COSO
COSO is an internal control framework defined by the Committee of Sponsoring Organizations of the Treadway Commission. It is used in particular when implementing the provisions of the Sarbanes-Oxley Act or of the LSF for companies subject, respectively, to American or French law. The initial framework, called COSO 1, has evolved since 2002 into a second corpus called COSO 2.
History
COSO is the acronym of the Committee of Sponsoring Organizations of the Treadway Commission, a non-profit commission which in 1992 established a standard definition of internal control and created a framework for evaluating its effectiveness.
In 2002, in response to the accounting scandals (Enron, …), the US Congress enacted the Sarbanes-Oxley Act (SOX). This law requires companies that raise funds from the public to evaluate their internal control and to publish their conclusions in the filings required by the SEC. By also imposing the use of a conceptual framework, the SOX Act encouraged the adoption of COSO as the reference framework. In France, the Loi de Sécurité Financière (LSF), promulgated shortly afterwards in 2003, also contributed to its spread.
COSO framework (Internal Control - Integrated Framework)
Principles
The COSO framework is based on the following basic principles:
- internal control is a process: it is a means, not an end;
- internal control depends on everyone: it is not confined to a collection of procedures but requires the involvement of everyone at every level of the organization;
- internal control must provide reasonable (but not absolute) assurance that management and governance comply with the laws;
- internal control is geared to the effective achievement of objectives.
The framework: the COSO cube
The COSO framework rests on the concepts of objectives and components.
Three objectives
The COSO framework defines internal control as a process implemented by managers at all levels of the company and intended to provide reasonable assurance as to the achievement of the following three objectives:
- the achievement and optimization of operations,
- the reliability of financial information,
- and compliance with laws and regulations.
Note that these objectives correspond mainly to the concerns of investors.
Five components
Internal control, as defined by COSO, comprises five components. These components provide a framework for describing and analyzing the internal control set up in an organization. They are:
- the control environment, which corresponds essentially to the values disseminated in the company;
- risk assessment, on the scale of the risks' importance and frequency;
- control activities, defined as the rules and procedures implemented to treat risks, COSO requiring that controls be materially evidenced;
- information and communication, which are to be optimized;
- monitoring, i.e. the “control of internal control”.
The cube
Beyond objectives and components, COSO requires distinguishing the structures of the company (companies, entities, functions, …).
The combination of the three objectives, the five components and the structures of the company, seen as three distinct axes of analysis, constitutes what is called the COSO cube.
COSO 2 - Enterprise Risk Management Framework
COSO 2, "Enterprise Risk Management Framework", is today the reference framework for risk management. This chapter aims to summarize it, drawing in particular on the concepts developed in COSO 1, "Internal Control - Integrated Framework".
Positioning of COSO 2 relative to COSO 1
As a reminder, COSO 1 proposes a reference framework for the management of internal control. Internal control is a process implemented by the board of directors, management and the personnel of an organization, intended to provide reasonable assurance as to the achievement of the following objectives:
- the achievement and optimization of operations,
- the reliability of financial information,
- compliance with the laws and regulations in force.
COSO 2 proposes a reference framework for the risk management of the company (Enterprise Risk Management Framework). Enterprise risk management is a process implemented by the board of directors, management and the personnel of an organization, applied in strategy setting and across the whole company, intended:
- to identify potential events that may affect the organization,
- to manage risks so that they remain within the limits of the organization's “Risk Appetite” (see below),
- to provide reasonable assurance as to the achievement of the organization's objectives.
COSO 2 thus includes the elements of COSO 1 through its third point and supplements them with the concept of risk management. COSO 2 is based on a risk-oriented view of the company.
A new concept: “Risk Appetite”
The concept of “Risk Appetite” is new in COSO 2. “Risk Appetite” is the level of risk-taking accepted by the organization with the aim of increasing its value. Different strategies will expose the organization to different risks. Consequently, “Risk Appetite” must be taken into account when defining the organization's strategy, in order to ensure that the results of this strategy are consistent with the “Risk Appetite” defined for the organization.
Summary of the modifications made to the COSO cube
The cube model and its three-plane architecture are preserved:
- Levels of the organization
- Elements of internal control (which become elements of risk management)
- Objectives of the organization
1. Axis "Levels of the organization"
- Introduction of a stricter framework for decomposing the structure of an organization.
- Emphasis on the need to take the whole of the organization into account for COSO 2 to be applied successfully.
2. Axis "Objectives"
- Introduction of a new objective: “strategic”.
- Broadening of the concept of reporting: this concept now covers not only financial reporting but also non-financial reporting. Moreover, it now covers both external and internal reporting.
3. Axis "Elements of control"
Enrichment of the “elements of control” axis, which becomes “elements of risk management” and grows from five to eight categories:
- the internal environment element is supplemented with the concept of “Risk Appetite”,
- the risk evaluation element is split into four elements whose concepts already existed in COSO 1 but in less detailed form: definition of objectives, identification of events, evaluation of risks, response to risks,
- the control activities element remains unchanged,
- the information and communication element is supplemented with the concepts of timing and granularity of information,
- the monitoring element remains unchanged.
Modifications made to the “Levels of the organization” axis
COSO 2 applies to the whole of the company, both at the highest level (“entity”) and at the operational level (“business units”). But to apply COSO 2 successfully, the whole perimeter of an organization's activities must be taken into account. COSO 2 considers activities at various levels of the organization:
- At the level of the organization (“entity”), for activities such as strategic planning or resource allocation,
- At the level of the business units, for activities such as marketing and human resources,
- At the level of the business processes, for activities such as production and purchasing,
- And also at the level of projects or initiatives which do not yet have a defined place in the structure of the organization.
Compared to COSO 1, COSO 2 brings:
- a stricter framework for decomposing the structure of an organization, by level, whereas COSO 1 retains no specific decomposition structure for an organization. This decomposition is useful for the risk portfolio view (see below) set out by COSO 2;
- the need to take the whole of the organization into account in order to be applied successfully.
Concept of risk portfolio (“Portfolio”)
The organization is asked to have a view of its risks in the form of a portfolio. This portfolio must characterize the risks at each level of the organization. Compiling the portfolio thus makes it possible to have a comprehensive view of the organization's risks. This view can then be compared with the “Risk Appetite” defined for the organization.
Moreover, compiling the risk portfolio allows management:
- to highlight risks which can be tolerated at the level of one unit but which, added together, would no longer be within the limits of the “Risk Appetite” defined for the organization;
- to apprehend potential events (at the global level) rather than risks, and thus to better understand how risks interact at the level of the organization. For example, a fall in interest rates could positively affect the cost of capital but negatively affect interest income.
Modifications made to the “Objectives of the organization” axis
Introduction of a new objective: “strategic”.
A strategic objective is a “high-level” objective which supports and contributes to the mission/vision of the organization. Strategic objectives reflect management's choices regarding the pursuit of value creation by the organization for its shareholders.
Three other types of objectives, operational, reporting and compliance, depend on the strategic objectives. They are called “related” objectives. For example, for an organization, this will mean defining:
- what its mission/vision is,
- what the strategic objectives supporting this mission/vision are,
- what strategy is to be implemented to achieve these strategic objectives,
- and deducing from these the “related” objectives which support the strategy implemented.
Unlike COSO 1, implementing COSO 2 therefore requires a view of the company's strategic objectives in addition to the “related” objectives.
Broadening of the concept of reporting
Compared to COSO 1, this concept now covers:
- not only financial reporting but also non-financial reporting,
- not only external reporting but also internal reporting.
Modifications made to the “Elements” axis
The “elements of control” axis, which becomes “elements of risk management”, was slightly modified and above all enriched:
- the control environment element is supplemented with the concept of “Risk Appetite”,
- the risk evaluation element is split into four elements whose concepts already existed in COSO 1 but in less detailed form: definition of objectives, identification of events, evaluation of risks, response to risks,
- the control activities element remains unchanged,
- the information and communication element is supplemented with the concepts of timing and granularity of information,
- the monitoring element remains unchanged.
* This concept of a block of “risk elements” is not present in COSO 2. It is proposed here to the reader for teaching purposes.
Remark:
Note that the pyramid which schematized the “elements of internal control” part disappears in COSO 2.
Internal environment
The internal environment element takes up the notions of the control environment element of COSO 1: importance of individuals (competence, ethics), management style, delegation of responsibilities, …
On the other hand, this new element is enriched by a new concept, that of Risk Appetite, i.e. the risk-taking accepted by the company with the aim of increasing its value. This “Risk Appetite” then makes it possible to determine the level of risk tolerance at the various levels of the organization. This concept is necessary and precedes the definition of the company's strategy.
The “Risk elements” block
Compared to COSO 1, the various components of this block are detailed and set a more precise framework:
- for the identification of potential events (past trends, events),
- for the evaluation of risks (inherent risk, residual risk),
- for the responses to risks (categorization of the types of response).
This block comprises the following five elements:
- Definition of objectives
- Identification of events
- Evaluation of risks
- Responses to risks
- Control activities
Management must first of all set objectives (1), independently of the events likely to disturb them. These objectives are of four types: strategic, operational, reporting-related and regulatory compliance.
Then, for each of its objectives, management determines the events (2) likely to have impacts, whether positive or negative. Events with negative impacts represent risks; those with positive impacts represent opportunities. The identification of potential events relies on a combination of methods: trends, triggering events, correlation with past events.
One then moves on to an evaluation of the risks (3) for the negative events. This evaluation must determine the probability that the event occurs and the impacts then generated. This evaluation of risks must first present the inherent risk, i.e. the risk which exists if management puts no corrective action in place. Secondly, once the response to the risk has been treated, it will be possible to determine a residual risk (a single loop of an iterative process). It is suggested to use a coherent system of measurement units between the measurement in the “Definition of objectives” and the evaluation of risks.
Once the risk has been evaluated, the various possible counter-measures must be defined. This is the response to the risk (4). Several options are sometimes possible, and they must then be clarified. These responses can be classified in the following four categories: avoidance, reduction, sharing or acceptance of the risk. While the method of formalization (options, classification) is included in the perimeter of COSO 2, the choice of the solution is not part of it. Once the response to the risk is defined, the organization can make sure that the residual risk corresponds to its risk tolerance (3).
Control activities (5) must then be set up; they take concrete form as standards (“what must be done”) and are broken down into procedures (“how to do it”).
Information and communication
Compared to COSO 1, COSO 2 brings the following concepts:
- the need to consider that information results from past, present and future events. This view must in particular allow:
  - a comparison of the organization's performance (past, and potential future) and the identification of developments and trends in the organization's activity,
  - assistance in detecting potential future events which affect the organization's current risk profile, this risk profile having to remain close to the “Risk Appetite”.
- the need to make sure that the granularity of information (level of detail and periodicity) is sufficient to identify, analyze and respond to risks, and thus to remain within the limits of its “Risk Appetite”.
Moreover, COSO 2 insists on the concept of presentation of the information to be communicated, i.e. information must be communicated in a form suited to the recipient.
Monitoring
No addition to the “Monitoring” element.
Roles and responsibilities
COSO 2 stresses the importance of the assumption of responsibility in a company and details what it covers for each actor. Strong analogies with the Sarbanes-Oxley Act are found in this part.
Compared to COSO 1, COSO 2 makes some modifications to the roles of the participants:
- a new role appears: the “Risk Officer”,
- the role of the board of directors is broader than in COSO 1.
Responsible actors (“Responsible parties”)
The “Board of directors”
The board of directors closely supervises risk management:
- It knows the effective perimeter of risk management coverage set up by the organization's management,
- It knows and agrees with the organization's “Risk Appetite”,
- It reviews the risk portfolio and compares it with the “Risk Appetite”,
- It is informed of the most significant risks and of the relevance of the assumption of responsibility for these risks.
“Risk Officer”
The Risk Officer is the facilitator of the implementation of COSO 2. He works with the other persons in charge in order to help them set up effective risk management for their perimeter of responsibility. Without being exhaustive, his duties could be:
- development of risk management procedures (including roles and responsibilities),
- development of a common risk management language (standardization of probability and impact measurements, risk categories, …),
- support for managers in developing their responses to risks (direct assistance, training, …),
- supervision of managers in developing risk tolerances,
- support for managers in establishing control activities,
- supervision of the risk management reporting process.
Internal auditors
As in COSO 1, they do not have primary responsibility for implementing COSO 2. On the other hand, they have a paramount role in evaluating the risk management system.
External auditors
They work at the “entity” level. They give an opinion on the preparation of the financial statements and not on the internal control / risk management system.