Committee of Sponsoring Organizations integrated framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a collaborative body focused on understanding, analyzing, and developing and disseminating guidance on effective organizational governance. Originally established in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO gets its current familiar full name in part by association with its first commissioner, James Treadway. The sponsoring organizations COSO comprises include the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants. With the active participation of many private sector firms in accounting, investment banking, securities trading, and financial services, COSO develops management frameworks and industry guidance on internal controls, fraud deterrence, and enterprise risk management. The Commission has published formal guidance on all three subjects, including the Enterprise Risk Management—Integrated Framework referenced in Chapter 2, two research studies on fraud in financial reporting, and multiple guidance documents on internal controls. COSO’s most significant internal control guidance is its Internal Control—Integrated Framework, first published in 1992 and significantly updated in 2013, which defines a structured framework and set of processes for implementing, managing, and overseeing an enterprise-wide system of internal controls [5]. The internal control framework provides both a foundation for effective operational management and a basis for auditing internal controls implemented in an organization, including those related to information technology.
The COSO internal control framework begins with a focus on organizational objectives for operations, reporting, and compliance and identifies five components of internal control—a control environment, risk assessment, control activities, information and communication, and monitoring activities—that support the achievement of those objectives. Consideration of these objectives and components occurs not only at the enterprise level, but also at the level of subsidiaries, divisions, operating units, and business or functional areas of operation. COSO’s framework integrates the three dimensions of objectives, components, and organizational structure, represented graphically in the multilevel cube shown in Figure 9.1, and considers the relationships among these elements.
[Figure labels: Control environment; Risk assessment; Control activities; Information and communication; Monitoring activities; Operating unit; Entity le]
FIGURE 9.1
The COSO Internal Control Integrated Framework [5] reflects the close interrelationship among control objectives and components and organizational structure.
Source: Internal Control — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, ©2013. All rights reserved. Used by permission.
Beneath this conceptual view of the framework, COSO defines 17 principles of internal control associated with each component and 81 attributes of the control principles. Audits of internal controls in an organization that has adopted the COSO framework focus on evaluating the extent to which the organization effectively implements and operationalizes the control principles. To do so, auditors look for evidence of each attribute associated with a given control principle to arrive at a subjective but evidence-based opinion as to the effectiveness of each internal control, the five control components, and the overall system of organizational internal controls. The principles associated with each internal control component are listed in Table 9.4.