Committee of Sponsoring Organizations of the Treadway Commission (COSO)


COSO is an organization providing thought leadership and guidance on internal control, enterprise risk management (ERM), and fraud deterrence. In 1992, COSO released Internal Control ― Integrated Framework (the framework). The framework was recognized among the corporate and financial reporting community as the predominant framework for reporting on the effectiveness of internal control over financial reporting (ICFR) by U.S. public companies. The framework is still regarded as a leading resource for guidance on the design and evaluation of internal control, and for evaluating the compliance of such controls with Section 404 of the Sarbanes-Oxley Act. The COSO framework can also be applied in assessing internal control over operations, compliance, and other reporting objectives.

The five components of the framework are:

Control environment

a. How management puts into place policies and procedures that guide the organization

b. The tone management sets in the organization, which should be clearly communicated so that everyone knows they are responsible for the controls operating effectively and achieving the intended results

Risk assessment

How the organization assesses risk to identify the things that threaten the achievement of their objectives

Information and communication

How management communicates its expectations to internal and external users and how to elicit acknowledgment and affirmation from those people that they understand the expectations

Monitoring activities

How management oversees the function of the entire organization, how it identifies when things aren’t working correctly, and how it corrects those deficiencies quickly

Existing control activities

What controls are currently in place, whether the controls were in place and operating effectively at a specified time, and how long the controls have been in place

COSO revised the original framework in 2013. The most significant change was the addition of 17 principles and 77 focus areas. These new items expand the definition of the five core areas. For a system of internal control to be effective, each of the 17 principles must be (a) present, (b) functioning, and (c) operating together in an integrated manner. Among the 17 principles, principle 8 states:

“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

What makes the 2013 framework an important development is that it provides guidance for organizations to develop effective and efficient systems of internal control to achieve important business objectives. It also supports organizations as they (a) adapt to the increasing complexity of a changing business environment, (b) manage risks to the achievement of their objectives, and (c) improve the reliability of information for management’s decision-making.

Separately, in 2016 COSO published guidance on fraud deterrence in the Fraud Risk Management Guide (the guide). The guide is intended to support and be consistent with the 2013 framework, and to provide best-practice guidance for organizations addressing the fraud risk assessment principle (principle 8). The guide’s five fraud risk management principles fully support, are entirely consistent with, and run parallel to the 2013 COSO framework’s 17 internal control principles. The relationship between the fraud risk management principles and the 2013 COSO framework’s internal control components and principles is described in the following chart.