The COSO Framework for Internal Control
Internal frauds are a big part of the operational risk faced by any organization. This is especially true of multinational companies that have business interests in various countries across the globe, because thousands of people in important positions make business decisions on behalf of the company. Hence, ensuring that all these employees always act in conformity with the company's principles is a difficult task.
This issue shot into prominence at the turn of the century. The Enron scandal, which shook the entire world economy in the early 2000s, also accentuated the need for proper internal controls in any organization. In response to the Enron scandal, the United States government passed a landmark piece of legislation called the Sarbanes-Oxley Act, or SOX. As per the provisions of this act, the management and the auditors of the company are jointly responsible for clearly documenting the internal control processes and having them certified.
Research has suggested that the lack of properly defined internal controls is the reason for more than 50% of internal frauds in the world. Since each company has to document these processes, the Committee of Sponsoring Organizations (COSO) has come up with a framework that can be followed by all organizations in order to develop and document their internal controls. This system has been designed by experts and can be used by any organization to augment its risk management endeavors. COSO is a committee composed of five major associations.
What is the COSO Framework?
The COSO framework was first developed in the year 1992. Over the years, it has gone through several iterations and has been revised several times. The model has three dimensions, which is why it is often displayed as a cube.
The First Dimension: The Functions
The COSO framework mentions actions that need to be taken within three different functions. They are:
- Operations: The COSO framework suggests that the operations of the organization be thoroughly studied in order to develop internal controls.
- Reporting: The COSO framework also suggests that any information source which feeds into internal or external reporting must be audited for accuracy. These audits must happen at periodic intervals and must ensure that the information system of the company works in a timely, reliable, and transparent manner.
- Compliance: Lastly, the internal control goals must be aligned with the different laws and regulations that the company is supposed to follow.
The Second Dimension: The Levels
The COSO framework suggests that the organization must be divided into various levels for the purpose of managing internal controls. The internal controls should be continuously monitored at various levels such as subsidiary level, business-unit level, division level as well as entity level.
The Third Dimension: The Environment
- Internal Environment: The internal environment of the company refers to the culture propagated by the top management. One of the reasons behind the debacle at Enron was that the unethical values propagated by the top management seeped through to lower levels of management. It is for this reason that the board of directors, as well as outside parties, are supposed to keep a keen eye on whether the top management is committed to maintaining a fraud-free internal environment in the company.
- Risk Assessment: This refers to a system of routinely identifying and classifying the various types of risks. The organization should have a system of scanning its environment for possible causes which could lead to failure in the future.
- Control Activities: Control procedures are activities listed out by the management in order to mitigate the threats that may arise. These are activities such as approvals, reconciliations, and verifications which are performed in order to identify whether any risk is being missed. Internal controls help point out the flaws in the system.
- Information and Communication: This step involves building a strong internal communication system. This means that all the internal parties must be clear about what their responsibilities are. Expectations should also be made clear to external parties. Protocols for escalating risks among internal as well as external parties must be put into place in order to ensure a speedy resolution.
- Monitoring: The last step is to continuously monitor everything that has been put in place in the earlier steps. It is as important to monitor a system of internal controls as it is to create one.
The COSO model emphasizes that all five components work together as an integrated system. The malfunction of any one component would impact all the other components as well. The idea behind the framework is to provide a set of tools that will have to be used by every company. Each organization can then decide on the specific methods that it wants to follow for controls or for information management. The standardized model makes the implementation of risk management comparatively easier.
Authorship/Referencing - About the Author(s)
The article is written by Prachi Juneja and reviewed by the Management Study Guide Content Team. The MSG Content Team comprises experienced Faculty Members, Professionals and Subject Matter Experts. We are an ISO 2001:2015 Certified Education Provider. The use of this material is free for learning and education purposes. Please reference authorship of content used, including link(s) to ManagementStudyGuide.com and the content page URL.