culture of control within the organization.

Risk assessment: Risk assessment emphasizes the importance of identifying and understanding the potential risks that could impact your organization’s objectives, including emerging risks.

Control activities: Control Activities include the specific policies and procedures implemented to mitigate the identified risks. Management designs controls to mitigate the risks identified in the risk assessment through a mix of preventive, detective, and corrective procedures.

Information and communication: Communication must flow across all levels of the organization to ensure everyone understands their roles and responsibilities in operating effective internal controls.

Monitoring: The framework stresses the importance of ongoing monitoring to assess the effectiveness of internal controls and adjust as needed. Monitoring includes activities performed by management, assurance teams, and an internal audit team positioned to remain free from influence by the organization’s leadership.

The 17 principles supporting these components explain how an organization can accomplish the five components. The principles do not dictate mandatory procedures and should not be mistaken for prescriptive controls. Rather, these act as a guide to management when designing their controls.

Benefits of the COSO Framework

While the organization is responsible for designing and implementing controls, following the guidance in the COSO Framework leads to stronger results. Using the COSO Framework as a guide helps organizations establish controls to ensure the accuracy and reliability of financial reporting, meet compliance requirements, and address operational risks. COSO helps organizations avoid costly mistakes and disruptions by identifying and addressing potential risks and promoting a controlled environment that fosters good decision-making by ensuring relevant information is available to management.

Connection to the COSO ERM Framework

COSO introduced the Enterprise Risk Management (ERM) Framework in 2017. The COSO ERM Framework helps organizations understand and prioritize risks and creates a strong connection between strategic objectives, risks, controls, and business outcomes. The two COSO Frameworks are closely linked and work together to improve an organization’s overall risk management and control environment.

The COSO ERM Framework helps identify and assess all the potential risks an organization faces. Management can then design targeted internal controls to mitigate those risks. The COSO Internal Control Framework then provides the foundation for establishing strong internal controls within an organization to mitigate the risks identified under the ERM framework. The two COSO Frameworks are intended to be used together. The ERM process identifies risks, and the Internal Control Framework provides a guide for designing and implementing controls to address those risks. This integrated approach ensures that internal controls are aligned with the organization’s overall risk management strategy.

Both frameworks emphasize the importance of a strong control environment, which includes factors like leadership commitment, ethical values, and a culture of accountability. This fosters better governance and helps ensure the organization’s objectives are achieved. The ERM Framework provides the big picture of risk management, while the Internal Control Framework offers a detailed roadmap for building and maintaining effective internal controls. Using these together, management can create a robust system for managing risks and safeguarding the organization.

COSO controls mapping

Many organizations map their internal controls, especially SOX (Sarbanes-Oxley Act) controls, to the COSO Framework. COSO controls mapping aligns your organization’s existing controls with the principles and components outlined in the COSO Framework, ensuring your company establishes a comprehensive and effective control environment to address potential risks.

COSO controls mapping helps identify weaknesses or gaps in your current control environment. Through mapping, you may find control coverage gaps or areas of weak coverage. A well-documented COSO controls mapping exercise demonstrates to external auditors or other stakeholders that your organization has a robust internal control system.

Start your COSO controls mapping by gathering information about your existing controls and reviewing policies and procedures, interviewing personnel, and documenting control activities. Match your identified controls to the relevant COSO components (control environment, risk assessment, control activities, information and communication, monitoring) and principles within those components. The mapping process will likely reveal areas where controls are weak or missing, so develop a plan to address these gaps by implementing new controls, strengthening existing ones, or revising risk assessments.

Conclusion

Whether you are new to the COSO Framework or considering ways to strengthen your internal control environment, the resources developed by COSO provide room to grow and mature. You might start by mapping your controls to the five components, then expand by mapping to the 17 principles, and eventually set a maturity goal of linking your internal controls into the broader ERM Framework. Technology will be essential to your success wherever you are in your COSO Framework journey. Look for technology that facilitates the COSO controls mapping exercise and allows multiple controls to map to each principle. The control testing results can then inform your evaluation of the effectiveness of coverage for each principle.