In 1985, five private sector organizations formed a joint initiative to combat corporate fraud. These organizations are called The Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is dedicated to helping organizations improve performance by developing thought leadership that enhances internal controls for organizational governance, business ethics, enterprise risk management, fraud, and financial reporting. It has established an internal control model against which organizations may assess their internal controls. The COSO internal control framework defines Internal Control as a process, effected by an entity’s Board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
The five components of COSO, summarized below, are often referred to by the acronym CRIME. They can be thought of as COSO-recommended “high-level control capabilities.” All five components need to be present and functioning effectively to have a sound internal control system.
1. Control Environment is the set of standards, processes, and structures that ensure internal control is carried out across the organization. It is the foundation of all other internal control components. The control environment consists of the integrity and ethical values of the organization, the parameters that enable the Board to carry out its governance oversight responsibilities, the organizational structure and assignment of authority and responsibility, the process of attracting, developing, and retaining competent individuals, and the rigor around performance measures and rewards to drive accountability for performance.
2. Risk Assessment forms the basis for determining how risks will be managed. It involves a dynamic process of assessing risks against the achievement of objectives. It also requires that management consider the suitability of objectives and the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.
3. Information and Communication enable the organization to carry out its internal control responsibilities. Communication is the continual, iterative process of obtaining, providing, and sharing information from internal and external sources across the company. It enables senior management to clearly communicate that control responsibilities must be taken seriously.
4. Monitoring Activities such as ongoing or separate evaluations, or some combination of the two, are used to demonstrate whether each of the five components is present and functioning. Ongoing evaluations are built into business processes and provide timely information. Separate evaluations are done periodically and vary in scope and frequency depending on management considerations.
5. Existing Control Activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks are carried out. They are performed at all company levels, at various stages within the business processes, and over the technology environment. They encompass a range of manual and automated activities:
In 2013, COSO updated its Internal Control-Integrated Framework to clearly describe 17 principles of effective internal controls. These guiding principles describe detailed control capabilities to help management design, implement, assess, and remediate their internal controls. Organizations should evaluate their current internal controls against these 17 principles to identify opportunities to improve the effectiveness of their existing control environment capability.
Leveraging the COSO framework to benchmark your current control environment against the 5 components and 17 principles can create valuable benefits for companies of all sizes.
Poor governance and oversight of business performance have led to countless business failures and lower shareowner value. A fundamental goal of COSO is to improve the corporate governance function within organizations that monitor security, risk, and compliance programs to ensure adherence to policies, goals, and laws.
More often than not, people think that incidents occur due to employee negligence or mistakes. In fact, most workplace incidents occur due to insufficient management controls. Your proactive effort to implement effective risk assessments can prevent most incidents from occurring.
The COSO framework can help organizations improve their fraud risk management effectiveness. The framework also enables organizations to have controls that first prevent the fraud from occurring, detect fraud as soon as it happens, and respond effectively to fraud incidents when they occur.
The COSO framework offers companies more effective internal controls to mitigate risks and have the necessary data to support sound decision-making.
Companies face an onslaught of fraudulent activity, security threats, and other application risks. The COSO framework provides guidelines for organizations to assess and improve their own application control environment to better detect and prevent cyber threats.
If organizations implement the COSO framework correctly, it will streamline processes, establish more effective internal controls, and better manage risk and compliance costs.
Investors are scrutinizing the performance of public companies more than ever before. If your company adopts the COSO framework, you’ll have a more effective set of risk management controls in place, making your organization more attractive to potential investors and better prepared for an IPO.
Pathlock helps you protect access to all of your applications, business transactions, and data. In addition, we can help you achieve and maintain your audit requirements for evidence of effective internal controls and enable automation to improve control effectiveness and realize significant cost savings.
Contact us today to request a demonstration or to learn more about Pathlock’s control capabilities.