
COSO is a voluntary initiative to improve corporate governance through effective internal controls, enterprise risk management, and fraud deterrence.

It aims to improve financial reporting through internal control and corporate governance.

The COSO ERM framework focuses on aligning the firm's mission with its risk appetite, provides the basis for developing risk-based internal control systems, and stresses the importance of considering risk both in the strategy-setting process (a focus of both management and external auditors) and in driving performance.

ERM is defined as "the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value."

The three categories of objectives are:
1. Operations objectives: effectiveness and efficiency of a firm's operations, including financial performance goals, and safeguarding assets.
2. Reporting objectives: reliability of reporting, including internal and external financial and nonfinancial reporting.
3. Compliance objectives: adherence to applicable laws and regulations.

1. Control Environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; it sets the tone of a firm, influences the control consciousness of its employees, and establishes the foundation for the internal control system. Control environment factors include management's philosophy and operating style, the integrity and ethical values of employees, organizational structure, the role of the audit committee, proper board oversight of the development and performance of internal control, and personnel policies and practices.

2. Risk Assessment: Risk assessment involves a dynamic and iterative process for
identifying and assessing risks to the achievement of objectives. Risks to the
achievement of these objectives from across the entity are considered relative to
established risk tolerances. A precondition to risk assessment is the establishment of
objectives, linked at different levels of the entity. Management also considers the
suitability of the objectives for the entity. Risk assessment also requires management to
consider the impact of possible changes in the external environment and within its own
business model that may render internal control ineffective.

Risk assessment involves a dynamic process for identifying and analyzing a firm's risks from external and internal environments. Risk assessment allows a firm to understand the extent to which potential events might affect corporate objectives. Risks are analyzed after considering the likelihood of occurrence and the potential loss. The analysis serves as a basis for determining how the risks should be managed. This component will be discussed later in the chapter.

3. Control Activities: Control activities are the actions established through policies
and procedures that help ensure that management’s directives to mitigate risks to the
achievement of objectives are carried out. Control activities are performed at all levels