
DAISY B. MALACA
BSMA 3

WHAT IS COSO?

The COSO Internal Control — Integrated Framework is a widely recognized framework for
designing, implementing, and assessing internal control in organizations. The framework was
developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It
consists of five components and 17 principles that provide a comprehensive and systematic approach
to internal control. COSO is supported by the following five organizations:

• The Institute of Management Accountants (IMA)
• The American Accounting Association (AAA)
• The American Institute of Certified Public Accountants (AICPA)
• The Institute of Internal Auditors (IIA)
• Financial Executives International (FEI)

COMPONENTS OF AN INTERNAL CONTROL FRAMEWORK

1. Control Environment

The control environment is the set of standards, processes, and structures that provide the basis
for carrying out internal control across the organization. The board of directors and management set
the tone at the top about the importance of internal control and the standards of conduct they expect.
A proper control environment spells out the ethical values of the organization and sets the tone for
governance; it is the foundation on which the other four components rest.

Principle 1: Commitment to Integrity and Ethical Values: The organization demonstrates a
commitment to integrity and ethical values.

Principle 2: Board Independence and Oversight: The board of directors is independent of
management and exercises oversight of the development and performance of internal control.

Principle 3: Structure, Authority, and Responsibility: Management, with board oversight, establishes
structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Principle 4: Commitment to Competence: The organization attracts, develops, and retains competent
individuals in alignment with objectives.

Principle 5: Accountability: The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.

2. Risk Assessment

Risk assessment is the process of identifying and analyzing risks to the achievement of the
organization's objectives and deciding how those risks should be managed. Organizations applying the
COSO framework use it to determine which risks exist, what level of risk is acceptable to the
organization, and how the risk picture changes over time.

Principle 6: Specifies Suitable Objectives: The organization specifies objectives with enough clarity
to enable the identification and assessment of risks relating to those objectives.

Principle 7: Identifies and Analyzes Risk: The organization identifies risks to the achievement of its
objectives across the entity and analyzes them as a basis for determining how they should be managed.

Principle 8: Assesses Fraud Risk: The organization considers the potential for fraud in assessing
risks to the achievement of objectives.

Principle 9: Identifies and Analyzes Significant Change: The organization identifies and assesses
changes that could significantly affect the system of internal control.

3. Control Activities

Control activities are the actions, established through policies and procedures, by which
management mitigates the risks identified in the risk assessment. The activities can be preventive or
detective and should be automated where possible. A primary example of a control activity is
separation of duties, i.e., keeping the accounts payable and accounts receivable roles in different
hands so that no single person can both create and settle an obligation.

Principle 10: Selects and Develops Control Activities: The organization selects and develops control
activities that contribute to the mitigation of risks to acceptable levels.

Principle 11: Selects and Develops General Controls over Technology: The organization selects and
develops general control activities over technology to support the achievement of objectives.

Principle 12: Deploys through Policies and Procedures: The organization deploys control activities
through policies that establish what is expected and procedures that put those policies into action.
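
The separation-of-duties example above can be automated in both forms the text mentions. The
following Python is an added illustration, not code from the page or from COSO: a preventive check
that flags conflicting role combinations in an identity-system export before access is used, and a
detective check that reads the payment workflow log and catches the same violation even when the
role model did not predict it. The role names, the conflict matrix, and the sample data are all
constructed for this example.

```python
"""Separation-of-duties (SoD) checks as a preventive and a detective control.

Added example: the role names, conflict matrix, and sample data below are
constructed for illustration; they are not COSO-defined and not from the page.
"""
from collections import defaultdict

# Pairs of roles that one person must not hold at the same time (constructed).
SOD_CONFLICTS = {
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"vendor_master_maintenance", "accounts_payable"}),
    frozenset({"payment_preparer", "payment_approver"}),
}

# Constructed role export from an identity system: (user, role).
SAMPLE_ASSIGNMENTS = [
    ("alice", "accounts_payable"),
    ("alice", "accounts_receivable"),   # conflicting pair
    ("bob", "payment_preparer"),
    ("carol", "payment_approver"),
    ("dave", "payment_preparer"),
    ("dave", "payment_approver"),       # conflicting pair
]

# Constructed payment workflow log. Note P-1003: bob holds no approver role,
# yet the workflow let him approve his own payment, so only the detective
# check on actual events will catch it.
SAMPLE_EVENTS = [
    {"payment_id": "P-1001", "action": "prepare", "user": "bob"},
    {"payment_id": "P-1001", "action": "approve", "user": "carol"},
    {"payment_id": "P-1002", "action": "prepare", "user": "dave"},
    {"payment_id": "P-1002", "action": "approve", "user": "dave"},
    {"payment_id": "P-1003", "action": "prepare", "user": "bob"},
    {"payment_id": "P-1003", "action": "approve", "user": "bob"},
]


def role_conflicts(assignments):
    """Preventive control: flag users whose role set contains a conflicting pair.

    assignments: iterable of (user, role) tuples.
    Returns {user: [sorted conflicting pair, ...]} for users with conflicts.
    """
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    findings = {}
    for user, roles in sorted(roles_by_user.items()):
        hits = [sorted(pair) for pair in SOD_CONFLICTS if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def self_approved_payments(events):
    """Detective control: payments where preparer and approver are the same
    identity, judged from what actually happened rather than from assigned roles.

    events: iterable of dicts with keys payment_id, action, user.
    Returns a sorted list of offending payment_ids.
    """
    actors = defaultdict(dict)
    for event in events:
        actors[event["payment_id"]][event["action"]] = event["user"]
    return sorted(
        pid for pid, acts in actors.items()
        if "prepare" in acts and "approve" in acts and acts["prepare"] == acts["approve"]
    )


if __name__ == "__main__":
    print("role conflicts:", role_conflicts(SAMPLE_ASSIGNMENTS))
    print("self-approved payments:", self_approved_payments(SAMPLE_EVENTS))
```

The two checks are deliberately independent: the preventive one runs against the role model and
stops a conflict before it is exercised, while the detective one runs against evidence of what users
actually did and surfaces the cases the role model missed, such as a shared account, an emergency
access grant, or a misconfigured approval workflow.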

4. Information and Communication

Information is necessary for the organization to carry out its internal control responsibilities.
Communication is the continual process of providing, sharing, and obtaining that information, both
inside the organization and with external parties. For the requirements laid out by the board and
management to be carried out, communication needs to be clear.

Principle 13: Uses Relevant Information: The organization obtains or generates and uses relevant,
quality information to support the functioning of internal control.

Principle 14: Communicates Internally: The organization internally communicates information,
including objectives and responsibilities for internal control, that is necessary to support its functioning.

Principle 15: Communicates Externally: The organization communicates with external parties about
matters affecting the functioning of internal control.

5. Monitoring Activities

Monitoring is essential to make sure internal controls are doing what they were created to do.

Principle 16: Ongoing and/or Separate Evaluations: The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain whether the components of internal control are present
and functioning.

Principle 17: Evaluates and Communicates Deficiencies: The organization evaluates and communicates
internal control deficiencies in a timely manner to the parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate.

Implementing the Framework

Framework implementation can be broken out into five phases:

Phase 1: Planning and Scoping
Phase 2: Assessment and Documentation
Phase 3: Remediation planning and Implementation
Phase 4: Design, testing, and reporting controls
Phase 5: Optimization of the effectiveness of internal controls

Phase 1: Planning and Scoping

Prior to any implementation, make sure that all stakeholders are on the same page. Often,
implementation requires outside assistance, because internal employees already have roles assigned,
or "a day job." The old adage of measure twice and cut once is appropriate for how to apply the 17
COSO principles in an organization.

The board and management of an organization need to properly scope the application of the COSO
framework and understand in depth the five components and all 17 principles of the framework.

Phase 2: Assessment and Documentation

Most organizations already have a set of controls in place. They may not be the controls
recommended in the COSO framework, but they still need to be examined and considered before
embarking on the COSO journey. Also, realize that the organization's industry can affect the
assessment and documentation phase: some industries are highly regulated, which slows down the
overall process of implementing internal controls.

Phase 2 is also a great time to conduct the fraud risk assessment we mentioned above. Remember,
understanding how someone is going to try and circumvent your internal controls is critical.
Documentation can be tedious, but it is important at all phases of a COSO framework implementation.

Phase 3: Remediation planning and Implementation

Once your organization has identified all of its gaps, the real fun can begin. Remediation is the first
step in implementation as it addresses the critical few versus the trivial many. Phase 3 remediation
will set the organization up for success when it comes to implementing the COSO framework.
Compensating for gaps takes time and it may take extra effort from already taxed implementation
teams.

Phase 4: Design, testing, and reporting controls

How do you know if your hard-earned controls are actually working? Test them. Many COSO
framework implementations come to a screeching halt during phase 4 as they make a critical error —
they try to test everything.

Do your organization a favor and test a handful from each control group. Also, make sure that the
testing is organized and follows a specific design. Testing is only valid when it is repeatable.
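
Sampling a handful of controls from each group and keeping the test repeatable can be made
mechanical. The Python below is an added example, not from the page or from COSO: the sample for a
test period is drawn with a random generator seeded from the period label, so an auditor can re-derive
exactly which controls were selected, and each test run records a status and its evidence. The control
ids, groups, and test procedures are constructed for illustration.

```python
"""Repeatable, sample-based control testing for one test period.

Added example: the control ids, groups, and test procedures are constructed
for illustration and are not defined by COSO or taken from the page.
"""
import hashlib
import random
from collections import defaultdict

# Constructed control inventory: (control_id, control_group).
CONTROL_INVENTORY = [
    ("CA-01", "control_activities"), ("CA-02", "control_activities"),
    ("CA-03", "control_activities"), ("CA-04", "control_activities"),
    ("IC-01", "information_communication"), ("IC-02", "information_communication"),
    ("MA-01", "monitoring"), ("MA-02", "monitoring"), ("MA-03", "monitoring"),
]

# Constructed test procedures: each returns (passed, evidence). MA-03 has no
# documented procedure, to show how an untestable control is reported.
SAMPLE_PROCEDURES = {
    "CA-01": lambda: (True, "5 of 5 sampled payments approved by someone other than the preparer"),
    "CA-02": lambda: (False, "2 of 5 sampled vendor master changes lacked a second reviewer"),
    "CA-03": lambda: (True, "quarterly access review signed off within the period"),
    "CA-04": lambda: (True, "bank reconciliation completed within 5 business days"),
    "IC-01": lambda: (True, "deficiency log reviewed at the monthly control meeting"),
    "IC-02": lambda: (True, "whistleblower channel exercised with a test report"),
    "MA-01": lambda: (True, "nightly separation-of-duties report ran every day in the period"),
    "MA-02": lambda: (False, "3 monitoring alerts older than 30 days with no owner"),
}


def select_sample(inventory, period, per_group=2):
    """Choose per_group controls from each control group for the given period.

    The generator is seeded from a hash of the period label and group name, so
    the same period always yields the same sample (repeatable and re-derivable
    by an auditor), while a new period rotates which controls get covered.
    """
    by_group = defaultdict(list)
    for control_id, group in inventory:
        by_group[group].append(control_id)
    selected = {}
    for group, ids in sorted(by_group.items()):
        digest = hashlib.sha256(f"{period}:{group}".encode()).digest()
        rng = random.Random(int.from_bytes(digest[:8], "big"))
        selected[group] = sorted(rng.sample(sorted(ids), min(per_group, len(ids))))
    return selected


def run_tests(selected, procedures):
    """Run the documented procedure for each sampled control and record the
    outcome with its evidence. A control with no procedure is reported as
    NOT_TESTED rather than silently skipped."""
    results = []
    for group, ids in sorted(selected.items()):
        for control_id in ids:
            procedure = procedures.get(control_id)
            if procedure is None:
                results.append({"control": control_id, "group": group,
                                "status": "NOT_TESTED",
                                "evidence": "no documented test procedure"})
                continue
            passed, evidence = procedure()
            results.append({"control": control_id, "group": group,
                            "status": "PASS" if passed else "FAIL",
                            "evidence": evidence})
    return results


def deficiencies(results):
    """Controls that failed or could not be tested, for the deficiency report."""
    return sorted(r["control"] for r in results if r["status"] != "PASS")


if __name__ == "__main__":
    sample = select_sample(CONTROL_INVENTORY, "2024Q1")
    for r in run_tests(sample, SAMPLE_PROCEDURES):
        print(f'{r["group"]:26} {r["control"]} {r["status"]:10} {r["evidence"]}')
```

Seeding from the period label is what makes the test "follow a specific design": the selection
cannot be quietly changed after the fact, and re-running the same period reproduces it exactly. A
control with no written procedure shows up as a deficiency instead of disappearing from the report.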

Phase 5: Optimization of effectiveness of internal controls

For phase 5 of a COSO framework implementation to succeed, time must be spent on automation.
Manual optimization of controls can get the job done, but it requires more resources than most
organizations have, or becomes cost prohibitive. Implemented does not mean done; it means ready to
move to the next phase of the control life cycle. Make sure that monitoring is integrated and that its
output is actually reviewed by a named team in the organization. When a control failure surfaces, do
not fret: it means you get another chance to get it right.
