
The Committee of Sponsoring Organizations (COSO) was founded in 1985 to maintain a framework combining risk management, fraud deterrence, and internal controls. Explore the internal controls, four coverage areas, and three activities of the COSO framework. Updated: 12/28/2021

The COSO

The Committee of Sponsoring Organizations (COSO) was established in 1985 by five private-sector accounting, auditing, and finance professional associations in the United States. The committee was formed to sponsor the National Commission on Fraudulent Financial Reporting (commonly called the Treadway Commission). The National Commission was independent of COSO, so there were no conflicts of interest. It included representatives from regulatory agencies, public companies, and educational institutions.

The National Commission was tasked with establishing a framework to help address enterprise risk management (ERM), fraud deterrence, and internal controls. Of these three topics COSO addressed, this lesson will focus on internal controls.

COSO Internal Controls

COSO's internal control framework is often presented as a cube, as there are three
dimensions of internal controls to consider in their framework. COSO owns the
copyright on the actual cube diagram (although they offer a free poster from their
website), but with the cube diagram, we can visualize the three dimensions of
internal controls.

COSO Integrated Framework

Let's start with the side of the cube marked as letter 'A.' The side of the cube marked with an 'A' represents the five components that an acceptable system of internal controls must have: control environment, risk assessment, control activities, information and communication, and monitoring activities.

The control environment represents the culture of internal controls at the organization. For example, this component seeks to determine whether the organization has a culture of discipline and compliance or a culture of lax policies and procedures. This culture often begins with the actions of executive management, so a control related to the Board reviewing CEO performance would add to the control environment.

The risk assessment is an activity whereby all of the activities and associated risks in an organization are identified and each is rated by its potential impact, from low risk to high risk. Likelihood of occurrence is also considered, so that the risks with the greatest combination of impact and likelihood are addressed first. A risk assessment may identify cash handling or billing as risks that need to be audited.

Control activities are the procedures and internal controls put in place to mitigate risks, particularly those that management rated as too risky during the risk assessment. These are the activities that management, their staff, and internal auditors test to ensure compliance. For example, if the risk identified in the risk assessment is cash handling, a control activity might be requiring two people to be involved in every cash payment (segregation of duties), so that no single person can both authorize and execute a payment.

Information and communication is how management communicates the culture of compliance and the specific policies individuals need to follow. Information and communication are central parts of a strong culture of discipline. An example of this would be requiring that new or amended policies be sent out to everyone in the company so they are aware of the change.

Finally, monitoring activities are activities managers use to monitor processes or internal controls within the organization. For example, if a purchasing manager gets a weekly report of all purchases that were greater than $5,000, they would be performing a monitoring activity.

The Four Coverage Areas

Side 'B' of the cube represents coverage areas for internal controls. By coverage
areas, COSO is referring to the level within the organization the control is focused on
protecting. Depending on the structure of the organization, some of these areas may
not apply, but there are few, if any, situations where at least three of the areas aren't
considered when identifying internal controls.

Entity-wide controls are those that influence the entire organization. Often, these
controls are focused on establishing and maintaining a good culture and supporting
communication throughout the organization. These controls are implemented, or
influence actions, throughout the organization. For example, one entity-wide control
in an organization would be a corporate code of ethics.

Division level controls may be one level removed, or below, entity-wide controls. We say 'may be' because, depending on the organization's structure, there may or may not be divisions. When there are, they are often associated with national or regional boundaries, so that the internal controls align with regulatory requirements, such as filing SEC reports on time and accurately.

An operating unit isn't necessarily defined by physical location; instead it is defined by the activities the operating unit is responsible for performing. For example, an accounting department may be responsible for accounts payable, accounts receivable, cash management, and financial reporting. Accounts receivable may have a control that requires a monthly outstanding balance report to be reviewed.
