Introduction
Control and risk frameworks enable entities to evaluate risks so that their processes are conducted effectively and efficiently. The Committee of Sponsoring Organizations (COSO) was formed in 1985 to support the National Commission on Fraudulent Financial Reporting (D’Aquila, 2013), and its framework was later updated in 2013. The framework has been adopted as the standard for internal control; thus, it is widely recognized as the definitive benchmark against which organizations gauge the effectiveness of their internal control systems. COSO also covers other areas, such as enterprise risk management (ERM). This paper aims to discuss the objectives and components of the COSO framework and how it is applied at the auditing and entity levels.
Impact on the COSO Framework
Internal control is a process carried out by an organization’s personnel to provide reasonable assurance that objectives will be achieved. The objectives of the COSO model are grouped into financial reporting, operations, and compliance objectives (D’Aquila, 2013). In an acceptable system of internal control, the following five components have to be integrated to support the achievement of an organization’s mission and objectives. These components are articulated through 17 principles that embody the fundamental concepts associated with each component (D’Aquila, 2013). There is a direct association between COSO’s objectives and its five components.
Control Environment
The control environment operates under five principles that enable it to establish responsibility and oversight in an entity, set the ‘tone at the top’, and enforce accountability (D’Aquila, 2013). This requires management to be aware of the importance of regulatory compliance, reporting, and operations, and to accept the need to address these factors; hence, they are incorporated into the entity’s code of conduct. This, in turn, enables the organization to achieve COSO’s compliance, reporting, and operating objectives.
Risk Assessment
Risk assessment aims to identify potential and significant risks and to validate the presence of controls. It is regarded as an iterative process; thus, it has to be reviewed periodically to ensure that current risks are properly and effectively addressed. It comprises four principles: specifying suitable objectives, identifying and analyzing risks, assessing fraud risk, and identifying and analyzing significant change (D’Aquila, 2013). The purpose of risk assessment is to attain compliance, provide transparent financial reports, and maintain operations appropriately in the eyes of regulators and management. Working with experts can help identify and prioritize compliance, reporting, and auditing risks.
Control Activities
Control activities are the procedures developed to address significant risks. They rest on three principles: selecting and developing control activities, selecting and developing general controls over technology, and deploying controls through policies and procedures. Experts are required to design specific procedures to mitigate compliance risks according to their priority. Furthermore, organizations can establish internal compliance, financial reporting, and operational standards by formalizing a company policy and procedure manual and by designing standard templates to mitigate the risks.
Information and Communication
Information that helps set the ‘ground rules’, as well as information used to obtain actual findings, should be communicated to internal and external stakeholders. This component is based on three principles: using relevant information, communicating internally, and communicating externally. Information such as process flow charts, policies, procedures, and other tools developed from compliance, reporting, and operational programs should be communicated appropriately to all personnel for knowledge management purposes. A vital source of such information is the monitoring activities component.
Monitoring Activities
The COSO principles for this component revolve around performing evaluations and reporting deficiencies (D’Aquila, 2013). Monitoring is an instrumental part of the compliance, reporting, and operating program. It gives the auditor the opportunity to evaluate the quality of regulatory compliance, the transparency of financial reporting and operations, and to identify opportunities for improvement in the system. Furthermore, it requires an auditor to periodically review the effectiveness of the program in relation to COSO’s objectives.
IT Audits From an Auditor’s Perspective
Auditors are only required to understand the controls relevant to the audit. Thus, when conducting an information technology (IT) audit, the auditor focuses on IT general and application controls. The necessity of considering IT risk is substantiated by Lanz (2018), who establishes that the evolution of cyber threats introduces new risks into an entity. The second IT problem facing most organizations is data governance.
This is because companies do not perceive data as an asset; therefore, they end up not inventorying it, its sources, or the parties to whom they sell it. The internal audit function is usually driven by risk, and in today’s business, technology is directly associated with risk. When the COSO framework is factored in, the purpose of an IT audit is regarded as an organizational activity. Its objectives are therefore modified to ensure that IT projects are operationally effective and use the entity’s resources efficiently; that IT projects are performed in a manner that does not impair the reliability of overall financial reporting; and that IT projects comply with relevant laws and regulations. Collectively, these objectives facilitate the identification of risk and the implementation of best risk-mitigating practices.
An IT audit comprises two parts: the overview and risk assessment, and the detailed evaluation. The purpose of the overview is to identify the existing audit population of IT projects and to establish the degree to which risk-mitigating best practices are integrated. The information obtained is then used to judge the level of residual risk of project failure. According to Fourie and Ackerman (2013), although all five components of the COSO framework are essential in improving internal control, their findings revealed that risk assessment had the highest-rated mean score.
This means that internal auditors perceive risk assessment to be the most significant factor contributing to the effectiveness of internal control systems. The results of the overview and risk assessment determine whether the IT auditor proceeds to the next portion, which is regarded as an optional process. If the outcome is not substantial enough for the auditor to draw a recommendation or reach a conclusion, then a detailed evaluation is conducted.
The detailed evaluation comprises two options: further control verification and testing of individual IT projects. Further control verification is selected only when the first part demonstrated the existence of risk-mitigating best practices, but there is uncertainty as to the extent to which those practices are actually operational. The IT auditor therefore performs the further evaluation to determine the status of the practices conclusively. On the other hand, testing of individual IT projects is performed only when the first part revealed control insufficiency, but there was no agreement with management regarding the insufficiency or the possible mitigating action.
Integrating COSO into an Organization’s Strategic Policy
The process of establishing an entity’s internal control system is integrative and, most importantly, should consider the fulfillment of the organization’s strategic objectives. Building an effective system entails compliance with the COSO framework. When integrating COSO into an organization’s strategic policy, it is best to start at the base of the ‘pyramid’. An organization therefore has to follow the procedural steps of developing, executing, operating, and monitoring its internal control framework.
The first step in design and implementation is establishing the control environment. Factors such as skills, vision, resources, and incentives are required to effect change successfully; hence, they should be included. Notably, when implementing or improving a system of internal control, the control environment serves as a pervasive factor that affects all other components (Rae, Sands, & Subramaniam, 2017). Therefore, an ineffective ‘tone at the top’ set by the board of directors may adversely affect the other components.
The next step is to identify and evaluate the risks to the attainment of the organization’s objectives. Risk assessment should be conducted across all business processes in order to develop and establish preventive measures and plans. Identified risks are usually categorized by risk type, for instance environmental, strategic, operational, and financial, for reporting purposes. The prioritized risks identified by management can be addressed by incorporating policies and procedures, that is, control activities, which enable the organization to mitigate them and hence achieve its objectives. Control activities comprise measures that are observable and can be recorded for future inspection or reference by a third party.
When designing control activities for the COSO framework, it is critical that an entity employs a risk-based approach. This means that the controls should be devised to focus on the risk factors detected in the risk assessment, rather than on a pre-defined control list. This ensures that the COSO framework is correctly aligned with the organization’s policies.
After designing and implementing the COSO model, large entities can establish an internal audit department. These internal auditors continuously assess the organization’s operations to ensure that they comply with the designed internal controls and to identify and report deficiencies in the design. Furthermore, monitoring activities can extend beyond the boundaries of the organization to include service providers whose services may affect their clients’ internal control over financial reporting.
The aforementioned four components of the COSO framework (the control environment, risk assessment, control activities, and monitoring) all require the communication of relevant information. Communication is most effective when personnel can relate the effect of their own activities to the organizational objectives.
Conclusion
Organizations with effective internal control systems can improve their effectiveness in attaining their strategic objectives and delivering value. Aligning the COSO model with an organization’s policy is not challenging, and it is valuable in ensuring that the entity’s efforts mirror the COSO objectives. However, it is only effective when the components and principles of the control environment, risk assessment, control activities, information and communication, and monitoring activities are implemented procedurally. Moreover, rather than focusing solely on addressing financial reporting, operations, and compliance objectives, the COSO framework can also be used as a regulatory tool to assess the effectiveness of internal control over financial reporting.
References
D’Aquila, J. (2013). COSO’s internal control-integrated framework: Updating the original concepts for today’s environment. Web.
Fourie, H., & Ackerman, C. (2013). The impact of COSO control components on internal control effectiveness: An internal audit perspective. Journal of Economic and Financial Sciences, 6(2), 495-518. Web.
Lanz, L. (2018). Enterprise technology risk in a new COSO ERM world. Web.
Rae, K., Sands, J., & Subramaniam, N. (2017). Associations among the five components within COSO internal control-integrated framework as the underpinning of quality corporate governance. Australasian Accounting, Business and Finance Journal, 11(1), 28-54. Web.