The COSO Frameworks: ICF and ERM

The document discusses two frameworks created by COSO (Committee of Sponsoring Organizations) for internal controls - the Internal Control-Integrated Framework (ICF) from 2013 and the Enterprise Risk Management (ERM) framework. It provides details on the five components of the ICF, including the control environment, risk assessment, control activities, information and communication, and monitoring activities. For each component, it lists the relevant principles and describes examples of risks, controls, and other considerations for effective internal controls.
1980s > National Commission on Fraudulent Financial Reporting (the Treadway Commission)
- chaired by James C. Treadway
- Among the issues identified was the absence of a comprehensive internal control framework.
- sponsored by five professional associations: The Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial Executives Institute (FEI).

> COSO (Committee of Sponsoring Organizations)
- a private sector initiative formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting.
- established by the five professional associations listed above, which are among the largest accounting, auditing, and finance bodies in the United States.
- COSO’s goal: improve the quality of financial reporting.

2013 COSO Internal Control—Integrated Framework
- built on five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.
- contains 17 principles representing the fundamental concepts associated with each component.
- typically represented in the form of a cube.
(Image 1)

1. CONTROL ENVIRONMENT
- refers to the workplace environment, characterized by the way the organization is structured, the manner of leadership, the degree of openness, management’s operating style, and having and practicing the tenets of its code of ethics and statement of values.
- The tone at the top is set and promoted by the board of directors and senior management, and it refers to the general attitude, integrity, and ethical practices of these individuals.
- Organizational culture is the collection of learned beliefs, traditions, and guides for behavior shared among members of the organization.
- Happy employees deliver higher quality customer service.
- The control environment also includes the activities related to the competence and development of personnel, the assignment of authority and responsibility, and the organizational structure.
- Reporting lines shape employee accountability requirements, and both play an important role in the effectiveness of internal controls.
- Management establishes a risk management philosophy and the entity’s risk appetite, forms a risk culture, and integrates ERM with related initiatives.

It is important to remember that culture plays a key role in defining the control environment. According to Trompenaars, organizational culture includes 3 key elements:
1. The general relationship between employees and their organizations
2. The vertical or hierarchical system of authority defining superiors and subordinates
3. The general views of employees about the organization’s destiny, purpose, and goals, and their place in it

The following are some examples of unethical behavior that auditors should be on the lookout for:
- Undue emphasis on bottom-line performance
- High-pressure sales tactics
- Kickbacks or bribes
Communication, Consistency, and Belief in the Message
It is very important for management to communicate clearly, consistently, and often what is allowed and
what is not. By setting clear expectations there is a better chance that they will be followed.
Form over Substance
The five principles of the Control Environment are as follows:
Principle 1 - Commitment to integrity and ethical values
Principle 2 - Board of directors (BOD) exercises oversight responsibility
Principle 3 - Establish structure, authority, and responsibility
Principle 4 - Commitment to competence
Principle 5 - Enforce accountability
Entity Level Controls
- Entity level controls are used to determine if an organization’s values, systems, policies, and processes would enable or dissuade fraud and encourage proper conduct.
- Auditing the entity’s framework requires the examination of tangibles and intangibles.
- Review items also include human resources (HR) policies, the reporting structure with the assignment of authority and responsibility, information flows, demonstration of a commitment to competence, and other types of checks and balances in the organization.
- Questions the auditor should ask:
  - How does management know if the organization is meeting its compliance requirements?
  - Are data and information complete, accurate, timely, and distributed to the correct individuals in management to use reliably?
  - Does the organization have qualified accounting, tax, and operating personnel so that all reports are prepared according to generally accepted principles and standards, and records are maintained in accordance with current accounting and tax regulations and standards?
- A person’s behavior may be different in unique situations, as the person acts in part in response to the environment.
- Lewin’s equation states that behavior is a function of the person and the environment:
  B = f(P, E), where B = person’s behavior; P = person; E = environment
- Internal auditors must work with management to make sure there are clear standards of performance, that rewards and sanctions are clearly communicated, and that employees are managed and aligned effectively.

Tone in the Middle
- dictates workplace conditions leading to customer and employee satisfaction, turnover, profits, and the achievement of goals and objectives.

2. RISK ASSESSMENT
- Risks - events that can jeopardize the organization’s ability to achieve its objectives.
- Risk assessment - the process of identifying, assessing, and measuring risks to the organization, program, or process under review.
- COSO indicates in its 2013 IC-IF that the organization is subject to a variety of events (risks) that can affect the achievement of its objectives, and that risk assessment involves a dynamic and iterative process of identifying, analyzing, and deciding how best to respond to these risks in relation to the achievement of objectives.
- Management specifies objectives within three separate but related categories:
  - Reporting
  - Compliance
  - Operations
Business and Process Risks
- Capacity risk
- Execution risk
- Supply chain risk
- Business interruption risk
- Human resources risk
- Product or service failure risk
- Product development risk
- Cycle time risk
- Health and safety risk
- Leadership risk
- Outsourcing risk
- Competitor risk
- Catastrophic loss risk
- Industry risk
- Planning risk
- Organization structure risk
- Integrity and fraud risk
- Trademark erosion risk
- Reputation risk

Technological and Information Technology Risks
- Data and system availability risk
- Data integrity risk
- System capacity risk
- Infrastructure risk
- Commerce risk
- Access risk

Personnel Risks
- Availability risk
- Competence risk
- Judgment risk
- Malfeasance risk
- Motivation risk

Financial Risks
- Resources risk
- Commodity prices risk
- Foreign currency risk
- Liquidity risk
- Market risk

Environmental Risks
- Energy and other resources risk
- Natural disaster risk
- Pollution risk
- Transportation risk
- Pandemic risk

Political Risks
- Regulations and legislation risk
- Public policy risk
- Instability risk

Social Risks
- Demographics risk
- Privacy risk
- Corporate social responsibility (CSR)
- Mobility

The SMARTER Model for Effective Goals
(image 2)

The link between audit findings and business objectives
(image 3)

Effects of Risk
- Loss of assets
- Negative publicity
- Erroneous decisions
- Customer dissatisfaction
- Fraudulent financial or operational reporting
- Erroneous record keeping and accounting
- Noncompliance with rules and regulations
- Purchase of resources uneconomically
- Failure to accomplish established goals
