MALACA
BSMA 3
WHAT IS COSO?
The COSO Internal Control — Integrated Framework is a widely recognized framework for
designing, implementing, and assessing internal control in organizations. The framework was
developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is
supported by five sponsoring organizations. It consists of five components and 17 principles that
provide a comprehensive and systematic approach to internal control. The five components are:
1. Control Environment
The control environment is a set of standards and processes that provide the basic components
for implementing internal controls for an organization. The board of directors as well as management
choose what internal controls are most important to the organization. A proper control environment
outlines the ethical values of an organization and sets the tone for governance. The control
environment is essential for the overall impact of system controls.
Principle 2: Board Independence and Oversight: Ensure that the board of directors is independent
and provides oversight of the organization's internal control.
Principle 3: Organizational Structure: Establish an organizational structure that supports the
achievement of objectives.
2. Risk Assessment
Many organizations leveraging the COSO framework conduct risk assessments to determine
if there is any existing risk and what is an acceptable level of risk to the organization.
Principle 5: Risk Assessment: Assess risks to the achievement of objectives in terms of potential
fraud, errors, or inefficiencies.
Principle 6: Risk Response: Respond to identified risks in a manner that aligns with the
organization's risk tolerance.
3. Control Activities
Principle 7: Selecting and Developing Control Activities: Design and implement control activities
that mitigate risks to acceptable levels.
Principle 8: Information and Communication: Use relevant and quality information to support
internal control and communicate it effectively.
Principle 9: Selecting and Developing Technology Controls: Use technology controls to support
the achievement of objectives.
Principle 10: Communication and Internal Reporting: Communicate internal control deficiencies
to appropriate parties.
Principle 11: Communication and External Parties: Communicate relevant internal control
information to external parties.
5. Monitoring Activities
Monitoring is essential to make sure internal controls are doing what they were created to do.
Principle 12: Ongoing and/or Separate Evaluations: Conduct ongoing evaluations and separate
evaluations to assess the effectiveness of internal control.
Principle 14: Reporting on the Effectiveness of Internal Control: Report on the effectiveness of
internal control based on the assessments.
Implementing the Framework
Prior to any implementation, make sure that all stakeholders are on the same page. Often,
implementation requires outside assistance to make it work, as internal employees already have
roles assigned or “a day job.” The old adage of measure twice and cut once is appropriate for how to
apply the 17 COSO principles in an organization.
The board and management of an organization need to properly scope the application of the COSO
framework and understand in depth the five components and all the sub-components of the
framework.
Most organizations already have a set of controls in place. They may not be the controls
recommended in the COSO framework, but they still need to be examined and considered before
embarking on the COSO journey. Also, realize that the organization's industry can affect the
assessment and documentation phase. Some industries are highly regulated, which slows down the
overall process of implementing internal controls.
Phase 2 is also a great time to conduct the fraud risk assessment we mentioned above. Remember,
understanding how someone is going to try and circumvent your internal controls is critical.
Documentation can be tedious, but it is important at all phases of a COSO framework implementation.
Once your organization has identified all of its gaps, the real fun can begin. Remediation is the first
step in implementation as it addresses the critical few versus the trivial many. Phase 3 remediation
will set the organization up for success when it comes to implementing the COSO framework.
Compensating for gaps takes time and it may take extra effort from already taxed implementation
teams.
How do you know if your hard-earned controls are actually working? Test them. Many COSO
framework implementations come to a screeching halt during phase 4 as they make a critical error —
they try to test everything.
Do your organization a favor and test a handful from each control group. Also, make sure that the
testing is organized and follows a specific design. Testing is only valid when it is repeatable.
In order for phase 5 of a COSO framework implementation to be successful, time must be spent on
automation. Sure, manual optimization of controls can get the job done, but it requires more resources
than most organizations have, or it becomes cost prohibitive. Implemented doesn’t mean done. It means
ready to move to the next phase of the control life cycle. Make sure that monitoring is integrated and
actually being looked at by a team in the organization. When a control failure surfaces, don’t fret: it
means you get another chance to get it right.