Implementation of the COSO internal control framework requires assessing its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles against the organization’s current internal control system, and making adjustments accordingly.
Failing to enforce the COSO framework principles can result in violations of the federal Sarbanes-Oxley Act’s (SOX) requirements. Auditors evaluating an organization’s internal control over financial reporting (ICFR) will judge against this standard: When even one of the 17 principles doesn’t function properly, a “major deficiency” is deemed to exist—a “material weakness” under SOX Section 404. The 17 principles of internal control can serve as a handy checklist for enterprises to use to evaluate and strengthen their internal control system—but first, there is groundwork to be laid. To successfully apply COSO’s internal control or enterprise risk management (ERM) framework requires a methodical, step-by-step approach. To help, we’re providing this roadmap that includes implementation challenges and leading practices.
Implementing the COSO Framework in Five Phases:
PHASE 1: PLAN AND SCOPE - Appoint an implementation team. Here’s how it works: The board delegates implementation authority to a committee such as an audit and compliance committee. Managers assign oversight to a management function in the organization such as internal control or ERM. The team may include accounting managers and staff as well as people with a thorough knowledge of how work gets done in the organization. Develop an implementation plan that includes timing, resources needed, and roles and responsibilities of implementation team members. Determine the scope of the framework’s implementation: Which activities will it measure, and over what period of time? At this point the implementation team will also evaluate the five components of the COSO internal control framework to understand how the enterprise’s internal control system is designed and how well it functions. In this phase, the implementation team should also meet with the external auditors who will be assessing the organization’s COSO compliance. The team needs to understand what the auditors’ roles will be, avoid redundant work, and communicate the plan to the board and managers.
PHASE 2: ASSESS AND DOCUMENT - In this phase, the implementation team assesses the organization’s control structure. Are its systems centralized or decentralized? How are entity-level controls structured? Is there a formal ERM process, with documented risk management activities? If so, the documents should be helpful in analyzing where the organization meets COSO framework guidelines and where it falls short. If there is no coordinated approach to ERM, COSO implementation may require more time and effort. Other activities during this phase include:
- Assessing fraud risk. The COSO internal control framework emphasizes the importance of considering the potential for fraud when assessing the risks to achieving objectives.
- Documenting existing processes and controls. Once managers have identified which processes are relevant to the framework’s control activities, the implementation team can study and document each of them. Doing so allows them to identify which internal controls apply to each process, and where gaps exist. This step may involve interviews with key personnel.
- Performing gap assessments. This entails comparing the COSO internal control framework’s components and principles to practices in the organization. COSO’s publication Illustrative Tools for Assessing Effectiveness of a System of Internal Control can be helpful.
PHASE 3: REMEDIATE - Now that gap assessments are drawn up, it’s time to remediate those gaps.
- Make a remediation plan. Prioritize the control deficiencies that pose the most serious vulnerabilities, and move down the list to the least serious. Include milestones and a schedule for completion.
- Implement your remediation plan.
PHASE 4: DESIGN, TEST, AND REPORT
- Classify controls as critical or non-critical.
- Design procedures for testing each critical control. Each test should take into consideration the risk to be mitigated and the control description; both are equally important to determining a control’s effectiveness. Choose a method of testing for each control. Common methods include:
  - Inquiring: Asking control owners to explain how their controls work
  - Observing: Observing the control in action
  - Examining: Studying all the transactions and documentation associated with a control’s functioning
  - Analyzing: Using data analytics tools to gain insights into controls’ design and operations
- Test controls, reporting to management on progress and obstacles.
PHASE 5: OPTIMIZE INTERNAL CONTROLS’ EFFECTIVENESS - How do identified risks and controls mesh with your enterprise’s goals, plans, and strategies? The COSO internal control framework can help you align or realign goals and controls. When developing or redesigning controls, consider:
- The type of control activity, such as reconciliation, verification, supervisory controls, and physical controls.
- Whether controls are preventive, detective (operating after a process has begun but before it has concluded), or corrective.
- Whether controls are automated, partially automated (automation enabled or assisted by people), or manual.
Once controls are in place, monitoring is key to ensuring that they remain effective. Continuous monitoring with software is preferable to manual monitoring. Should a control fail, study the incident carefully to determine its cause for the most effective remediation.