Committee of Sponsoring Organizations of the Treadway Commission

From Wikipedia, the free encyclopedia

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. It was established in the United States by five private-sector organizations, dedicated to providing guidance to executive management and governmental entities on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting. COSO has established a common internal control model against which companies and organizations can evaluate their control systems. COSO is supported by five supporting organizations: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).

Organizational summary

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The Treadway Commission was originally sponsored and jointly funded by five major professional accounting associations and institutes based in the United States: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). The Treadway Commission recommended that its sponsoring organizations work together to develop integrated guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring Organizations of the Treadway Commission.

The original chairman of the Treadway Commission was James C. Treadway, Jr., Executive Vice President and General Counsel of Paine Webber and a former Commissioner of the U.S. Securities and Exchange Commission, hence the popular name "Treadway Commission". Robert B. Hirth, Jr. became chair of COSO on June 1, 2013, and held the position for 4.5 years. On February 1, 2018, Paul J. Sobel became the new chair of COSO.


Due to questionable corporate political campaign financing practices and corrupt foreign practices in the mid-1970s, the U.S. Securities and Exchange Commission (SEC) and the U.S. Congress enacted campaign finance law reforms and the Foreign Corrupt Practices Act (FCPA) of 1977, which criminalized transnational bribery and required companies to implement internal control programs. In response, the Treadway Commission, a private-sector initiative, was formed in 1985 to inspect, analyze and make recommendations on fraudulent corporate financial reporting.[citation needed]

The Treadway Commission studied the financial reporting system from October 1985 to September 1987 and issued a report of its findings and recommendations in October 1987, the "Report of the National Commission on Fraudulent Financial Reporting".[1] As a result of this initial report, the Committee of Sponsoring Organizations (COSO) was formed and retained Coopers & Lybrand, a major accounting firm, to study the issues and author a report on an integrated internal control framework.

In September 1992, the four-volume report entitled "Internal Control - Integrated Framework"[2] was released by COSO and later re-published with minor amendments in 1994. This report presented a common definition of internal control and provided a framework against which internal control systems may be assessed and improved. This report is one standard that U.S. companies use to assess their compliance with the FCPA. According to a survey by CFO magazine published in 2006, 82% of respondents said they used the COSO framework for internal controls. Other frameworks used by respondents included COBIT, AS2 (Auditing Standard No. 2, PCAOB) and SAS 55/78 (AICPA).[3][needs update]

Internal Control - Integrated Framework

Key concepts of the COSO framework

The COSO framework involves several key concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely about policy manuals and forms, but about people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board of directors.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Definition of internal control and framework objectives

The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Five framework components

The COSO internal control framework consists of five interrelated components derived from the way management runs a business. According to COSO, these components provide an effective framework for describing and analyzing the internal control system implemented in an organization, as required by financial regulations (see Securities Exchange Act of 1934[4]). The five components are as follows:

Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Factors in the control environment include integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition for risk assessment is the establishment of objectives; risk assessment is therefore the identification and analysis of risks relevant to the achievement of those objectives. Risk assessment is a prerequisite for determining how the risks should be managed. The four underlying principles related to risk assessment are that the organization should have clear objectives in order to be able to identify and assess the risks relating to those objectives; should determine how the risks should be managed; should consider the potential for fraudulent behavior; and should monitor changes that could impact internal controls.

Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that the necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and communication: Information systems play a key role in internal control systems, as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization, for example through formalized procedures for individuals to report suspected fraud. Effective communication with external parties, such as customers, suppliers, regulators and shareholders, on related policy positions must also be ensured.

Monitoring: Internal control systems must be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities must be reported upstream, and corrective actions must be taken to ensure continuous improvement of the system.


Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or by management override.

CFO magazine reported that companies are struggling to apply the complex model provided by COSO. "One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, these objectives apply to five key components (control environment, risk assessment, control activities, information and communication, and monitoring). Given the number of possible matrices, it is not surprising that the number of audits can get out of control."[5] CFO magazine went on to state that many organizations are creating their own risk and control matrix by taking the COSO model and modifying it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

Enterprise risk management

In 2001, COSO initiated a project and engaged PricewaterhouseCoopers to develop a framework that management could readily use to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g., Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) prompted calls for improved corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. Internal Control - Integrated Framework continues to serve as the widely accepted standard[citation needed] for meeting those reporting requirements; however, in 2004 COSO published "Enterprise Risk Management - Integrated Framework".[6] COSO believes that this framework expands on internal control, providing a more robust and extensive approach to the broader subject of enterprise risk management.

Four categories of business objectives

This enterprise risk management framework is still geared to achieving an entity's objectives; however, the framework now includes four categories:

  • Strategic: high-level goals, aligned with and supporting the entity's mission.
  • Operations: effective and efficient use of the entity's resources.
  • Reporting: reliability of reporting.
  • Compliance: compliance with applicable laws and regulations.

Eight framework components

The eight components of enterprise risk management encompass the five components of the earlier Internal Control - Integrated Framework while expanding the model to meet the growing demand for risk management:

Internal environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event identification: Internal and external events affecting the achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis.

Risk response: Management selects risk responses, avoiding, accepting, reducing or sharing risk, developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and communication: Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

COSO believes that Enterprise Risk Management - Integrated Framework provides a clearly defined interrelation between an organization's risk management components and objectives that will meet the need to comply with new laws, regulations and listing standards, and expects that it will become widely accepted by companies and other organizations and stakeholders.


COSO acknowledges in its report that, although enterprise risk management provides significant benefits, there are limitations. Enterprise risk management relies on human judgment and is therefore susceptible to flawed decision making. Human failures, such as simple errors or mistakes, can lead to inadequate risk responses. In addition, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance regarding the achievement of the entity's objectives.

Philosophically, COSO is more control-oriented. Therefore, it has a bias towards risks that could have a negative impact rather than the risk of missed opportunities. See ISO 31000.

While COSO states that its expanded model provides more extensive risk management, companies are not required to switch to the new model if they are using the Internal Control - Integrated Framework.

Internal control over financial reporting - Guidance for smaller public companies

This document contains guidance to help smaller public companies apply the concepts of the 1992 Internal Control - Integrated Framework. The publication shows the applicability of these concepts in helping smaller public companies design and implement internal controls to support the achievement of financial reporting objectives. It highlights 20 key principles of the 1992 framework, providing a principles-based approach to internal control. As explained in the publication, the 2006 guidance applies to entities of all sizes and types.[7]

Guidance on monitoring internal control systems

Companies have invested heavily in improving the quality of their internal controls; however, COSO noted that many organizations do not fully understand the importance of the monitoring component of the COSO framework and the role it plays in streamlining the assessment process. In January 2009, COSO published its "Guidance on Monitoring Internal Control Systems" to clarify the monitoring component of internal control.

Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control, because problems are identified and addressed proactively rather than reactively.

The COSO monitoring guidance is based on two fundamental principles originally established in COSO's 2006 guidance:

  • Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time, and
  • Internal control deficiencies are identified and communicated in a timely manner to the parties responsible for taking corrective action and to management and the board, as appropriate.

The monitoring guidance also suggests that these principles are best achieved through monitoring based on three broad elements:

  • Establishing a foundation for monitoring, including (a) an appropriate tone at the top; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or "baseline" of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;
  • Designing and executing monitoring procedures focused on "persuasive information" about the operation of "key controls" that address "meaningful risks" to organizational objectives; and
  • Assessing and reporting results, including evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.

Role of internal audit

Internal auditors play an important role in evaluating the effectiveness of control systems. As an independent function reporting to senior management, internal audit can evaluate the internal control systems implemented by the organization and contribute to their ongoing effectiveness. As such, internal audit often plays a significant "monitoring" role. To preserve its independence of judgment, internal audit should not take on any direct responsibility for designing, establishing or maintaining the controls it is supposed to evaluate. It can only advise on possible improvements to be made.

Role of external audit

Under Section 404 of the Sarbanes-Oxley Act, management and external auditors must report on the adequacy of the company's internal control over financial reporting. Auditing Standard No. 5, published by the Public Company Accounting Oversight Board, requires that auditors "use the same suitable, recognized control framework to perform their audit of internal control over financial reporting that management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting."[8] Section 143(3)(i) of the Indian Companies Act, 2013 also requires statutory auditors to comment on internal control over financial reporting.

Internal Control - Integrated Framework update project

In November 2010, COSO announced a project to review and update the "Internal Control - Integrated Framework" to make it more relevant in the increasingly complex business environment.[9] The five components of the framework remain the same. A new feature of the updated framework is that the internal control concepts introduced in the original framework are now codified into 17 principles explicitly listed under the five components.[10] Changes in the framework include internal controls over technology, such as e-mail and the Internet, which were not widely used when the original framework was published in 1992.[11] Together with the updated framework, COSO intends to publish the following documents:

  • Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples - developed to assist users when applying the framework to external financial reporting objectives.
  • Illustrative Tools - developed to assist users in assessing the effectiveness of a system of internal control based on the requirements set out in the updated framework.[12]

References

  1. "Report of the National Commission on Fraudulent Financial Reporting". Retrieved March 23, 2011.
  2. "Internal Control - Integrated Framework". Archived from the original on 2009-02-28. Retrieved March 23, 2011.
  3. "The Trouble with COSO", March 15, 2006. Archived 2011-06-14 at the Wayback Machine. Retrieved March 23, 2011.
  4. 17 CFR § 240.15d-15. Retrieved March 23, 2011.
  5. CFO Magazine. Retrieved March 23, 2011.
  6. "Enterprise Risk Management - Integrated Framework". Retrieved March 23, 2011.
  7. Retrieved December 28, 2012.
  8. PCAOB Auditing Standard No. 5 (AS No. 5.5). Archived from the original (PDF) on 2007-10-07. Retrieved March 23, 2011.
  9. COSO press release, November 18, 2010.
  10. COSO press release, December 19, 2011.
  11. Tysiac, Ken (March 2012). "Internal control, revisited". Journal of Accountancy. American Institute of Certified Public Accountants. 213 (3): 24–29. ISSN 0021-8448.
  12. COSO press release, September 18, 2012.
