COSO FRAMEWORK
ITDC 14a (Stub Code 98)
GROUP COMPOSITION
Together, the COSO board develops guidance documents that help organizations with risk
assessment, internal controls and fraud prevention. Their vision is to “be a recognized thought
leader in the global marketplace on the development of guidance in the areas of risk and
control which enable good organizational governance and reduction of fraud.”
THE COSO FRAMEWORK
What is the COSO FRAMEWORK?
HISTORY AND INFORMATION
Fraud deterrence was the main impetus behind the formation of the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) and its 1992 framework for internal control.
The Treadway Commission, formally the National Commission on Fraudulent Financial Reporting
(NCFR), was formed, as its name implies, to study why and how fraudulent financial reporting
occurs at organizations and to recommend ways to reduce it. The NCFR’s 1987 report focused on
internal financial controls, shining a light for perhaps the first time on this important topic. It
also pointed out that there was no standard definition of “internal control,” and began a project
to create one.
COSO FRAMEWORK
INTERNAL CONTROL GOALS
The COSO framework divides internal control objectives into three categories:
Operations
Reporting
Compliance
Operations objectives, such as performance goals and securing the organization’s assets
against fraud, focus on the effectiveness and efficiency of your business operations.
Reporting objectives, including both internal and external financial reporting as well as non-
financial reporting, relate to transparency, timeliness and reliability of the organization’s
reporting habits.
Compliance objectives are internal control goals based around adhering to laws and
regulations that the organization must comply with.
COSO FRAMEWORK
INTERNAL CONTROL COMPONENTS
The COSO framework further teaches that there are five components to an internal control
system.
Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities
Control environment - is the “set of standards, processes, and structures that provide the basis
for carrying out internal controls across the organization.” This component includes your:
Ethical values
Organizational structure
Commitment to employing competent employees
Human resources policies
Risk assessment - involves your organization’s analysis of the risks posed by internal and
external changes, the ability to establish objectives and determine their suitability for your
business and the process for weighing risks versus risk tolerances.
Control activities - are the tasks and activities (laid out by organizational policies and
procedures) that help you achieve your internal control objectives. These include actions such
as “authorizations and approvals, verifications, reconciliations, and business performance
reviews.”
Information and communication - COSO recognizes these two things as essential to any
internal control system.
COSO stresses the importance of relevant and high-quality information to control functions.
Internal messages emphasizing the importance of control responsibilities, in addition to clear
communication of expectations with external parties, are key to a strong system.
Monitoring activities - monitoring your internal controls is just as important as establishing
them. Use ongoing evaluations built into your business processes as well as regular separate
evaluations, which will vary based on your level of risk, system effectiveness and regulatory
requirements.
INTERNAL CONTROL COMPONENTS CHARACTERISTICS
COSO FRAMEWORK
THE COSO COVERAGE AREAS
One of the three sides of the “COSO cube,” a three-dimensional illustration of how the COSO
internal control framework may be applied, lists the areas of an entity to which COSO might be
applied to achieve operational, financial, and compliance objectives:
ENTITY LEVEL
DIVISION
OPERATING UNIT
FUNCTION
These four coverage area criteria correlate to the top-down structure of a typical organization.
They establish that the COSO framework can be used to gauge the effectiveness of controls
for an enterprise as a whole or at the division, operating unit, or function level—and that control
activities should take place at all these levels.
The higher the level, the more abstract its relation to financial reporting activities. Entity-
level controls often have an indirect relationship to financial statements, and so can be harder
to quantify than more direct process-level controls. Entity-level controls also tend to vary
according to an organization’s complexity and risk profile, and so must be evaluated
qualitatively rather than quantitatively.
COSO FRAMEWORK
DEVELOPING THE INTERNAL CONTROL SYSTEM
The COSO framework explains that “an effective system of internal control reduces, to an
acceptable level, the risk of not achieving” objectives. When developing your system, make
sure that:
COSO recognizes that, while its framework should help you design a fraud-deterring system of
internal controls, it is not without limitations. For example, even the strongest system cannot
prevent human error, bad judgement or external events that are beyond your control.
COSO FRAMEWORK
USAGE AND THINGS TO NOTE
After understanding the COSO framework, senior management and other decision-makers in
the organization should use it to assess the current internal control system. Does the system
meet all of the effectiveness standards? If not, make plans on how to improve it according to
COSO’s model.
Lower-level managers and employees should also familiarize themselves with the COSO
framework. Offer suggestions based on the document to senior management. Put together a
committee of employees at all levels to brainstorm ideas for a stronger internal control system.
In addition, every employee should take their role in preventing fraud seriously. Conduct your
work in a way that supports the COSO framework. For example, follow anti-fraud policies
without exception and always file timely, accurate reports.
COSO FRAMEWORK
LIMITATIONS
The framework is intentionally broad in order to apply to a wide array of industries and
processes. This feature can be problematic, though, for “more complex businesses (e.g., those
with varied operations and complex data systems).”
“Proper execution of the COSO framework is dependent on the ability to establish a strong,
formal control environment; however, the framework provides minimal implementation
guidance.” Small businesses and startups may feel overwhelmed and unsupported, leading
them to use a model with a more detailed framework instead.
In addition, the COSO framework is not well designed to deal with objectives that fall under
multiple categories.
COSO FRAMEWORK
SUMMARY
https://reciprocity.com/guide-to-coso-framework-and-compliance/
https://www.techopedia.com/definition/30607/it-governance-framework
https://i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/
END OF PRESENTATION
Q & A SEGMENT
QUESTIONS
What are the internal control goals based around adhering to laws and regulations that the
organization must comply with?
T/F: COSO stresses the importance of relevant and high-quality information to control
functions. Internal messages emphasizing the importance of control responsibilities, in
addition to clear communication of expectations with external parties, are key to a strong
system.
-END-