Question

Committee of Sponsoring Organizations

What is the Committee on Sponsoring Organizations (COSO)?

What are the five components which the organization outlines for an entity to use to achieve the organization’s objectives?

Please define each of the five components with a minimum of one sentence.

Answer 1

What is the Committee on Sponsoring Organizations (COSO)?

COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations ​headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI)​, The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission included representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

What are the five components which the organization outlines for an entity to use to achieve the organization’s objectives?

The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations” .

In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.

1. Control Environment

• Integrity and Ethical Values.
• Commitment to Competence.
• Board of Directors and Audit Committee.
• Management’s Philosophy and Operating Style.
• Organizational Structure.
• Assignment of Authority and Responsibility.
• Human Resource Policies and Procedures.

2. Risk Assessment

• Company-wide Objectives.
• Process-level Objectives.
• Risk Identification and Analysis.
• Managing Change.

3. Control Activities

• Policies and Procedures.
• Security Application and Network .
• Application Change Management.
• Business Continuity/Backups.
• Outsourcing.

4. Information and Communication

• Quality of Information.
• Effectiveness of Communication.

5. Monitoring

• Ongoing Monitoring.
• Separate Evaluations.
• Reporting Deficiencies.

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously and problems are addressed timely.