The COSO Frameworks: ICF and ERM
1980s > National Commission on Fraudulent Financial Reporting > COSO (Committee of Sponsoring Organizations)
chaired by James C. Treadway
Among the issues identified was the absence of a comprehensive internal control framework.
sponsored by five professional associations: The Institute of Internal Auditors (IIA), American Institute of
Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Management
Accountants (IMA), and Financial Executives Institute (FEI).
> COSO (Committee of Sponsoring Organizations)
a private sector initiative formed in 1985 to sponsor this
National Commission on Fraudulent Financial Reporting.
established by five of the largest accounting, auditing, and
finance oversight committees in the United States.
COSO’s goal: Improve the quality of financial reporting.
1. CONTROL ENVIRONMENT
refers to the workplace environment, characterized by the way the organization is structured, the manner of
leadership, the degree of openness, management’s operating style, having and practicing the tenets of its
code of ethics and statement of values.
The tone at the top is set and promoted by the board of directors and senior management, and it refers to
the general attitude, integrity, and ethical practices of these individuals.
Organizational culture is the collection of learned beliefs, traditions, and guides for behavior shared among
members of the organization.
Happy employees deliver higher quality customer services.
Control Environment also includes the activities related to the competence and development of personnel,
the assignment of authority and responsibility, and the organizational structure.
Employee accountability requirements are also shaped by reporting lines, and both play an important role in
the effectiveness of internal controls.
Management establishes a risk management philosophy and the entity’s risk appetite, forms a risk culture,
and integrates ERM with related initiatives.
It is important to remember that culture plays a key role in defining the control environment. According to
Trompenaars, organizational culture includes three key elements:
1. The general relationship between employees and their organizations
2. The vertical or hierarchical system of authority defining superiors and subordinates
3. The general views of employees about the organization’s destiny, purpose, and goals, and their place in it
The following are some examples of unethical behavior that auditors should be on the lookout for:
Undue emphasis on bottom-line performance
High-pressure sales tactics
Kickbacks or bribes
Communication, Consistency, and Belief in the Message
It is very important for management to communicate clearly, consistently, and often what is allowed and
what is not. By setting clear expectations there is a better chance that they will be followed.
Form over Substance
The five principles of the Control Environment are as follows:
Principle 1 - Commitment to integrity and ethical values
Principle 2 - BOD exercises oversight responsibility
Principle 3 - Establish structure, authority, and responsibility
Principle 4 - Commitment to competence
Principle 5 - Enforce accountability
Entity Level Controls
Entity level controls are used to determine if an organization’s values, systems, policies, and processes would
enable or dissuade fraud and encourage proper conduct.
Auditing the entity’s framework requires the examination of tangibles and intangibles.
Review items also include human resources (HR) policies, the reporting structure with the assignment
authority and responsibility, information flows, demonstration of a commitment to competence, and other
types of checks and balances in the organization.
How does management know if the organization is meeting its compliance requirements?
Is data and information complete, accurate, timely, and distributed to the correct individuals in
management to use reliably?
Does the organization have qualified accounting, tax, and operating personnel so all reports are
prepared according to generally accepted principles and standards, and records maintained in
accordance with current accounting and tax regulations and standards?
A person’s behavior may be different in unique situations, as the person acts in part in response to the
environment.
Lewin’s equation states that behavior is a function of the person and the environment:
B = f(P, E), where B = person’s behavior, P = person, and E = environment.
Internal auditors must work with management to make sure there are clear standards of performance, that
rewards and sanctions are clearly communicated, and that employees are managed and aligned effectively.
Tone in the Middle
dictates workplace conditions leading to customer and employee satisfaction, turnover, profits, and the
achievement of goals and objectives.
2. RISK ASSESSMENT
Risks - events that can jeopardize the organization’s ability to achieve its objectives.
Risk assessment - the process of identifying, assessing, and measuring risks to the organization, program, or
process under review.
COSO indicates in its 2013 IC-IF (Internal Control - Integrated Framework) that the organization is subject to a
variety of events.
Risk assessment involves a dynamic and iterative process of identifying, analyzing, and deciding how best to
respond to these risks in relation to the achievement of objectives.
Management specifies objectives within three separate but related categories:
- Reporting
- Compliance
- Operations
Business and Process Risk
- Capacity risk
- Execution risk
- Supply chain risk
- Business interruption risk
- Human resources risk
- Product or service failure risk
- Product development risk
- Cycle time risk
- Health and safety risk
- Leadership risk
- Outsourcing risk
- Competitor risk
- Catastrophic loss risk
- Industry risk
- Planning risk
- Organization structure risk
- Integrity and fraud risk
- Trademark erosion risk
- Reputation risk
- Data integrity
- Infrastructure risk
- Commerce risk
- Access risk
- Availability risk
Personnel Risks
- Availability risk
- Competence risk
- Judgment risk
- Malfeasance risk
- Motivation risk
Financial Risks
- Resources risk
- Commodity prices risk
- Foreign currency risk
- Liquidity risk
- Market
Environmental Risks
- Energy and other resources risk
- Natural disaster risk
- Pollution risk
- Transportation risk
- Pandemic risk
Political Risks
- Regulations and legislation risk
- Public policy risk
- Instability risk
Social Risks
- Demographics risk
- Privacy risk
- CSR
- Mobility
Effects of Risk
- Loss of assets
- Negative publicity
- Erroneous decisions
- Customer dissatisfaction
- Fraudulent financial or operational reporting
- Erroneous record keeping and accounting
- Noncompliance with rules and regulations
- Purchase of resources uneconomically
- Failure to accomplish established goals