Published in 1992, the Committee of Sponsoring Organizations of the Treadway Commission, known as “COSO,” published a set of regulations regarding internal controls within the financial operations and reporting functions of businesses. Named the COSO Internal Control-Integrated Framework – the “COSO Framework” for short — these guidelines were designed to help prevent fraud, reduce financial risk, and improve transparency in the financial reporting process.
Developing the COSO Framework was a joint effort; the American Institute of Certified Public Accountants (AIPCA), Institute of Management Accountants (IMA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI) worked together to write and publish the COSO Framework. After cases of fraud in the 1970s and 1980s, these organizations worked with the US government to establish the framework. After the Enron scandal and similar instances in the early 2000s, the COSO Framework became even more vital to business operations.
When it was first published in the 90s, the COSO Framework consisted of 5 pillars and 17 principles that helped companies establish and implement effective internal controls. By connecting the strategy piece of internal controls to actionable steps, accounting experts paved a path for more transparent, secure external reporting, protecting businesses, consumers, and investors alike.
In 2013, the COSO Framework was updated with the COSO cube. This diagram helps break down exactly how all the priorities of internal controls should work together. Then, in 2017, the COSO Enterprise Risk Management Framework was published in an effort to better illustrate the connection between business performance and financial risk.
Broken into five parts, the COSO Framework gives businesses an idea of how to focus their efforts in order to conduct quality internal control:
Meant to highlight an organization’s collective mentality surrounding internal controls, leaders that establish a “Control Environment” reinforce the necessity of internal controls and solidify their standing as key business priorities. Things like mission statements, documented policies, and stringent internal audit practices can be extremely helpful in establishing a Control Environment. When a Control Environment is successful, it’s clear that the company upholds integrity and ethical practices, is well-equipped to manage risks, and hires talent that will continue to maintain the Control Environment.
This pillar focuses on regular risk assessments within a company’s internal control system. Are the internal controls still being conducted properly? Is risk being absorbed effectively? No business transactions are without risk, but with robust audits of the internal control practices within a business, both the frequency and impact of risk can be reduced. When internal auditors or consultants identify risks, organizations should track and monitor the risks, understand the impact of the risks, and develop a plan to mitigate the risks.
After clearly defining risk-related objectives and establishing a robust Control Environment, organizations must consider the detailed actions that are happening behind the scenes to support the internal control system. Control activities that help mitigate risk and support strategic goals through a wide range of processes. A control activity might look like restricting access to certain systems or financial data. It can also look like having a careful segregation of duties when it comes to financial transactions.
Even the best plans to mitigate risk will be ineffective if the entire organization isn’t well-versed on the top objectives and their role in said objectives. The COSO Framework mandates that companies consistently distribute necessary information to all key personnel. Organizations must use data to inform internal control decisions, they must communicate all decisions internally, and in some instances, external communication may be required as well.
This pillar involves continuous monitoring of internal control activities, testing their effectiveness, and remediating any gaps in the strategic approach to risk. Companies should be reporting on the internal control system used to verify that it’s reliable and operating as expected. If deficiencies are found, those shortcomings should be reported to leadership and addressed.
Although the Sarbanes Oxley Act became law long after the COSO Framework was first published, businesses that are required to abide by SOX regulations must also utilize the COSO Framework. Today, SOX mandates internal controls, and it uses the framework to help detail the key internal controls activities. Because of the legal and ethical implications of risk exposure, public companies and accounting and financial firms monitor internal controls with vigor.
The COSO Framework is a fantastic tool for businesses that aren’t sure where to start with their risk management efforts. Not only does it provide a high-level overview of potential risk in business, but it contains actionable, tangible practices for businesses to bolster their internal control systems. It also ensures a uniform alignment across industries to improve business outcomes, protect the economic health of the country, and insulate individuals from any fallout associated with bad business practices.
On the other side of the equation, critics of the framework note that it may not be easy to implement in all organizational structures. If certain activities fall into multiple categories of the COSO Framework, identifying the right owner of the activities can be a challenge. Finally, some leaders say that the framework isn’t specific enough; they note that broad-based guidance can actually cause confusion within their organizations.
Summary
References:
Batch invoice processing is the method of handling multiple invoices together in a group or “batch” rather than processing each invoice individually. …
In finance, regression is a statistical method used to analyze the relationships between different financial variables. It helps financial analysts and investors …
The “bottom line” is a company’s net income or profit, which is found at the bottom of its income statement. It represents …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
