Loading AI tools
Business guideline committee From Wikipedia, the free encyclopedia
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 2013), COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.
In 1985, COSO began as a private sector initiative to investigate the causal factors that lead to fraudulent financial reporting as a result of a number of accounting scandals in the 1970s and mid-1980s. This initiative was termed the National Commission on Fraudulent Financial Reporting; the first president of the Commission was James C. Treadway, Jr., a former Commissioner of the US Securities and Exchange Commission, and therefore the initiative was commonly called the "Treadway Commission". The Treadway Commission was sponsored jointly by five major professional associations based in the United States:
COSO first examined financial reporting from October 1985 to September 1987, releasing "Report of the National Commission on Fraudulent Financial Information".[1] The report included observations on the extent of fraudulent financial reporting, the root causes of such fraud, the role of independent public accountants in detecting fraud, and the steps companies could take to prevent fraudulent activity.
As an extension of the original report and to fulfill its mission of improving financial reporting, COSO prepared a set of guidelines for managing a system of internal controls over financial reporting. In 1992, COSO published "Internal Control – Integrated Framework"[2] which detailed five key components of an effective internal control system, along with tools to evaluate the effectiveness of such a system. In 2013, COSO re-released the Integrated Framework, stating that significant changes in technology and global business trends increased the need for quality systems of internal control, and provided enhanced guidance for the application of the overall principles.[3]
As part of the changes of the Sarbanes-Oxley Act of 2002, public companies in the United States are required to use a system of internal controls in order to evaluate the effectiveness of their own financial reporting, and to report on the results of that evaluation to their investors in their annual financial statements.[4] The COSO framework is commonly used, given its broad applicability to all industries and enterprise sizes.
The COSO framework defines internal control as a process, carried out by the board of directors, the administration and other personnel of an entity, designed to provide "reasonable security" with respect to the achievement of objectives in operations, financial reporting, and compliance with applicable laws and regulations.
COSO organizes its framework into five interrelated components, subdivided in 17 principles. COSO notes that in order for an effective system of internal control to reduce the risk of not achieving an entity's objectives, (i) each of the five components of internal control and relevant principles is present and functioning, and (ii) the five components are operating together in an integrated manner.
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the basis of all other components of internal control, providing discipline and structure. Factors in the control environment include integrity, ethical values, the operational style of administration, the delegation of authority systems, as well as the processes for managing and developing people in the organization.
Each entity faces a variety of risks from external and internal sources that must be assessed. A prerequisite for risk assessment is the establishment of objectives and, therefore, risk assessment is the identification and analysis of risks relevant to the achievement of the assigned objectives. Risk assessment is a prerequisite for determining how risks should be managed. The four underlying principles related to risk assessment are that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact internal controls.
Control activities are the policies and procedures that help ensure that management directives are carried out. They help to ensure that the necessary measures are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, operational performance reviews, asset safety and segregation of functions.
Information systems play a key role in internal control systems, as they produce reports, including operational, financial and compliance-related information, which make the operation and control of the business possible. In a broader sense, effective communication must ensure information flows down, across and up the organization. An example is the formalized procedures for individuals to report suspected fraud. Effective communication with external parties, such as customers, suppliers, regulators and shareholders on related political positions, must also be guaranteed.
Internal control systems must be monitored, a process that evaluates the quality of system performance over time. This is achieved through continuous monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities must be reported upstream and corrective measures must be taken to ensure continuous improvement of the system.
Internal control involves human action, which introduces the possibility of errors in prosecution or trial. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by senior management.
The magazine CFO reported that companies are struggling to apply the complex model provided by COSO. "One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, these objectives apply to five key components (control environment, risk assessment, control activities, information and communication , and monitoring "Given the number of possible matrices, it is not surprising that the number of audits can get out of control."[5] CFO magazine continued to state that many organizations are creating their own risk and control matrix by taking the COSO model and modifying it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.
In 2001, COSO initiated a project and hired PricewaterhouseCoopers to develop a framework that administrations could easily use to evaluate and improve the business risk management of their organizations. High-profile commercial scandals and failures (e.g., Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) prompted calls to improve corporate governance and risk management. As a result, Sarbanes–Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain internal control systems, which requires management to certify and the independent auditor to certify the effectiveness of those systems. The Internal Control – Integrated Framework continues to serve as the widely accepted standard [citation needed] to meet those reporting requirements; however, in 2004 COSO published "Enterprise Risk Management – Integrated Framework."[6] COSO believes that this framework is expanded in internal control, providing a more robust and extensive approach to the broader issue of business risk management.
This business risk management framework is still aimed at achieving the objectives of an entity; However, the framework now includes four categories:
The eight components of business risk management encompass the five previous components of the Integrated Internal Control Framework while expanding the model to meet the growing demand for risk management:
COSO admits in its report that, although business risk management provides significant benefits, there are limitations. Business risk management depends on human judgment and, therefore, is susceptible to decision making. Human failures, such as simple errors or errors, can lead to inadequate risk responses. In addition, controls can be avoided by collusion of two or more people, and management has the ability to override business risk management decisions. These limitations prevent a board and management from having absolute security regarding the achievement of the entity's objectives.
Philosophically, COSO is more oriented towards controls. Therefore, it has a bias towards risks that could have a negative impact instead of the risks of missing opportunities. See ISO 31000.
While COSO states that its expanded model provides more risk management, companies are not required to change to the new model if they are using the Integrated Internal Control Framework.
This document contains guidance to help smaller public companies to apply the concepts of 1992 Internal Control – Integrated Framework. This publication shows the applicability of these concepts to help smaller public companies design and implement internal controls to support the achievement of financial information objectives. It highlights 20 key principles of the 1992 framework, providing a principles-based approach to internal control. As explained in the publication, the 2006 guideline applies to entities of all sizes and types.[7]
Companies have invested heavily in improving the quality of their internal controls; However, COSO noted that many organizations do not fully understand the importance of the monitoring component of the COSO framework and the role it plays in streamlining the evaluation process. In January 2009, COSO published its "Guidance on the monitoring of internal control systems" to clarify the internal control monitoring component.
Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public information about internal control because problems are identified and addressed proactively, rather than reactively.
The COSO Monitoring Guide is based on two fundamental principles originally established in the 2006 COSO Guide:
The monitoring guide also suggests that these principles are best achieved through monitoring based on three general elements:
Internal auditors play an important role in assessing the effectiveness of control systems. As an independent function that informs senior management, internal audit can evaluate the internal control systems implemented by the organization and contribute to continued effectiveness. As such, internal auditing often plays an important "monitoring" role. To preserve its independence of judgment, the internal audit should not assume any direct responsibility in the design, establishment or maintenance of the controls that it is supposed to evaluate. Internal audit may only advise on possible improvements to be made.
Under Section 404 of the Sarbanes-Oxley Act, management and external auditors must report on the adequacy of the company's internal control over financial information. The Public Company Accounting Oversight Board, formed to oversee the external audit profession, published Auditing Standard 2201 which requires that auditors "use the same appropriate and recognized control framework to conduct their internal control audit on the financial information that management uses to its annual evaluation of the effectiveness of the company's internal control over financial information."[8] Section 143 (3) (i) of the Indian Companies Act, 2013 also requires legal auditors to comment on internal control over financial information.
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.