Committee of Sponsoring Organizations of the Treadway Commission
From Wikipedia, the free encyclopedia
- For people named "Treadway", see Treadway (surname).
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
COSO is sponsored and funded by 5 main professional accounting associations and institutes; American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) and The Institute of Management Accountants (IMA).
[edit] History
Due to questionable corporate political campaign finance practices and foreign corrupt practices in the mid-1970s, the SEC and the U.S. Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act (FCPA) which criminalised transnational bribery and required companies to implement internal control programs. In response, a private-sector initiative, called the National Commission on Fraudulent Financial Reporting (commonly known as the Treadway Commission) was formed in October 1985. The Treadway Commission issued its initial report in 1987, and among other items, recommended that the organisations sponsoring the Commission work together to develop integrated guidance on internal control. As a result of this initial report, the Committee of Sponsoring Organizations (COSO) was formed and it retained Coopers & Lybrand, a major CPA firm, to study the issues and author a report regarding an integrated framework of internal control. The Coopers & Lybrand authored report, issued in 1992 and re-published with minor amendments in 1994, was titled "Internal Control - Integrated Framework." This report presented a common definition of internal control and provided a framework against which internal control systems can be assessed and improved. This report is the standard that U.S. companies use to evaluate their compliance with FCPA.
[edit] Key concepts of the COSO framework
The COSO framework involves several key concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The capabilities of an organization in relation to the COSO model could be assessed based on universal states or plateaus that organizations typically target. The descriptions are incremental. The capability descriptions are based on evolution toward generally recognized best practices. Each organization determines which level of "maturity" would be the most appropriate in support of its business needs, priorities and availability of resources. A rating system of “0” to “5” is used. A rating of “5” does not necessarily mean “goodness”, but rather, maturity of capability. The ideal maturity rating for any area is dependent on the needs of the organization. The different and progressive plateaus are:
0 Non-existent when:
The organisation lacks procedures to monitor the effectiveness of internal controls. Management internal control reporting methods are absent. There is a general unawareness of IT operational security and internal control assurance. Management and employees have an overall lack of awareness of internal controls.
1 Initial/Ad Hoc when:
Management recognises the need for regular IT management and control assurance. Individual expertise in assessing internal control adequacy is applied on an ad hoc basis. IT management has not formally assigned responsibility for monitoring the effectiveness of internal controls. IT internal control assessments are conducted as part of traditional financial audits, with methodologies and skill sets that do not reflect the needs of the information services function.
2 Repeatable but Intuitive when:
The organisation uses informal control reports to initiate corrective action initiatives. Internal control assessment is dependent on the skill sets of key individuals. The organisation has an increased awareness of internal control monitoring. Information service management performs monitoring over the effectiveness of what it believes are critical internal controls on a regular basis. Methodologies and tools for monitoring internal controls are starting to be used, but not based on a plan. Risk factors specific to the IT environment are identified based on the skills of individuals.
3 Defined when:
Management supports and institutes internal control monitoring. Policies and procedures are developed for assessing and reporting on internal control monitoring activities. An education and training programme for internal control monitoring is defined. A process is defined for self-assessments and internal control assurance reviews, with roles for responsible business and IT managers. Tools are being utilised but are not necessarily integrated into all processes. IT process risk assessment policies are being used within control frameworks developed specifically for the IT organisation. Process-specific risks and mitigation policies are defined.
4 Managed and Measurable when:
Management implements a framework for IT internal control monitoring. The organisation establishes tolerance levels for the internal control monitoring process. Tools are implemented to standardise assessments and automatically detect control exceptions. A formal IT internal control function is established, with specialised and certified professionals utilising a formal control framework endorsed by senior management. Skilled IT staff members are routinely participating in internal control assessments. A metrics knowledge base for historical information on internal control monitoring is established. Peer reviews for internal control monitoring are established.
5 Optimised when:
Management establishes an organisationwide continuous improvement programme that takes into account lessons learned and industry good practices for internal control monitoring. The organisation uses integrated and updated tools, where appropriate, that allow effective assessment of critical IT controls and rapid detection of IT control monitoring incidents. Knowledge sharing specific to the information services function is formally implemented. Benchmarking against industry standards and good practices is formalised.
[edit] COSO definition of internal control
The COSO framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
[edit] COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
[edit] COSO Enterprise Risk Management Framework: Now Eight Components Supporting Four Categories of Business Objectives
In 2004 COSO published Enterprise Risk Management - Integrated Framework, expanding the initial COSO framework. http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
The eight components of Enterprise Risk Management (additional components highlighted) are:
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another
[edit] COSO ICoFR - Guidance for Smaller Public Companies
Published in 2006, Internal Control over Financial Reporting - Guidance for Smaller Public Companies aims at supporting smaller organisations in implementing adequate internal controls over financial reporting (ICoFR).
http://www.coso.org/Publications/erm_sb/SB_EXECUTIVE_SUMMARY.PDF
[edit] The Role of internal audit
Internal auditors play an important role in evaluating the effectiveness of control systems. As an independent function reporting to the top management, internal audit is able to assess the internal control systems implemented by the organization and contribute to ongoing effectiveness. As such internal audit often plays a significant monitoring role. In order to preserve its independence of judgment Internal Audit should not take any direct responsibility in designing, establishing, or maintaining the controls it is supposed to evaluate. It may only advise on potential improvement to be made.