WHAT is the COSO GOVERNANCE FRAMEWORK?

COSO, which stands for the Committee of Sponsoring Organizations of the Treadway Commission, developed what has been the gold standard of governance for FinTech firms. The COSO Framework helps companies evaluate and improve their internal controls and, even more importantly, relate those internal controls to their strategy and business model.

The COSO definition of internal control is “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives” in the following categories:

  • Operational Effectiveness and Efficiency

  • Financial Reporting Reliability

  • Applicable Laws and Regulations Compliance

COSO describes an effective internal control system through five components:

  1. Control environment

  2. Risk assessment

  3. Control activities

  4. Information and communication

  5. Monitoring activities

The COSO website makes numerous free resources available (we list them at the bottom of this article).

We will include only some of the key features of the five COSO framework components here:

Control Environment

  • Make a commitment to competence.

  • Use the board of directors and audit committee.

  • Facilitate management’s philosophy and operating style.

Risk Assessment

  • Create companywide objectives.

  • Define and incorporate department-level and process-level objectives.

  • Perform risk identification and analysis.

Control Activities

  • Follow policies and procedures.

  • Improve cybersecurity, application security, data access security, etc.

  • Plan business continuity, backups, disaster recovery.

  • Identify areas for outsourcing and outsource to best-in-class vendors where needed.

Information and Communication

  • Measure quality of information.

  • Measure effectiveness of communication.

Monitoring

  • Perform ongoing monitoring.

  • Conduct independent evaluations.

  • Report and fix deficiencies.

The COSO internal control framework makes it clear that business objectives, including risk tolerances, are a precondition for designing and evaluating the system of internal control.

The COSO framework helps the executive team bring together strategy and the (tactical) internal controls over risks in a coherent and systematic way.

Source: Enterprise Risk Management: Understanding and Communicating Risk Appetite, Dr. Larry Rittenberg and Frank Martens, 1, 4. Available at www.coso.org.

Key links

https://www.coso.org/pages/governance.aspx

https://www.coso.org/Pages/default.aspx

https://www.coso.org/documents/COSO-EnhancingBoardOversight_r8_Web-ready%20(2).pdf

https://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf

https://www.coso.org/Documents/2014-2-10-COSO-Thought-Paper.pdf

AlphaMille helps clients identify risks through using a risk assessment questionnaire, and then mitigate the risks in a logical and systematic way.