COSO Framework
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, was tasked with establishing a framework to help address enterprise risk management (ERM), fraud deterrence, and internal controls. Of these three topics COSO addressed, this lesson will focus on internal controls.
COSO's internal control framework is often presented as a cube, because the framework asks you to consider internal controls along three dimensions at once. COSO owns the copyright on the actual cube diagram (although they offer a free poster from their website), but the cube is a convenient way to visualize those three dimensions.
Let's start with the side of the cube marked with the letter 'A.' Side 'A' represents the five components of an acceptable system of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring activities. (These are components, not objectives; the objectives, such as reliable reporting and compliance, are a separate dimension of the cube.)
Risk assessment is the activity in which the organization's activities and their associated risks are inventoried and each is rated on a spectrum from low risk to high risk. The likelihood of occurrence is weighed alongside the potential impact to determine which risks the organization should address first. A risk assessment may identify, for example, cash handling or billing as risks that need to be audited.
Control activities are the procedures and internal controls put in place to mitigate risks, particularly those that management judged too risky during the risk assessment. Management, their staff, and internal auditors test these activities to ensure they are operating as intended. For example, if the risk assessment identified cash handling as a risk, a control activity might be requiring two people to be involved in every cash payment (a segregation-of-duties control, so that no single person can both authorize and execute a payment).
Side 'B' of the cube represents the coverage areas for internal controls. By coverage area, COSO means the level of the organization that a control is focused on protecting. Depending on the organization's structure, some of these levels may not apply, but there are few, if any, situations where fewer than three of them need to be considered when identifying internal controls.
Entity-wide controls are those that influence the entire organization. Often, these controls are focused on establishing and maintaining a sound culture and supporting communication throughout the organization, and they are implemented, or influence actions, at every level. For example, one entity-wide control would be a corporate code of ethics.
Division-level controls may sit one level removed from, or below, entity-wide controls. We say 'may' because, depending on the organization's structure, there may or may not be divisions. When there are, they are often drawn along national or regional boundaries, so that the division's internal controls align with the regulatory requirements that apply there, such as filing SEC reports accurately and on time.
An operating unit isn't always defined by physical proximity; instead it is defined by the activities the unit is responsible for performing. For example, an accounting department may be responsible for accounts payable, accounts receivable, cash management, and financial reporting. Accounts receivable may then have a control that requires a monthly report of outstanding balances to be reviewed.