Breaking Down the COSO Framework
The History of COSO
(Source: https://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf, accessed 5/17/2019)
Throughout the mid-1970s, questionable financial practices involving political contributions and foreign payments came to light. By 1977 this had become a serious concern for corporations, and a solution was sought. The U.S. Congress, together with the U.S. Securities and Exchange Commission (SEC), enacted the Foreign Corrupt Practices Act (FCPA). The FCPA required companies to maintain internal control programs and outlawed transnational bribery.
The Treadway Commission was not alone on this journey: five sponsoring accounting associations were willing to assist with funding. The five associations were the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the American Institute of Certified Public Accountants (AICPA). With their support, the Treadway Commission created the Committee of Sponsoring Organizations (COSO) in 1985.
COSO's original purpose was to aid the National Commission on Fraudulent Financial Reporting. Its task was to study corporate financial frauds, report its findings, and ultimately create a framework describing how internal control should work. With the help of the Certified Public Accounting (CPA) firm Coopers & Lybrand, COSO released Internal Control – Integrated Framework in 1992. This was of vast importance because it gave companies a framework for how internal control should be conducted.
From 2000 to 2002 there was a wave of corporate financial scandals. An energy company, Enron, had one of the largest accounting scandals of this period. The U.S. Congress responded to this threat, and to reduce the number of fraud incidents it passed the Sarbanes-Oxley (SOX) Act in 2002. SOX is a federal law that has public corporations in its crosshairs. It requires, among other things, that the CEO and CFO certify their company's financial reports and that management assess internal controls annually.
Internal Controls Overview
The Committee of Sponsoring Organizations Framework is built upon internal control, which makes it such a significant concept. Internal control is best defined as a process that is “effected by plan management and other personnel, and those charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting." (Source: https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenefitplanauditquality/resources/planadvisories/downloadabledocuments/plan-advisoryinternalcontrol-hires.pdf, accessed 5/17/2019)
To simplify that a bit, it’s a process aimed at accomplishing four objectives:
1. Ensure an organization’s assets are protected
2. Make sure that accounting records and information are reliable and accurate
3. Encourage effectiveness in the organization’s operations
4. Measure compliance with the policies and procedures that management sets
The PDC Control Model Overview
I believe the preventative, detective, and corrective controls play a large part in the success of your internal control within your organization. This is a three-layer defensive structure that aims to reduce the number of undesirable events that occur. The first layer, preventative, is passive since it is built upon preventative measures put in place by the organization. This layer will catch most of the events but not all of them, which is why it’s important that there are still two more layers these events must make it through. It is important to note that this layer is more cost effective than fixing problems after they occur with the detective and corrective layers.
The second layer is detective, which depends on your organization’s standard operating procedures to detect unwanted events. This detection can be done in a multitude of ways: it can be something like a cashier verifying a credit card against a driver’s license, or an IT device like an Intrusion Detection System (IDS) looking for threats that bypass standard firewall rules (the firewalls would be the preventative layer in this example).
The third layer is the corrective control, which acts on what the detective layer finds to take corrective action on the problem. This layer and the detective layer work hand in hand on cleaning up what the preventative layer missed. As you can see from the diagram below, the errors or problems (indicated with the downward arrows) never physically reach the corrective layer. Once the detective layer detects them, the third layer assists in attempting to resolve the issue. It's important to understand that choosing the right corrective control is always a challenging area for organizations since there isn't always a pristine fix.
The COSO Framework Overview
The COSO framework was formed to help corporations create, evaluate, and optimize their internal control. Properly utilizing the framework is substantially important since it allows the organization to ensure that the financial statements it produces are held to a certain quality. Using this framework also provides insight into weaknesses within an organization’s internal control processes so that reevaluation can take place. We will go over the five components that make up the COSO integrated framework for internal control. These components are control assessment, risk assessment, control activities, information and communication, and monitoring activities. I am going to make sure that I go through each of these in detail so that a comfortable understanding is established.
1) Control Assessment
Upper management and the board of directors create a baseline for the control environment, that is, for how internal control will be conducted. They provide guidance on the standards and procedures that need to be upheld within the organization. Some of these will actually pertain to core values including integrity, ethics, responsibility, and authority. Management is expected to reinforce the standards at multiple levels throughout the organization. The board of directors is expected to have oversight of all these processes while ensuring that the personnel it retains uphold the standards.
2) Risk Assessment
Every organization faces risks, which can come from external and even internal sources. Risk is a measure of the likelihood that an event with a negative effect will occur. Risk assessment is exactly what it sounds like: it is where you assess the risk or risks to your organization. Your primary focus is to make sure that the most critical or highest risks are addressed before you put effort into mitigating a low risk. One thing takes precedence over this, and that is proper prioritization. You will not be utilizing your resources properly if a risk is ranked higher or lower than it should be. Management should make it their objective to communicate how these rankings are to be determined, along with determining how internal or external changes can affect internal controls.
3) Control Activities
This component is where action takes place at all levels of an organization to ensure that the procedures and policies established to avoid risks are actually followed. There are two types of controls: physical and Information Technology (IT). Here is a more detailed breakdown of each control:
Physical Control
Transaction authorization - This ensures that only valid transactions are processed.
Duty segregation - This works towards preventing one person from having enough power to commit some type of fraud by themselves. An easy-to-understand example would be having one person responsible for taking inventory at a warehouse and another person take the inventory at the delivery location. If a single person could take inventory at both places, inventory could go missing unnoticed.
Supervision - Not all organizations are able to segregate all of their duties due to their limited size, so some personnel wear multiple hats. This is where supervision comes in handy, because it is a compensating control for these types of companies.
Accounting records - These are any items that provide some sort of audit trail. For example, these could be documents, journals, emails, ledgers, etc.
Access controls - This ensures that a firm's assets are only accessed by authorized personnel.
Verification procedures - These are checks done independently to locate errors or mistakes in the accounting system.
IT Control
Application controls - These make sure that financial transactions are complete, accurate, and valid.
General controls - These apply to all systems and can include many things, such as least-privilege access to systems or databases, application development, network infrastructure, or a change control system.
Both types of control are necessary to make sure this component is used correctly.
4) Information and Communication
Communication is a vital piece of any organization since it allows the sharing of information. If communication is not being utilized correctly, plenty of information will remain unknown to parties that could substantially benefit from it. In the basic workflow of an organization, this can also hinder operations and cause a multitude of problems. For example, IT Operations might be waiting on Finance to sign off on an equipment refresh purchase simply because Finance was never told that its signature would be required. This can prolong a project past its due date and cost the organization valuable resources and time. Communication is also required between the internal organization and external parties to make sure workflow is not being slowed down. This is especially vital when working with third parties on items like audits, projects, deployments, and more.
5) Monitoring Activities
This component’s main goal is to make sure the organization is constantly evaluating how it’s using the five components of the integrated framework for internal control. This should be done through either ongoing or separate assessments, which will vary in frequency and focus. Things that would be checked include whether each component is being used to its full potential, or whether a component is being missed in the process entirely. Overall, this component is simply ensuring that internal control and operations are being used effectively.
The 2013 COSO Framework Overview
COSO updated the framework in 2013 and simplified it into 17 principles that act as a checklist for determining whether your organization is effective when it comes to financial reporting. Your organization can be viewed as not meeting the standard by missing just one of these principles. In 2013 COSO Figure 1, you can see the summarized versions of the principles. The 2013 version also places more emphasis on the role of the board of directors and management of an organization. 2013 COSO Figure 2 below shows the summarized COSO principles and the points of focus for each principle. COSO officially deemed the 1992 framework superseded by the 2013 version as of December 2014.
2013 COSO Figure 1
(Source: https://deloitte.wsj.com/riskandcompliance/2014/03/13/the-2013-coso-framework-and-the-audit-committee/ accessed 5/17/2019)
2013 COSO Figure 2
(Source: https://deloitte.wsj.com/riskandcompliance/2014/03/13/the-2013-coso-framework-and-the-audit-committee/ accessed 5/17/2019)
Why do we use COSO in our company?
We continue to utilize the COSO framework at our company because it provides us with multiple benefits that are too good to turn down. The first is that it has optimized our internal controls to better mitigate risks and to have the information required to make quality business decisions. The next benefit is that it vastly improves our cyber security, which has become one of the biggest threats of the 21st century. When our company has IT audits, the COSO framework ensures that we have met the requirements of this digital age to prevent cyber attacks. There are other benefits, like the cost savings and positive reputation our company gains because we are dedicated to using the COSO framework as our most important tool.
*** This blog has summarized information about the Committee of Sponsoring Organizations’ integrated framework. If you want more information on the topic, please refer to their website at https://www.coso.org.