The COSO frameworks provide thought leadership and guidance for organizations regarding internal controls, Enterprise Risk Management (ERM), fraud deterrence, and governance. Complying with these detailed frameworks can be challenging and complex and not always easy to incorporate into business processes. In this blog we discuss how implementing the right GRC software can streamline your journey towards COSO compliance in the areas of Internal Control and Enterprise Risk Management. We explore the fundamental principles of the guidance provided by COSO, and explain how the best-practice frameworks, workflows, templates, and forms provided by GRC software can support organizations to operate in line with the guidance and provide adequate proof of compliance.
What is the COSO Internal Control Framework?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) first published guidance on internal controls back in 1992 and the framework was revised and issued back in May 2013 to help firms design and implement internal controls to reduce fraud. According to the Association of Certified Fraud Examiners (ACFE) weak or poor internal controls are responsible for almost half of all fraud. To ensure they aren’t making themselves an easy target for fraudsters, many organizations choose to adopt the globally recognized COSO internal control model to ensure they have effective internal controls to reduce risk and fraud.
The COSO internal control framework outlines requirements for an effective internal control system, it lists five principles, and explains how they should be integrated into a process that forms part of business operations. Robust internal controls encompass the sets of processes, standards, and structures that help detect and prevent internal fraud, including policies, ethical corporate values, organizational structure, and commitment to employing competent and ethical employees – and of course the robust checking of operational and transactional data.
The COSO framework consists of five interrelated components:
- Control Environment: This component sets the tone at the top of the organization and establishes the foundation for internal control. It encompasses factors such as leadership’s commitment to integrity and ethical values, organizational structure, assignment of authority and responsibility, and the culture of the organization.
- Risk Assessment: Organizations must identify and analyze risks that may prevent them from achieving their objectives. This component involves assessing both internal and external risks, evaluating their potential impact, and determining how to manage or mitigate them.
- Control Activities: Control activities are the policies, procedures, and practices that organizations implement to mitigate risks and achieve their objectives. These activities may include segregation of duties, authorization, approval, and escalation processes, physical controls, information technology controls, business performance reviews, and employee training.
- Information and Communication: Effective internal control systems rely on timely and relevant information and clear communication channels. This component involves ensuring that relevant information is identified, captured, and communicated to the right people within the organization to support informed decision-making and accountability.
- Monitoring Activities: Monitoring activities are essential to assess the effectiveness of internal controls over time. This component involves ongoing monitoring of control activities, periodic evaluations of the internal control system’s performance, and reporting of deficiencies or weaknesses for corrective action.
The COSO internal control framework is a comprehensive approach to managing internal controls that helps organizations reduce fraud and achieve their objectives while managing risk effectively. The framework is designed to be applied across all sectors and organizations, regardless of size or complexity.
What do organizations need to do to comply with the COSO internal control framework?
To implement the COSO internal control framework, an organization must embark on a systematic process which involves the following key steps requiring commitment and support from the board of directors, senior management, and employees at all levels.
- Assess their existing internal control systems against the COSO framework’s components.
- Identify gaps or areas for improvement in their internal control environment, control activities, information & communication practices, and monitoring mechanisms.
- Implement changes or enhancements to alter their internal control systems to align with the principles and objectives of the COSO framework.
- Monitor and evaluate the effectiveness of their internal control systems and adjust as necessary to address evolving risks and changes in the business environment.
How can GRC software support an organization to meet COSO internal control requirements?
Developing a well thought out internal control system can be a daunting and time-consuming process and spreadsheets and manual processes often lack the automation and data governance required. GRC platforms offer out-of-the-box best-practice frameworks, templates, workflows, and forms that enable firms to structure their internal control processes in line with the COSO internal control framework.
GRC teams can set up automated control monitoring within the GRC platform. Control monitoring allows organizations to manage risk proactively using controls based on pre-set rules to detect risk in large data sets and notify the relevant stakeholder. From irregular transactions and failed control checks to non-compliance and audit failures – potential risks and problems can be detected based on predetermined rules and alerts are sent to stakeholders enabling them to take the necessary action.
Controls can be set to flag areas of concern across your entire GRC program – including missed deadlines, anomalies in operational and transactional data, budget overspends, business critical incidents, or when KPIs or key risk indicators (KRIs) reach intolerable levels. This level of automation detects risks that would otherwise have gone unnoticed and provides an extra layer of assurance for risk teams.
In addition, control monitoring is a critical component of SOX compliance, as it enables companies to maintain effective internal controls over financial reporting, identify and remediate weaknesses or deficiencies in their control framework, and provides assurance that their financial reporting is accurate and reliable. Internal controls provide real-time monitoring of key financial processes, such as revenue recognition, accounts payable, and payroll – detecting problems early and reducing risk. GRC software automates the entire internal control process – creating a layer of automated defence and eliminating lengthy manual checks. The escalation & resolution process is also automated using predefined workflows to facilitate step-by-step processes including escalations, approvals, signoffs, and notifications. The software keeps a complete audit trail of how controls are set, managed, escalated, and resolved providing proof of compliance with COSO internal control guidelines.
The compliance & audit functionality in GRC software can also be used to maintain compliance with COSO guidance. Firms can build an ‘obligations library’ that includes all the requirements laid out in the COSO framework and monitor compliance with each aspect. Any internal audit against COSO requirements can also be carried out in the platform.
What is the COSO Enterprise Risk Management framework?
Last updated in 2017, the COSO Enterprise Risk Management (ERM) framework provides in depth guidance for companies regarding enterprise risk management integrating with strategy and performance. It is designed to support organizations to become more adaptive to change and think strategically about how risk could impact their long-term success, strategy, and performance.
The COSO enterprise risk management framework requires organizations to implement a best-practice ERM program to manage risk with an active risk register, controls, Key Risk Indicators (KRIs), regular risk assessments, and ongoing risk monitoring & reporting. But in addition to traditional risk management, the COSO enterprise risk management framework has a strong focus on linking risk to strategic objectives and enterprise performance to support board level decision making.
The COSO risk management framework clearly outlines the boards involvement in strategy setting, risk appetite, and aligning strategy & objectives with the companies’ mission, vision, and values. It touches on how the board should handle enterprise performance fluctuations, and their involvement in significant business decisions like mergers & acquisitions, employee incentives, renumeration, and capital allocation & project funding.
The framework consists of principles organized into five connected components:
- Governance and Culture: Firms must implement good governance to establish the organization’s tone, emphasizing the importance of setting oversight responsibilities for enterprise risk management. Firms must also establish a good culture that relates to the ethical values, desired behaviors, and risk awareness within the entity.
- Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting must be integrated into the strategic planning process. A risk appetite should be defined and aligned with strategy, while business objectives and strategy should serve as the foundation for identifying, assessing, and responding to risks.
- Performance: Risks that could affect the achievement of strategic and business objectives must be identified and assessed. Risks should be prioritized based on severity relative to risk appetite. The organization should select appropriate risk responses and takes a comprehensive view of the overall risk assumed. Results of this process are reported to key stakeholders.
- Review and Revision: Organizations must review ERM performance. COSO stipulates that an organization should evaluate the effectiveness of enterprise risk management components over time and understand how risk levels fluctuate based on business decisions and operational changes – determining necessary revisions.
- Information, Communication, and Reporting: COSO states that effective enterprise risk management requires continuous gathering and sharing of relevant information from both internal and external sources, good communication must ensure it flows up, down, and across the organization.
The COSO enterprise risk management framework ensures an organization has a holistic and consistent view of the risks that may affect its objectives, operations, reputation, and stakeholders. It also supports the alignment of risk management with the organization’s strategy, vision, and values. The COSO Enterprise risk management framework is designed to improve reporting, performance measurement, and decision-making – providing assurance to stakeholders that the organization is managing its risks effectively.
What do organizations need to do to comply with the COSO enterprise risk management framework?
To implement the COSO enterprise risk management framework, an organization must implement a best-practice ERM program linked to their strategic objectives and enterprise performance. This will enable them to easily understand the impact of risk on operational performance and overall business performance and make any necessary changes. Here are 5 key processes a firm can implement to meet the COSO enterprise risk management requirements.
- Set up a best practice risk management process which includes establishing a risk register, conducting regular risk assessments, setting Key Risk Indicators, defining a risk appetite & operating within it, establishing risk response & mitigation strategies, monitoring risk levels & addressing problems, and detailed reporting on risk.
- Set sufficient controls to reduce risk and monitor and test controls regularly to ensure their effectiveness.
- Define a strategy that aligns with the organizations mission and values and set out clear steps to achieve the strategy – carefully managing any strategic risk.
- Link business performance to risk – to understand the impact of risk on overall enterprise performance.
- Create a risk aware culture throughout the organization with an established governance structure, adequate training, and clear guidelines for board involvement.
How can GRC software support an organization to meet COSO enterprise risk management requirements?
Leveraging GRC software platforms consolidates disparate risk processes, systems, and data sources into a holistic view, providing deep insight into an organizations risk profile, status, and performance. Organizations can use the platform to set up a comprehensive online risk register, where multiple departments can directly log and take responsibility for risk. Teams can utilize online risk assessment templates & questionnaires to calculate the likelihood, severity and impact of risk and generate risk ratings. Transactional & operational data can be pulled into the solution from other systems & data sources via API connections – enabling teams to set Key Risk Indicators (KRI’s) and define risk tolerances based on real data. This empowers organizations to define a risk appetite framework & operate within it.
Once the system is established and the risk register is completed, teams can set controls to monitor risk on an ongoing basis and automated notifications & alerts are sent when the degree of risk reaches an intolerable level. Teams can run instant reports and view live dashboards to get a complete overview of their risk profile and drill down into the detail to address problem areas.
Software engages the entire organization in the risk management process and ensures all stakeholders across the business can take ownership of risk. This makes risk management more accessible, accountable, trackable, and resolvable – providing visibility of risk exposure to leadership teams in accordance with the COSO risk management framework. The automated workflows save time and valuable resources and speed up the risk remediation process. GRC platforms uncover potential opportunities for growth. Instead of simply using the tool to mitigate risk, the platform utilizes analytics capabilities to weigh up potential outcomes – enabling calculated risk taking.
As well as enabling companies to implement best-practice ERM processes, many modern GRC platforms allow firms to map risk to strategic objectives and enterprise performance to further align their processes with the COSO enterprise risk management framework requirements. Firms can use the strategic planning capabilities in GRC platforms to map out their strategic plans. GRC platforms with strategic planning capabilities allow organizations to break down their overarching strategic goals and objectives into smaller programs, projects, tasks, and actions, which can be distributed across the business to various stakeholders. Each task is assigned an owner, timeline, budget, SLA’s and KPIs to ensure completion.
As information is input, and tasks are completed, progress can be easily tracked at every level of the strategy. Simple tree views help leaders visualize progress and automated notifications flag missed deadlines and incomplete actions. When tasks are completed, workflows notify the relevant individuals so they can move on to the next stage of the strategy, allowing them to proceed with the subsequent task. These tools ensure that employees at all levels understand their role in achieving the organization’s strategy, enabling leaders to monitor progress and address issues, and simplify the process of cascading strategic changes. Firms that manage risk & strategy in the same integrated platform can easily map risk to their strategic objectives, enabling them to control any strategic risks that could impact their strategy and take calculated risks in pursuit of their strategic objectives. This functionality allows organizations to easily align their processes with the COSO enterprise risk management requirements.
Modern GRC platforms offer a wide variety of API integrations enabling them to pull transactional and operational data from other spreadsheets and systems into the GRC platform. This allows firms to understand the impact of risk on operational performance – for example if a risk level was high, did performance drop. If taking a risk didn’t impact performance, the organization may want to take similar risks in the future. Or if a risk was high and performance significantly dropped, they will likely want to introduce more controls to lower the risk. Linking risk & enterprise performance helps leadership teams to make the right decisions to grow the organization, it helps with decisions regarding budget and resource allocation, and uncovers opportunities where the reward outweighs the risk. Mapping these 2 areas can be difficult when the data is dispersed across different departments, but by integrating risk and performance data in one holistic platform, firms can map these interconnected areas and easily run reports on how risk levels are impacting enterprise performance – both positively and negatively.
Discover how adopting COSO frameworks could support your organization
In today’s rapidly evolving business environment, following guidance in the COSO frameworks for internal controls & enterprise risk management is a great way for any organization to operate effectively and responsibly. Camms offers an integrated platform to simplify the implementation and management of COSO principles. Seamlessly align risk with business objectives while ensuring robust risk management and internal controls. Request a demo today to learn how Camms can help your organization to align your operations with COSO requirements and achieve compliance.