HOW COSO HAS IMPROVED IMTERNAL CONTROL IN THE UNITED STATES Since its inception in 1985, the Committee

of Sponsoring Organization of the Treadway Commission (COSO) has created a variety of methods to improve the internal control processes used by organizations worldwide. All types of the entities can improve internal controls by carefully examining the contributions of COSO over time. COSO is a voluntary, private sector entity comprised of the following five professional organizations a. b. c. d. e. The American Institute of Certified Public Accountants (AICPA); The American Accounting Association (AAA) The institute of Managerial Accountants (IMA) The Institute of the Internal Auditors (IIA);and Financial Executives International (FEI)

COSO has contributed greatly to the audit profession since its inception in 1985. Although COSO was intended to have only a 12-to 18-month life, it is still making significant contibutions worldwide. In February 2009, COSO published Guidance Monitoring Internal Control Systems. This guidance can help auditors and managers at organizations of any size monitor the effectiveness of internal control objectives related to finance, operations, and compliance. Internal Control prior to COSO There had been several modification of the term internal control prior to the creation of COSO. In 1958, Statement of Accounting Practice (SAP) No. 29 defined internal control as having two components; accounting controls and administrative controls. In attempt to prevent auditors from detecting brides, some corporations established slush funds, or off-the-books accounts. Because of the transactions involved cash exchanges that were not recorded on an organizations books, there was no audit trail, which made detecting bribes almost imposible. About COSO COSO was originally called the National Commission on Management Fraud, and its primary objective was to identify factors associated with fraudulent financial reporting while reducing taxpayer dollars allocated to excessive regulaory compliance. COSO is sometimes referred to as the Treadway Commission, after its first board chairman, James C. Treadway. Prior to being the chairman for COSO, Treadway was appointed by President Ronald Reagan as the Commissioner of the Securities and Exchange Commission (SEC) from 1982 to 1985. COSOs guidance Looking at internal control frameworks from a historical perspective can help management and auditors comprehend how COSO has contributed to improving organizations risk management processes and internal control systems. Internal Control-Intergrated Framework In 11992, COSO published Internal Control-Intergrated Framework, which defined internal control as

a process. Hence. This internal control framework went one step further than the FCPA. The objectives of the COSO internal control framework help address the following questions: a. How do we define internal control? b. What best practices should we incorporate into internal audits envolving role? c. How can internal audit become an integral part of risk management processes and maintain independence? d. What should be the departments strategic plan be? e. How should the audit function deliver its services and communicate its observations? Control Environment. The control enviroment sets the tone for an organization and its often perceived as the most crucial component, although it is difficult to manage and effectively evaluate. Risk Assessment. The risks faced by an organization nedd to be continuously monitored, to ensure that an organizations goals and objectives can be met. Control Activities. Control activities are the policies and procedures needed to mitigate risks so that an organizations goals and obectives can be achieved. Informayion and Communication Information should be identified, gathered, and communicated to appropriate individuals in a timely manner. Monitoring Monitoring involves continuous processes to elimate risks so that an organizations goals and objectives are met. Internal Control Issues in Derivatives Usage According to COSO, risk management processes related to derivatives should involve the following: a. Understanding operations and entity wide objectives b. Indentifying, measuring, assessing, and modifying business risk c. Evaluating the usage of derivatives to control market risk and linking use to entity wide and activity level objectives d. Defining risk management activities and terms relating to derivatives to provide a clear understanding of their usage e. Assessing the appropriateness of specified activities and strategies relating to the use of derivatives f. Establishing procedures for obtaining and communicating information and analyzing and monitoring risk management activities and their results. Enterprise Risk Management-Integrated Framework In 2001, COSO commissioned a group of professors at the University of Virginia to assits in determining whether a risk management framework was necessary. In 2004, COSO published

Enterprise Risk Management-Integarted Framework, often referred to as the COSO ERM framework. The COSO ERM framework has the following eight components: Internal enviroment Objective setting Event identification Risk assessment Risk response Control activities Information and communication Monitoring

Guidance for Smaller Public Companies While COSOs Internal Control-Integrated Framework was intended for all types and sizes of organization, specific guidance was deemed necessary to help smaller organization comply with Sarbanes-Oxley Act, especially Section 404. In 2006, COSO issued Internal Control Over Financial Reporting-Guidance Smaller Public Companies. This guidance gives a high level overview for senior management and board members, real examples drawn from small organizations, and techniques to help smaller organizations implement and evaluate internal control specifically related to financial reporting. Guidance on Monitoring Internal Control Systems COSO emphasizes the following three primary elements of monitoring: Organizations should have an effective control environment for monitoring internal controls to create an appropriate tone at the top that highlights the importance of internal controls and the related role of monitoring internal control. Organizations should priorize effective monitoring procedures and allocate monitoring resources consistent with the organizations risk appetite. Organizations should establish a communication structure to allow timely reporting of monitoring activities, including control weaknesses, to appropriate parties.

In order to achieve these objectives and design effective monitoring procedures, COSOs monitoring guidance recommends that companies perform the following for steps. a. Prioritize risks. Understand and prioritize risks to organizational objectives. b. Identify controls. Identify key controls accross the internal controls systems that address those prioritized risks c. Identify information. Identify information that will persuasively indicate whether the internal control system is operating effectively. d. Implement monitoring. Develop and implement cosy effective procedures to evaluate that persuasive information.