Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 2013), COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

History
In 1985, COSO began as a private sector initiative to investigate the causal factors that lead to fraudulent financial reporting as a result of a number of accounting scandals in the 1970s and mid-1980s. This initiative was termed the National Commission on Fraudulent Financial Reporting; the first president of the Commission was James C. Treadway, Jr., a former Commissioner of the US Securities and Exchange Commission, and therefore the initiative was commonly called the "Treadway Commission". The Treadway Commission was sponsored jointly by five major professional associations based in the United States:
 * American Institute of Certified Public Accountants (AICPA)
 * Financial Executives International (FEI)
 * American Accounting Association (AAA)
 * Institute of Internal Auditors (IIA)
 * Institute of Management Accountants (IMA)

COSO first examined financial reporting from October 1985 to September 1987, releasing "Report of the National Commission on Fraudulent Financial Information". The report included observations on the extent of fraudulent financial reporting, the root causes of such fraud, the role of independent public accountants in detecting fraud, and the steps companies could take to prevent fraudulent activity.

As an extension of the original report and to fulfill its mission of improving financial reporting, COSO prepared a set of guidelines for managing a system of internal controls over financial reporting. In 1992, COSO published "Internal Control – Integrated Framework" which detailed five key components of an effective internal control system, along with tools to evaluate the effectiveness of such a system. In 2013, COSO re-released the Integrated Framework, stating that significant changes in technology and global business trends increased the need for quality systems of internal control, and provided enhanced guidance for the application of the overall principles.

As part of the changes of the Sarbanes-Oxley Act of 2002, public companies in the United States are required to use a system of internal controls in order to evaluate the effectiveness of their own financial reporting, and to report on the results of that evaluation to their investors in their annual financial statements. The COSO framework is commonly used, given its broad applicability to all industries and enterprise sizes.

Key concepts of the COSO framework
The COSO framework defines internal control as a process, carried out by the board of directors, the administration and other personnel of an entity, designed to provide "reasonable security" with respect to the achievement of objectives in operations, financial reporting, and compliance with applicable laws and regulations.

COSO organizes its framework into five interrelated components, subdivided in 17 principles. COSO notes that in order for an effective system of internal control to reduce the risk of not achieving an entity's objectives, (i) each of the five components of internal control and relevant principles is present and functioning, and (ii) the five components are operating together in an integrated manner.

Control environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the basis of all other components of internal control, providing discipline and structure. Factors in the control environment include integrity, ethical values, the operational style of administration, the delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk assessment
Each entity faces a variety of risks from external and internal sources that must be assessed. A prerequisite for risk assessment is the establishment of objectives and, therefore, risk assessment is the identification and analysis of risks relevant to the achievement of the assigned objectives. Risk assessment is a prerequisite for determining how risks should be managed. The four underlying principles related to risk assessment are that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact internal controls.

Control activities
Control activities are the policies and procedures that help ensure that management directives are carried out. They help to ensure that the necessary measures are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, operational performance reviews, asset safety and segregation of functions.

Information and communication
Information systems play a key role in internal control systems, as they produce reports, including operational, financial and compliance-related information, which make the operation and control of the business possible. In a broader sense, effective communication must ensure information flows down, across and up the organization. An example is the formalized procedures for individuals to report suspected fraud. Effective communication with external parties, such as customers, suppliers, regulators and shareholders on related political positions, must also be guaranteed.

Monitoring
Internal control systems must be monitored, a process that evaluates the quality of system performance over time. This is achieved through continuous monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities must be reported upstream and corrective measures must be taken to ensure continuous improvement of the system.

Limitations
Internal control involves human action, which introduces the possibility of errors in prosecution or trial. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by senior management.

The magazine CFO reported that companies are struggling to apply the complex model provided by COSO. "One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, these objectives apply to five key components (control environment, risk assessment, control activities, information and communication, and monitoring "Given the number of possible matrices, it is not surprising that the number of audits can get out of control." CFO magazine continued to state that many organizations are creating their own risk and control matrix by taking the COSO model and modifying it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

Business risk management
In 2001, COSO initiated a project and hired PricewaterhouseCoopers to develop a framework that administrations could easily use to evaluate and improve the business risk management of their organizations. High-profile commercial scandals and failures (e.g., Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) prompted calls to improve corporate governance and risk management. As a result, Sarbanes–Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain internal control systems, which requires management to certify and the independent auditor to certify the effectiveness of those systems. The Internal Control – Integrated Framework continues to serve as the widely accepted standard to meet those reporting requirements; however, in 2004 COSO published "Enterprise Risk Management – Integrated Framework." COSO believes that this framework is expanded in internal control, providing a more robust and extensive approach to the broader issue of business risk management.

Four categories of business objectives
This business risk management framework is still aimed at achieving the objectives of an entity; However, the framework now includes four categories:
 * Strategic: high-level objectives, policy alignment and supporting their mission.
 * Operations: effective and efficient use of resources.
 * Reports: reliability of reports
 * Compliance: compliance with applicable laws and regulations

Eight frame components
The eight components of business risk management encompass the five previous components of the Integrated Internal Control Framework while expanding the model to meet the growing demand for risk management:
 * 'Internal environment': The internal environment encompasses the tone of an organization and establishes the basis of how risk is seen and addressed by the persons of an entity, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
 * 'Setting objectives': The objectives must exist before management can identify potential events that affect its achievement. Business risk management ensures that management has implemented a process to establish objectives and that the chosen objectives support and align with the mission of the entity and are consistent with its appetite for risk.
 * 'Event identification': Internal and external events that affect the achievement of the objectives of an entity must be identified, distinguishing between risks and opportunities. The opportunities are re-channeled into management strategy or goal-setting processes.
 * 'Risk assessment': The risks are analyzed, considering the probability and impact, as a basis for determining how they should be managed. The risks are inherently and residually assessed.
 * 'Risk response:' Management selects risk responses, avoiding, accepting, reducing or sharing risk, developing a set of actions to align risks with the entity's risk appetite and risk appetite.
 * 'Control activities:' Policies and procedures are established and implemented to help ensure that risk responses are carried out effectively.
 * 'Information and communication:' The relevant information is identified, captured and communicated in a way and time frame that allow people to fulfill their responsibilities. Effective communication also occurs in a broader sense, flowing down, through and up the entity.
 * 'Monitoring:' The entire business risk management is monitored and modifications are made as necessary. Monitoring is achieved through ongoing management activities, separate evaluations or both.

Limitations
COSO admits in its report that, although business risk management provides significant benefits, there are limitations. Business risk management depends on human judgment and, therefore, is susceptible to decision making. Human failures, such as simple errors or errors, can lead to inadequate risk responses. In addition, controls can be avoided by collusion of two or more people, and management has the ability to override business risk management decisions. These limitations prevent a board and management from having absolute security regarding the achievement of the entity's objectives.

Philosophically, COSO is more oriented towards controls. Therefore, it has a bias towards risks that could have a negative impact instead of the risks of missing opportunities. See ISO 31000.

While COSO states that its expanded model provides more risk management, companies are not required to change to the new model if they are using the Integrated Internal Control Framework.

Internal control over financial information – guidance for small public companies
This document contains guidance to help smaller public companies to apply the concepts of 1992 Internal Control – Integrated Framework. This publication shows the applicability of these concepts to help smaller public companies design and implement internal controls to support the achievement of financial information objectives. It highlights 20 key principles of the 1992 framework, providing a principles-based approach to internal control. As explained in the publication, the 2006 guideline applies to entities of all sizes and types.

Guidance on monitoring internal control systems
Companies have invested heavily in improving the quality of their internal controls; However, COSO noted that many organizations do not fully understand the importance of the monitoring component of the COSO framework and the role it plays in streamlining the evaluation process. In January 2009, COSO published its "Guidance on the monitoring of internal control systems" to clarify the internal control monitoring component.

Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public information about internal control because problems are identified and addressed proactively, rather than reactively.

The COSO Monitoring Guide is based on two fundamental principles originally established in the 2006 COSO Guide:
 * Continuous and / or separate evaluations allow management to determine if the other components of internal control continue to function over time, and
 * Internal control deficiencies are identified and communicated in a timely manner to the parties responsible for taking corrective measures and to management and the board, as appropriate.

The monitoring guide also suggests that these principles are best achieved through monitoring based on three general elements:
 * Establish a basis for monitoring, including (a) an appropriate top tone; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capacities, objectivity and authority; and (c) a starting point or "baseline" of known effective internal control from which continuous monitoring and separate evaluations can be implemented;
 * Design and execute monitoring procedures focused on "persuasive information" on the operation of "key controls" that address "significant risks" for organizational objectives;
 * Evaluate and report the results, including assessing the severity of any identified deficiencies and reporting the results of monitoring to appropriate staff and the board for timely action and follow-up if necessary.

Role of the internal audit
Internal auditors play an important role in assessing the effectiveness of control systems. As an independent function that informs senior management, internal audit can evaluate the internal control systems implemented by the organization and contribute to continued effectiveness. As such, internal auditing often plays an important "monitoring" role. To preserve its independence of judgment, the internal audit should not assume any direct responsibility in the design, establishment or maintenance of the controls that it is supposed to evaluate. Internal audit may only advise on possible improvements to be made.

Role of the external audit
Under Section 404 of the Sarbanes-Oxley Act, management and external auditors must report on the adequacy of the company's internal control over financial information. The Public Company Accounting Oversight Board, formed to oversee the external audit profession, published Auditing Standard 2201 which requires that auditors "use the same appropriate and recognized control framework to conduct their internal control audit on the financial information that management uses to its annual evaluation of the effectiveness of the company's internal control over financial information." Section 143 (3) (i) of the Indian Companies Act, 2013 also requires legal auditors to comment on internal control over financial information.