12/5/2016 Committee of Sponsoring Organizations of the Treadway Commission - Wikipedia
Committee of Sponsoring Organizations of the Treadway Commission
From Wikipedia, the free encyclopedia
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to
combat corporate fraud. It was established in the United States by five private sector organizations, dedicated to
guiding executive management and governance entities on relevant aspects of organizational governance, business
ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a
common internal control model against which companies and organizations may assess their control systems.
COSO is supported by five supporting organizations, including the Institute of Management Accountants (IMA),
the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA),
the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
Contents
- 1 Organizational overview
- 2 History
- 3 Internal Control — Integrated Framework
  - 3.1 Key concepts of the COSO framework
  - 3.2 Definition of internal control and framework objectives
  - 3.3 Five framework components
  - 3.4 Limitations
- 4 Enterprise Risk Management — Integrated Framework
  - 4.1 Four categories of business objectives
  - 4.2 Eight framework components
  - 4.3 Limitations
- 5 Internal Control over Financial Reporting — Guidance for Smaller Public Companies
- 6 Guidance on Monitoring Internal Control Systems
- 7 Role of internal audit
- 8 Role of external audit
- 9 Internal Control — Integrated Framework update project
- 10 See also
- 11 References
- 12 External links
Organizational overview
COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway
Commission). The Treadway Commission was originally jointly sponsored and funded by five main professional
accounting associations and institutes headquartered in the United States: the American Institute of Certified
Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI),
Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). The Treadway
Commission recommended that the organizations sponsoring the Commission work together to develop integrated
guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring
Organizations of the Treadway Commission.
The original chairman of the Treadway Commission was James C. Treadway, Jr., Executive Vice President and
General Counsel, Paine Webber and a former Commissioner of the U.S. Securities and Exchange Commission.
Hence, the popular name "Treadway Commission". Robert B. Hirth, Jr. (http://www.coso.org/documents/COSO%20Chairman%20June%202013%20Release%20Final.pdf) became the newest Chairman of COSO's board (http://www.coso.org/board.htm) on June 1, 2013.
History
Due to questionable corporate political campaign finance practices and foreign corrupt practices in the mid-1970s,
the U.S. Securities and Exchange Commission (SEC) and the U.S. Congress enacted campaign finance law
reforms and the 1977 Foreign Corrupt Practices Act (FCPA), which criminalized transnational bribery and required
companies to implement internal control programs. In response, the Treadway Commission, a private-sector
initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial
reporting.
The Treadway Commission studied the financial information reporting system over the period from October 1985
to September 1987 and issued a report of findings and recommendations in October 1987, Report of the National
Commission on Fraudulent Financial Reporting.[1] As a result of this initial report, the Committee of Sponsoring
Organizations (COSO) was formed and it retained Coopers & Lybrand, a major CPA firm, to study the issues and
author a report regarding an integrated framework of internal control.
In September 1992, the four-volume report entitled Internal Control — Integrated Framework[2] was released by
COSO and later re-published with minor amendments in 1994. This report presented a common definition of
internal control and provided a framework against which internal control systems may be assessed and improved.
This report is one standard that U.S. companies use to evaluate their compliance with the FCPA. According to a poll
by CFO magazine released in 2006, 82% of respondents claimed they used COSO's framework for internal
controls. Other frameworks used by respondents included COBIT, AS2 (Auditing Standard No. 2, PCAOB), and
SAS 55/78 (AICPA).[3]
Internal Control — Integrated Framework
Key concepts of the COSO framework
The COSO framework involves several key concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is affected by people. It's not merely policy, manuals, and forms, but people at every level of
  an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's
  management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping
  categories.
Definition of internal control and framework objectives
The COSO framework defines internal control as a process, effected by an entity's board of directors, management
and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the
following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of Assets (MHA)
Five framework components
The COSO internal control framework consists of five interrelated components derived from the way management
runs a business. According to COSO, these components provide an effective framework for describing and
analyzing the internal control system implemented in an organization as required by financial regulations (see
Securities Exchange Act of 1934).[4] The five components are the following:
Control environment: The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control, providing discipline
and structure. Control environment factors include the integrity, ethical values, management's operating style,
delegation of authority systems, as well as the processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and
analysis of relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for
determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure management directives are
carried out. They help ensure that necessary actions are taken to address the risks that may hinder the achievement
of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
Information and communication: Information systems play a key role in internal control systems as they
produce reports, including operational, financial and compliance-related information, that make it possible to run
and control the business. In a broader sense, effective communication must ensure information flows down, across
and up the organization. For example, formalized procedures exist for people to report suspected fraud. Effective
communication should also be ensured with external parties, such as customers, suppliers, regulators and
shareholders, about related policy positions.
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's
performance over time. This is accomplished through ongoing monitoring activities or separate evaluations.
Internal control deficiencies detected through these monitoring activities should be reported upstream and
corrective actions should be taken to ensure continuous improvement of the system.
Limitations
Internal control involves human action, which introduces the possibility of errors in processing or judgment.
Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top
management.
CFO magazine reported that companies are struggling to apply the complex model provided by COSO. "One of
the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO
model, those objectives are applied to five key components (control environment, risk assessment, control
activities, information and communication, and monitoring). Given the number of possible matrices, it's not
surprising that the number of audits can get out of hand."[5] CFO magazine continued by stating that many
organizations are creating their own risk-and-control matrix by taking the COSO model and altering it to focus on
the components that relate directly to Section 404 of the Sarbanes-Oxley Act.
Enterprise Risk Management — Integrated Framework
In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be
readily usable by managements to evaluate and improve their organizations' enterprise risk management. High-profile
business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and
WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley
Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of
internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those
systems. The Internal Control — Integrated Framework continues to serve as the broadly accepted standard for
satisfying those reporting requirements; however, in 2004 COSO published Enterprise Risk Management —
Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and
extensive focus on the broader subject of enterprise risk management.
Four categories of business objectives
This enterprise risk management framework is still geared to achieving an entity's objectives; however, the
framework now includes four categories:
- Strategic: high-level goals, aligned with and supporting its mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations
Eight framework components
The eight components of enterprise risk management encompass the previous five components of the Internal
Control-Integrated Framework while expanding the model to meet the growing demand for risk management:
Internal environment: The internal environment encompasses the tone of an organization, and sets the basis for
how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite,
integrity and ethical values, and the environment in which they operate.
Objective setting: Objectives must exist before management can identify potential events affecting their
achievement. Enterprise risk management ensures that management has in place a process to set objectives and that
the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event identification: Internal and external events affecting achievement of an entity's objectives must be
identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's
strategy or objective-setting processes.
Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they
should be managed. Risks are assessed on an inherent and a residual basis.
Risk response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a
set of actions to align risks with the entity's risk tolerances and risk appetite.
Control activities: Policies and procedures are established and implemented to help ensure the risk responses are
effectively carried out.
Information and communication: Relevant information is identified, captured, and communicated in a form and
time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader
sense, flowing down, across, and up the entity.
Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary.
Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
COSO believes the Enterprise Risk Management — Integrated Framework provides a clearly defined
interrelationship between an organization's risk management components and objectives that will fill the need to
meet new law, regulation, and listing standards, and expects it will become widely accepted by companies and other
organizations and interested parties.
Limitations
COSO admits in their report that while enterprise risk management provides important benefits, limitations exist.
Enterprise risk management is dependent on human judgment and therefore susceptible to decision making.
Human failures such as simple errors or mistakes can lead to inadequate responses to risk. In addition, controls can
be circumvented by collusion of two or more people, and management has the ability to override enterprise risk
management decisions. These limitations preclude a board and management from having absolute assurance as to
achievement of the entity's objectives.
Philosophically, COSO is more oriented towards controls. Therefore, it has a bias towards risks that could have
negative impact rather than the risks of missing opportunities. See ISO 31000.
Although COSO claims their expanded model provides more risk management, companies are not required to
switch to the new model if they are using the Internal Control — Integrated Framework.
Internal Control over Financial Reporting — Guidance for Smaller Public Companies
This document contains guidance to help smaller public companies apply the concepts from the 1992 Internal
Control — Integrated Framework. This publication shows the applicability of those concepts to help smaller public
companies design and implement internal controls to support the achievement of financial reporting objectives. It
highlights 20 key principles of the 1992 framework, providing a principles-based approach to internal control. As
explained in the publication, the 2006 guidance applies to entities of all sizes and types.
Guidance on Monitoring Internal Control Systems
Companies have invested heavily in improving the quality of their internal controls; however, COSO noted that
many organizations do not fully understand the importance of the monitoring component of the COSO framework
and the role it plays in streamlining the assessment process. In January 2009, COSO published its Guidance on
Monitoring Internal Control Systems to clarify the monitoring component of internal control.
Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public
reporting on internal control, because problems are identified and addressed in a proactive, rather than reactive,
manner.
COSO's Monitoring Guidance builds on two fundamental principles originally established in COSO's 2006
Guidance:
- Ongoing and/or separate evaluations enable management to determine whether the other components of
  internal control continue to function over time, and
- Internal control deficiencies are identified and communicated in a timely manner to those parties responsible
  for taking corrective action and to management and the board as appropriate.
The monitoring guidance further suggests that these principles are best achieved through monitoring that is based
on three broad elements:
- Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective
  organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and
  authority; and (c) a starting point or "baseline" of known effective internal control from which ongoing
  monitoring and separate evaluations can be implemented;
- Designing and executing monitoring procedures focused on persuasive information about the operation of
  key controls that address meaningful risks to organizational objectives; and
- Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and
  reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if
  needed.
Role of internal audit
Internal auditors play an important role in evaluating the effectiveness of control systems. As an independent
function reporting to the top management, internal audit is able to assess the internal control systems implemented
by the organization and contribute to ongoing effectiveness. As such, internal audit often plays a significant
monitoring role. In order to preserve its independence of judgment, internal audit should not take any direct
responsibility in designing, establishing, or maintaining the controls it is supposed to evaluate. It may only advise
on potential improvements to be made.
Role of external audit
Under Section 404 of the Sarbanes-Oxley Act, management and the external auditors are required to report on the
adequacy of the company's internal control over financial reporting. Auditing Standard No. 5, published by the
Public Company Accounting Oversight Board, requires auditors to "use the same suitable, recognized control
framework to perform his or her audit of internal control over financial reporting as management uses for its
annual evaluation of the effectiveness of the company's internal control over financial reporting". Section 143(3)(i)
of the Indian Companies Act, 2013 also requires statutory auditors to comment on internal control over
financial reporting.
Internal Control — Integrated Framework update project
In November 2010, COSO announced a project to review and update the Internal Control — Integrated
Framework to make it more relevant in the increasingly complex business environment.[9] The five framework
components remain the same. A new feature in the updated framework is that the internal control concepts
introduced in the original framework will now be codified into 17 principles explicitly listed among the five
components.[10] Changes to the framework include internal controls over technology, such as email and the
Internet, that were not in widespread use when the original framework was issued in 1992.[11] Along with the
updated Framework, COSO intends to publish the following documents:
- Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples —
  developed to assist users when applying the framework to external financial reporting objectives
- Illustrative Tools — developed to assist users when assessing the effectiveness of a system of internal
  control based on requirements listed in the updated Framework.[12]
See also
- Maiden Lane II LLC
References
1. "Report of the National Commission on Fraudulent Financial Reporting", http://www.coso.org/Publications/NCFFR.pdf. Retrieved March 23, 2011.
2. "Internal Control — Integrated Framework" ("Archived copy", archived from the original on 2009-02-28, retrieved 2009-04-21). Retrieved March 23, 2011.
3. "The Trouble with COSO", CFO.com archives, March 15, 2006, http://www.cfo.com/article.cfm/5598405/c_2984409/?f=archives. Retrieved March 23, 2011.
4. 17 CFR Section 240.15d-15, http://edocket.access.gpo.gov/cfr_2006/aprqtr/pdf/17cfr240.15d-15.pdf. Retrieved March 23, 2011.
5. CFO Magazine, http://www.cfo.com/article.cfm/5598405/2/c_5620756. Retrieved March 23, 2011.
6. "Enterprise Risk Management — Integrated Framework", http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf. Retrieved March 23, 2011.
7. http://www.coso.org/IC.htm. Retrieved December 2012.
8. "Archived copy" (PDF), archived from the original (PDF) on 2007-10-07, retrieved 2009-04-21 (AS No. 5). Retrieved March 23, 2011.
9. COSO Press Release, November 18, 2010, http://www.coso.org/documents/COSOReleaseNov2010_000.pdf.
10. COSO Press Release, December 19, 2011, http://www.coso.org/documents/COSO%20ICIF%20Press%20Release%2012%2019%2011%20FINAL2.pdf.
11. Tysiac, Ken (March 2012). "Internal Control, Revisited". Journal of Accountancy. American Institute of Certified Public Accountants. 213 (3): 24–29. ISSN 0021-8448.
12. COSO Press Release, September 18, 2012, http://www.coso.org/documents/COSO%20ICIF%20Press%20Release%2009%2018%202012.pdf.
External links
- COSO (http://www.coso.org)
- www.cpa2biz.com/COSOEvalTools (http://www.cpa2biz.com/COSOEvalTools), COSO evaluation template.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission&oldid=751949686"
Categories: Reports on finance and business | Supraorganizations
This page was last modified on 28 November 2016, at 18:20.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.