Finance glossary

What is the COSO framework?

Bristol James

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission, known as “COSO,” published a set of guidance on internal controls within the financial operations and reporting functions of businesses. Named the COSO Internal Control-Integrated Framework (the “COSO Framework” for short), these guidelines were designed to help prevent fraud, reduce financial risk, and improve transparency in the financial reporting process.

Developing the COSO Framework was a joint effort: the American Institute of Certified Public Accountants (AICPA), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI) worked together to write and publish it. After cases of fraud in the 1970s and 1980s, these organizations worked with the US government to establish the framework. After the Enron scandal and similar instances in the early 2000s, the COSO Framework became even more vital to business operations.

Evolution of the COSO Framework

When it was first published in the 90s, the COSO Framework consisted of 5 pillars and 17 principles that helped companies establish and implement effective internal controls. By connecting the strategy piece of internal controls to actionable steps, accounting experts paved a path for more transparent, secure external reporting, protecting businesses, consumers, and investors alike.

In 2013, the COSO Framework was updated with the COSO cube. This diagram helps break down exactly how all the priorities of internal controls should work together. Then, in 2017, the COSO Enterprise Risk Management Framework was published in an effort to better illustrate the connection between business performance and financial risk.

COSO Cube (Source: Deloitte)

Five Pillars of the COSO Framework

Broken into five parts, the COSO Framework gives businesses an idea of how to focus their efforts in order to conduct quality internal control:

Control Environment

The Control Environment reflects an organization’s collective mentality surrounding internal controls. Leaders who establish a strong Control Environment reinforce the necessity of internal controls and solidify their standing as key business priorities. Mission statements, documented policies, and stringent internal audit practices can be extremely helpful in establishing a Control Environment. When a Control Environment is successful, it is clear that the company upholds integrity and ethical practices, is well-equipped to manage risks, and hires talent that will continue to maintain the Control Environment.

Risk Assessment and Management

This pillar focuses on regular risk assessments within a company’s internal control system. Are the internal controls still being conducted properly? Is risk being absorbed effectively? No business transactions are without risk, but with robust audits of the internal control practices within a business, both the frequency and impact of risk can be reduced. When internal auditors or consultants identify risks, organizations should track and monitor the risks, understand the impact of the risks, and develop a plan to mitigate the risks.

Control Activities

After clearly defining risk-related objectives and establishing a robust Control Environment, organizations must consider the detailed actions happening behind the scenes to support the internal control system. Control activities help mitigate risk and support strategic goals through a wide range of processes. A control activity might look like restricting access to certain systems or financial data. It can also look like careful segregation of duties when it comes to financial transactions.

Information and Communication

Even the best plans to mitigate risk will be ineffective if the entire organization isn’t well-versed in the top objectives and its role in meeting them. The COSO Framework mandates that companies consistently distribute necessary information to all key personnel. Organizations must use data to inform internal control decisions and must communicate all decisions internally; in some instances, external communication may be required as well.

Monitoring

This pillar involves continuous monitoring of internal control activities, testing their effectiveness, and remediating any gaps in the strategic approach to risk. Companies should report on their internal control system to verify that it is reliable and operating as expected. If deficiencies are found, those shortcomings should be reported to leadership and addressed.

What Does COSO Look Like in Action?

Although the Sarbanes-Oxley Act became law long after the COSO Framework was first published, businesses that are required to abide by SOX regulations must also utilize the COSO Framework. Today, SOX mandates internal controls, and it uses the framework to help detail the key internal control activities. Because of the legal and ethical implications of risk exposure, public companies and accounting and financial firms monitor internal controls with vigor.

Understanding the Impact of the COSO Framework

The COSO Framework is a fantastic tool for businesses that aren’t sure where to start with their risk management efforts. Not only does it provide a high-level overview of potential risk in business, but it contains actionable, tangible practices for businesses to bolster their internal control systems. It also ensures a uniform alignment across industries to improve business outcomes, protect the economic health of the country, and insulate individuals from any fallout associated with bad business practices.

On the other side of the equation, critics of the framework note that it may not be easy to implement in all organizational structures. If certain activities fall into multiple categories of the COSO Framework, identifying the right owner of the activities can be a challenge. Finally, some leaders say that the framework isn’t specific enough; they note that broad-based guidance can actually cause confusion within their organizations.

Summary

  • The COSO Framework was developed in response to corporate fraud and the fallout of poor financial operations and reporting mechanisms. It was written to provide clear guidance on mitigating business risk, reducing fraud, and protecting economic health.
  • With five key pillars, this framework helps simplify the priorities for internal control systems. These pillars are control environment, risk assessment and management, control activities, information and communication, and monitoring.
  • The COSO Framework helps businesses navigate the changing landscape of business risk and creates a uniform approach to addressing these risks, but some see it as too broad to be effective and difficult to implement in certain organizational structures.
