COSO is the acronym of the Committee of Sponsoring Organizations of the Treadway Commission, originally established in 1985 to combat corporate fraud, led by James Treadway Jr. The Committee comprised of special-interest organisations in the accounting and auditing industry, including the American Accounting Association; Financial Executives International; the Institute of Internal Auditors; American Institute of Certified Public Accountants; and the Institute of Management Accountants. In 1992, COSO published the COSO Internal Control-Integrated Framework, a system for integrating internal controls into business processes.
These controls were intended to provide reasonable assurance that the organisations applying them were operating ethically. This Framework was updated in 2013 to show how all elements of internal control are related. COSO defines internal control as a process which provides reasonable assurance that the systems of an organisation work, that its financial reporting is sound, and that it complies with laws and regulations of the jurisdiction(s) where it operates.
The five components of the COSO Internal Control-Integrated Framework are control environment, risk assessment, control activities, information and communication, and monitoring. Internal control, however, is more than its processes; the processes are not an end in themselves but a means to an end. In today’s business environment, any internal controls based on policy and processes have come to depend more than ever on the people whose responsibility it is to operationalise them. Staff need to understand the need for stringent internal control; its importance should be set by the tone at the top, by the board and senior management, then by managers at other levels throughout the firm.
Written policies, procedures, guidelines and regulations need to be clear and carefully communicated across the board. Appropriate and adequate training should be given where required. Documentation must be done diligently; and feedback constantly sought so that improvements can be made in a timely manner. Internal control systems need to be monitored so that the systems’ performance can be continually assessed for quality. Under COSO, internal auditors play a key role in this assessment of internal control systems. However, they need to maintain their independence and should only advise how internal controls may be improved.
The COSO framework seeks to achieve the organisation’s objectives with regards to its operations, reporting and compliance, and provide reasonable assurance the controls in place are adequate and working as intended. But there are limitations to what the framework can do. In addition, it does not give much guidance on how to set one up. Smaller organisations, which may already be struggling under resource constraints, may find the framework difficult to implement. The framework, which is intentionally broad, may present problems for businesses with varied operations as it does not deal with objectives that fall under multiple categories. This lack of clarity may give rise to confusion.
