Mendoza, Bernabeth W.

F-433
Committee
of
Sponsoring
Commission (COSO)

IntAud
Mrs. Emily C. Sunga
Organizations

of

the

Treadway

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

is a joint initiative of five private sector organizations, established in the United
States, dedicated to providing thought leadership to executive management and
governance entities on critical aspects of organizational governance, business
ethics, internal control, enterprise risk management, fraud, andfinancial reporting.
COSO has established a common internal control model against which companies
and organizations may assess their control systems. COSO is supported by five
supporting organizations, including the Institute of Management Accountants (IMA),
the American Accounting Association (AAA), the American Institute of Certified
Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial
Executives International (FEI).
Definition of internal control and framework objectives
The COSO framework defines internal control as a process, effected by an entity's
board of directors, management and other personnel, designed to provide
"reasonable assurance" regarding the achievement of objectives in the following
categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
Safeguarding of Assets (MHA)
Five framework components
The COSO internal control framework consists of five interrelated components
derived from the way management runs a business. According to COSO, these
components provide an effective framework for describing and analyzing the
internal control system implemented in an organization as required by financial
regulations (see Securities Exchange Act of 1934) The five components are the
following:
Control environment: The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control
environment factors include the integrity, ethical values, management's operating
style, delegation of authority systems, as well as the processes for managing and
developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal

sources that must be assessed. A precondition to risk assessment is establishment

of objectives and thus risk assessment is the identification and analysis of relevant
risks to the achievement of assigned objectives. Risk assessment is a prerequisite
for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help
ensure management directives are carried out. They help ensure that necessary
actions are taken to address the risks that may hinder the achievement of the
entity's objectives. Control activities occur throughout the organization, at all levels
and in all functions. They include a range of activities as diverse as approvals,
authorizations, verifications, reconciliations, reviews of operating performance,
security of assets and segregation of duties.
Information and communication: Information systems play a key role in internal
control systems as they produce reports, including operational, financial and
compliance-related information, that make it possible to run and control the
business. In a broader sense, effective communication must ensure information
flows down, across and up the organization. For example, formalized procedures
exist for people to report suspected fraud. Effective communication should also be
ensured with external parties, such as customers, suppliers, regulators and
shareholders about related policy positions.
Monitoring: Internal control systems need to be monitoreda process that
assesses the quality of the system's performance over time. This is accomplished
through ongoing monitoring activities or separate evaluations. Internal control
deficiencies detected through these monitoring activities should be reported
upstream and corrective actions should be taken to ensure continuous
improvement of the system
.
Limitations
Internal control involves human action, which introduces the possibility of errors in
processing or judgment. Internal control can also be overridden by collusion among
employees (see separation of duties) or coercion by top management.
CFO magazine reported that companies are struggling to apply the complex model
provided by COSO. "One of the biggest problems: limiting internal audits to one of
the three key objectives of the framework. In the COSO model, those objectives
are applied to five key components (control environment, risk assessment, control
activities, information and communication, and monitoring). Given the number of
possible matrices, it's not surprising that the number of audits can get out of
hand.". CFO magazine continued by stating that many organizations are creating
their own risk-and-control matrix by taking the COSO model and altering it to focus
on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.
Enterprise Risk Management Integrated Framework
In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to
develop a framework that would be readily usable by managements to evaluate
and improve their organizations' enterprise risk management. High-profile business
scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine

Systems and WorldCom) led to calls for enhanced corporate governance and risk
management. As a result the Sarbanes-Oxley act was enacted. This law extends
the long-standing requirement for public companies to maintain systems of internal
control, requiring management to certify and the independent auditor to attest to
the effectiveness of those systems. The Internal Control Integrated
Framework continues to serve as the broadly accepted standard[citation
needed] for satisfying those reporting requirements; however, in 2004 COSO
publishedEnterprise Risk Management - Integrated Framework.[6] COSO believes
this framework expands on internal control, providing a more robust and extensive
focus on the broader subject of enterprise risk management.
Four categories of business objectives
This enterprise risk management framework is still geared to achieving an entity's
objectives; however, the framework now includes four categories:
Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations
Eight framework components
The eight components of enterprise risk management encompass the previous five
components of the Internal Control-Integrated Framework while expanding the
model to meet the growing demand for risk management:
Internal environment: The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity's
people, including risk management philosophy and risk appetite, integrity and
ethical values, and the environment in which they operate.
Objective setting: Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen
objectives support and align with the entity's mission and are consistent with its risk
appetite.
Event identification: Internal and external events affecting achievement of an
entity's objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channeled back to management's strategy or
objective-setting processes.
Risk assessment: Risks are analyzed, considering likelihood and impact, as a
basis for determining how they should be managed. Risks are assessed on an
inherent and a residual basis.
Risk response: Management selects risk responses avoiding, accepting,
reducing, or sharing risk developing a set of actions to align risks with the entity's
risk tolerances and risk appetite.
Control activities: Policies and procedures are established and implemented to

help ensure the risk responses are effectively carried out.

Information and communication: Relevant information is identified, captured,
and communicated in a form and time frame that enable people to carry out their
responsibilities. Effective communication also occurs in a broader sense, flowing
down, across, and up the entity.
Monitoring: The entirety of enterprise risk management is monitored and
modifications made as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations, or both.
COSO believes the Enterprise Risk Management Integrated Framework provides
a clearly defined interrelationship between an organization's risk management
components and objectives that will fill the need to meet new law, regulation, and
listing standards and expects it will become widely accepted by companies and
other organizations and interested parties.
Limitations
COSO admits in their report that while enterprise risk management provides
important benefits, limitations exist. Enterprise risk management is dependent on
human judgment and therefore susceptible to decision making. Human failures
such as simple errors or mistakes can lead to inadequate responses to risk. In
addition, controls can be circumvented by collusion of two or more people, and
management has the ability to override enterprise risk management decisions.
These limitations preclude a board and management from having absolute
assurance as to achievement of the entity's objectives.
Philosophically, COSO is more oriented towards controls. Therefore, it has a bias
towards risks that could have negative impact rather than the risks of missing
opportunities. SeeISO 31000.
Although COSO claims their expanded model provides more risk management,
companies are not required to switch to the new model if they are using the
Internal Control-Integrated Framework.
Source:
https://en.wikipedia.org/wiki/Committee_of_Sponsoring_Organizations_of_the_Tre
adway_Commission