The COSO Framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO Framework was developed to assist organisations to design or evaluate internal controls.
The COSO Framework can also be applied across various types of organisations from profit-orientated to non-profit-orientated organisations. The COSO Framework focuses on five integrated components of internal control being control environment, risk assessment, control activities, information and communication, and monitoring activities.
Control environment refers to having in place a set of policies, processes, and structures that will become the foundation of internal control for an organisation. The control environment is an essential element to either develop or operate an effective internal control.
To illustrate, an organisation may implement that for a transaction to be prepared and approved by separate personnel. However, the directors of the company often display domineering traits and override the control that was put in place.
As a result, even if there is a set of well-developed internal control policies, it will not be effective as the control environment has been jeopardised by the behaviour of the director. Hence, the key principles described by the framework that a strong Control Environment should have are as follows:
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability
Risk assessment is how an organisation manages its identified risk. Risk is often defined as the possibility of an event occurring which may prevent an organisation from being able to achieve its goals.
Risk assessments are not limited internally. They also consider the possible changes from the external environment. This effectively allows an organization to comprehensively manage risk and potentially take appropriate action to mitigate any adverse impact arising from such risk.
An example of an internal risk is an employee being able to misappropriate assets due to insufficient safeguard on such assets whereas an example of an external risk is competitors’ advancement in technological development resulting in the obsolescence of the organisation’s own product.
Hence, the key principles described by the framework that risk assessment should have are as follows:
- Specifies suitable objectives
- Identifies and analyses risk
- Assesses fraud risk
- Identifies and analyses significant change
Control activities are steps or actions that are usually described in the organisation’s policy, standard operating procedures, or a set of standards that are adhered to throughout the organisation.
Control activities assist the organisation to reduce risk and achieve its set objectives. For example, an organisation that does not have an appropriate tendering process to approve new suppliers will give the management an opportunity to be biased and contract suppliers with higher price offerings due to the personal relationship the management has with the supplier. This will ultimately lead to the organisation suffering unnecessary losses.
Control activities can be preventive or detective and are applied across the organisation. Preventive control activities are actions set to deter an act from happening which may be detrimental to the organisation whether financially or operationally, while detective activities are to act after a certain event.
Preventive is arguably better as it helps to prevent, for example, an unfavourable event from happening at the very beginning while detective activities can only hold the responsible party accountable after the damage has been done to the organisation.
The key principles describe by the framework that control activities should have are as follow:
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys control activities through policies and procedures
Information from both internal and external sources is very important to support internal controls. The importance of information cannot be underestimated because, without relevant and accurate information, an organisation could design and implement ineffective control.
For example, management is designing procedures to reduce shipment errors made by its employee with the information that the root cause being human error. However, in actual fact, the system error was the root cause of the organisation’s high shipment error.
Communication plays an important part in disseminating important information and emphasizing the importance of adhering to control activities throughout the organisation.
Information relating to internal controls should be communicated to all levels of personnel in a manner and tone that reflects the organisation’s expectation of how internal control should be valued.
Communicating externally is as important because the expectations of stakeholders need to be managed well to ensure the organisation is continuously supported by its customer, financier, and shareholders.
The key principles describe by the framework that information and communication should have are as follow:
- Uses relevant information
- Communicates internally
- Communicates externally
Monitoring activities are an evaluation performed within a timeframe or continuously to ensure that all the five components of internal control and the related principles are present and working as intended in the environment it was established.
For instance, the organisation can have many control activities, risk assessment, and communication. However, if there is no proper monitoring, the organisation does not know if all these components are effectively managing risk, what the results are, or if improvement or changes are required.
Monitoring should also be timely and on an ongoing basis as risk changes over time. The control activities in place could have become obsolete or less effective over time. The key principles describe by the framework that monitoring activities should have are as follow:
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
The five components in the COSO framework must work hand in hand with each other to achieve the desired level of internal control. They should not be view as separate elements that we can apply individually.
This is because only a strong control environment needs to be supported by effective risk assessment, control activities, information, communication, and control activities. It is only with that that an internal control can operate as intended within the environment it was established. An entity should also bear in mind the core principles of each component when applying the COSO Framework.