
COSO - Committee of Sponsoring Organizations of the Treadway Commission

Submitted to: Dr. Vrijendra Singh

Submitted by: Pooja Singh, Swati Pandey, Anuja Sethiya, Meera Singh

ROADMAP
1. Sponsors for COSO
   1.1 IIA
   1.2 AICPA
   1.3 AAA
   1.4 IMA
   1.5 FEI
2. Introduction
   2.1 Concerns
   2.2 Effectiveness
3. ERM
   3.1 Definition
   3.2 Framework
   3.3 Objectives
   3.4 Components
   3.5 Implementation
4. Internal Control
   4.1 Definition
   4.2 COSO cubes
5. Limitations
6. Helpful COSO
7. Example
8. References

Sponsoring organizations for COSO

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are:
- Institute of Internal Auditors (IIA)
- American Institute of Certified Public Accountants (AICPA)
- American Accounting Association (AAA)
- Institute of Management Accountants (IMA)
- Financial Executives Institute (FEI)

Established in 1941, The Institute of Internal Auditors (IIA) is a guidance-setting body serving members in 165 countries. The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United States.

Mission:
- Advocating and promoting the value that internal audit professionals add to their organizations;
- Providing comprehensive professional education and development opportunities, standards and other professional practice guidance, and certification programs;
- Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;
- Bringing together internal auditors from all countries to share information and experiences.

The Institute of Management Accountants (IMA) is a professional organization headquartered in Montvale, New Jersey, with more than 60,000 professionals worldwide. The IMA vision is to be the leading resource for developing, certifying, connecting, and supporting the world's best accountants and financial professionals working in business. IMA provides a best-in-class certification, the Certified Management Accountant (CMA), for critical internal financial management responsibilities, including planning, budgeting, business reporting, decision analysis, and risk management.

Founded in 1887, the American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants (CPAs) in the United States. The AICPA's mission is to provide members with the resources, information and leadership that enable them to provide valuable services in the highest professional manner to benefit the public, employers and clients. The AICPA sets generally accepted professional and technical standards for CPAs in many areas.

The American Accounting Association (AAA) is an "organization of persons interested in accounting education and research". It was formed in 1916. Its main publication, The Accounting Review, was first published in 1926. Its mission is to further the discipline and profession of accounting through education, research, and service.

Financial Executives International (FEI) was founded in 1931. FEI is a member service-oriented organization for senior-level financial executives in companies of all sizes, both public and private, and in all industries. FEI operates a separate non-profit foundation: Financial Executives Research Foundation, which acts as a financial resource for members and foundation supporters. The FEI headquarters and full-time staff are located in Morristown, New Jersey.

INTRODUCTION
COSO is a joint initiative of the five private-sector organizations listed above. The COSO ERM framework defines essential components and provides guidance on enterprise risk management, internal control and fraud deterrence.

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

COSO provides them with all of these.

Effective I/C, or ERM, means:

That management has a flow of reliable information about each component of control for all the objectives, from all areas of the organization. COSO does not specify who should provide what information, just that management should be receiving and acting on the information.

Effective I/C, or ERM (continued)
Many different sources, or flows, of information exist in an organization. Soft controls relate to the people doing the work to meet the objectives of the organization; hard controls relate to the processes and activities those people perform.

ERM Defined
ERM is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

ERM FRAMEWORK
Objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

ERM considers activities at all levels of the organization:
- Enterprise level
- Division or subsidiary
- Business unit processes

Why ERM Is Important

Underlying principles:

Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Objectives of the ERM framework

- Strategy: high-level goals, aligned with and supporting the organization's mission
- Operations: effective and efficient use of resources
- Financial Reporting: reliability of operational and financial reporting
- Compliance: compliance with applicable laws and regulations

Eight Components of the ERM framework

The eight components of the framework are interrelated.

Internal Environment

Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity's risk culture. Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting

Objectives must exist before management can identify potential events affecting their achievement. Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification

Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile. Opportunities are channelled back to management's strategy or objective-setting processes.

Risk Assessment

Allows an entity to understand the extent to which potential events might impact objectives. Employs a combination of both qualitative and quantitative risk assessment methodologies. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk Response

Identifies and evaluates possible responses to risk. Selects and executes a response based on evaluation of the portfolio of risks and responses. Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities

Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. They occur throughout the organization, at all levels and in all functions.

Information and Communication

Management identifies, captures, and communicates information that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring

Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. The entity establishes minimum standards for each component of enterprise risk management.

How to establish ERM?

- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Internal Control Defined

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

COSO Internal Control

Soft Controls (people):
- Openness
- Shared Values
- Clarity
- Commitment to Competence
- Honesty
- High Expectations
- Communications

Hard Controls (activities):
- Reviews
- Inspections
- Policies
- Reconciliations
- Structure
- Limits of Authority
- User IDs and Passwords
- Physical Counts

The COSO cubes - I/C & ERM

The ERM cube's components:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

Limitations:
- Reasonable, not absolute, assurance
- Different levels of assurance for different objectives
- The future is uncertain
- Other limiting factors:
  - Judgment, breakdowns
  - Collusion, management override
  - Cost versus benefits

Not part of I/C or ERM

- The objectives selected to be achieved
- The responses taken to the risks

How much more can COSO help?

Controls for reliability of financial reporting are mainly in finance areas (Financial). Controls over effective and efficient operations (Operational) and compliance with laws and regulations (Compliance) are mainly in operational areas. Discussing objectives, risks and responses is the most valuable part of ERM.

How much more can COSO help? (continued)
Anyone can put together a list of risks and controls, but true ERM can only be done by those directly responsible for achieving the objectives. The same soft controls in the COSO I/C framework also apply to the ERM framework. I/C is fully incorporated into ERM. ERM does not replace good management practices, does not replace setting the right objectives, and does not replace the business experience needed to have the right vision of where an organization should be heading.

Example: ERM Organization (org chart, read top to bottom)

Level 1:
- Vice President and Chief Risk Officer

Level 2:
- Insurance Risk Manager
- ERM Director
- Corporate Credit Risk Manager

Level 3:
- ERM Manager
- ERM Manager
- FES Commodity Risk Mg. Director

Level 4:
- Staff (three positions)

Implementation in a firm
Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership.
A risk officer, financial officer, internal auditor, and others usually have key support responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocol.

ERM Report
The report is in two volumes. The first volume contains the Framework as well as the Executive Summary. The Framework defines enterprise risk management and describes principles and concepts, providing direction for all levels of management in businesses and other organizations to use in evaluating and enhancing the effectiveness of enterprise risk management.

The Executive Summary is a high-level overview directed to chief executives, other senior executives, board members, and regulators.

Use of the ERM report

Suggested actions that might be taken as a result of this report depend on the position and role of the parties involved:

Board of Directors: The board should discuss with senior management the state of the entity's enterprise risk management and provide oversight as needed. The board should consider seeking input from internal auditors, external auditors, and others.

Senior Management: This study suggests that the chief executive assess the organization's enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness.

Other Entity Personnel: Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management.

Regulators: This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.

Professional Organizations: Rulemaking and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework.

With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess their company's enterprise risk management process against a standard, strengthen the process, and move their enterprise toward established goals.

Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of enterprise risk management, including its benefits and limitations. With all parties utilizing a common enterprise risk management framework, these benefits will be realized.

References
- www.coso.org
- www.wikipedia.com
- www.authorstream.com

Thank You!!
