Intro
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework for internal business controls helps organizations ensure that their financial statements are accurate, their assets and stakeholders are protected from fraud, and their operations are running efficiently and effectively. Its guidance encompasses the entire organization, from auditing to IT.
COSO also helps organizations comply with laws and regulations enacted over the years, including the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002 to protect public companies and their stakeholders from accounting errors and fraud, and the Foreign Corrupt Practices Act (FCPA). For compliance with SOX and FCPA, COSO is the definitive tool.
Although COSO is the United States’ most widely used framework for internal controls, compliance can be challenging and expensive. But it’s not as costly or difficult as recovering from fraud, theft, reputational loss, or legal penalties. (COSO compliance is voluntary, but SOX and FCPA compliance are not.)
To simplify your COSO journey, we’ve compiled an exhaustive trove of information for your use. Read this guide, or skip to the sections most relevant to your enterprise. Along the way, you’ll find links to take you more deeply into any topic. Click away and become an expert in all things COSO.
What Is the COSO Framework?
Fraud deterrence was the main impetus behind forming the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its 1992 framework for internal control: Internal Control—Integrated Framework.
Known as the COSO framework, this document provided the first standard definition of “internal control” and a system that organizations could use to assess the effectiveness of their internal controls.
COSO defines “internal control” as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Unpacking this definition reveals five concepts regarding internal controls.
- Establishing them is a process, not a destination.
- They help organizations to achieve objectives—operational, reporting, and compliance.
- People put them into effect.
- They can provide “reasonable assurance,” but not absolute assurance, to senior management and the board regarding:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
- They can be adapted to the “entity” structure, applied entity-wide, or to one or more subsidiaries, divisions, operating units, or business processes.
The COSO Framework: A Short History
The Committee of Sponsoring Organizations, or COSO, was initially organized in 1985 to sponsor the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).
As its name implies, the NCFR was formed to study why and how fraudulent financial reporting at organizations occurs and to recommend ways to reduce it. The NCFR’s 1987 report focused on internal financial controls, highlighting this crucial topic for perhaps the first time. It also pointed out that there was no standard definition of “internal control” and began a project to create one. The COSO internal control framework, published in 1992, was the result.
Twenty years would pass before an update to the COSO framework. Increased business complexity, globalization, and the ascendant role of IT in business operations were among the factors inspiring the update, released in May 2013.
COSO’s Main Elements
COSO’s five key components of internal control (described in more detail in the next section) are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Each component includes principles—17 principles in all—with supporting “points of focus” to help design, implement, conduct, monitor, and assess internal control processes.
COSO has also published other documents to improve internal control management:
- Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples—to help users apply the framework to external financial reporting objectives
- Illustrative Tools—to help users assess the effectiveness of a system of internal control based on requirements listed in the updated framework
In 2004 the organization issued a second framework, Enterprise Risk Management—Integrated Framework, which was updated in 2017.
What Are the Five Components of the COSO Framework?
COSO defines five risk management components, which are what an organization needs to achieve its objectives, each with corresponding principles:
1. Control environment
- Commitment to integrity and ethical values
- Independent Board of Directors’ oversight
- Structures, reporting lines, authorities, and responsibilities
- Attract, develop, and retain competent people
- People held accountable for internal control responsibilities
2. Risk assessment
- Clear objectives specified
- Risks identified to achievement of objectives
- Potential for fraud considered
- Significant changes identified and assessed
3. Control activities
- Control activities selected and developed
- General controls over technology selected and developed
- Control activities deployed through policies and procedures
4. Information and communication
- Quality information obtained, generated and used
- Internal control information internally communicated
- Internal information externally communicated
5. Monitoring activities
- Ongoing or separate evaluations are conducted
- Internal control deficiencies evaluated and communicated
The five components form one face of the “COSO cube,” a three-dimensional framework that defines internal control from varying perspectives. A second face lists the three categories of objectives:
- Operations controls
- Reporting controls
- Compliance controls
These objectives are described in greater detail later in this post.
The third face represents an organization’s structure: units, divisions, or processes, each of which may or may not be affected by a particular internal control:
- Business unit activities
- Division and function controls
- Business entity-level controls
Benefits of using the COSO framework
The COSO framework offers several key benefits for organizations implementing it:
- Provides a common language for internal control concepts across the organization, facilitating communication and coordination.
- Helps design, implement, and evaluate internal controls more effectively, with principles and points of focus guiding the process.
- Clarifies organizational structure, reporting lines, authorities, and responsibilities, which supports accountability.
- Identifies and analyzes risks to achieving objectives, enabling risk management.
- Considers fraud potential when assessing risks, aiding prevention.
COSO Framework Limitations
While useful, the COSO framework has some limitations:
- Principles-based guidance, not prescriptive requirements. Implementation takes effort and judgment.
- Subjectivity in assessing effectiveness can lead to inconsistent application.
- Focus on financial reporting objectives may result in overlooking operational and compliance risks.
- More technical guidance on control methods for specific activities like IT security is needed.
- Ongoing monitoring and updating for changes adds to the administrative workload.
Overall, the COSO frameworks are excellent tools and have assisted organizations in establishing a solid and efficient system of internal controls and fraud protection policies and procedures over the years.
Probably one of the biggest limitations in any ERM framework doesn’t lie within the concepts of the framework itself, but in an area that’s often the most difficult to entirely control—the human factor. COSO admits that even with a well-designed internal control system, internal auditors cannot always uncover risks of human error, poor judgment, management overrides, or employees colluding to circumvent internal control.
To avoid the pitfalls inherent in any framework, more organizations are replacing manual processes with automated systems. Not only does this address many of the limitations of COSO frameworks, but also makes it easier to reduce risk to lower levels and mitigate internal control deficiencies.
What Are the 3 Types of Internal Controls for COSO?
When it was published in 1992, the COSO internal control framework established for the first time a standard, common definition of effective “internal control.” This definition refers to three types of risk management “objectives,” which is what a business hopes to achieve:
Operations Objectives
These concern the effectiveness and efficiency of entity operations, including operational and financial performance goals and safeguarding assets against loss.
Reporting Objectives
These concern internal and external reporting, financial and non-financial. The related controls may address reliability, timeliness, transparency, or other concepts set forth by regulators or the organization’s policies.
Compliance Objectives
These concern conformance to relevant laws and regulations.
These objectives form one face of the three-sided COSO “cube,” a three-dimensional model illustrating internal control from various perspectives. The other two dimensions depict “components,” what the entity needs to achieve its objectives, and the organizational structure.
Ten years after the publication of the original COSO framework, in 2002, Congress enacted the Sarbanes-Oxley Act (SOX), which requires that U.S. publicly listed companies report on the effectiveness of their internal control over financial reporting (ICFR) using a suitable framework. Many companies use COSO’s Internal Control—Integrated Framework to guide SOX compliance. They may use the document’s appendix, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, for templates and scenarios to apply when implementing the COSO framework.
What are the COSO Coverage Areas?
One of the three sides of the “COSO cube,” a three-dimensional illustration of how the COSO internal control framework may be applied, lists the areas of an entity in which COSO might be used to achieve operational, financial, and compliance objectives:
ENTITY LEVEL
DIVISION
OPERATING UNIT
FUNCTION
These four coverage area criteria correlate to the top-down structure of a typical organization. They establish that the COSO framework can be used to gauge the effectiveness of controls for an enterprise as a whole or at the division, operating unit, or function level—and that control activities should take place at all these levels.
The higher the level, the more abstract its relation to financial reporting activities. Entity-level controls often have an indirect relationship to financial statements and can be harder to quantify than more direct process-level controls. Entity-level controls also vary according to an organization’s complexity and risk profile and must be evaluated qualitatively instead of quantitatively.
Relationship of ERM and Internal Controls
Adequate internal controls are essential to Enterprise Risk Management (ERM). ERM helps an organization manage risk at every level, from strategy-setting through review and revision, and uses internal controls to achieve four types of risk-management objectives:
- Strategic
- Operations
- Financial reporting
- Compliance
Recognizing the importance of ERM and internal control to successful enterprise governance and management, COSO has published an ERM framework as well as an internal control framework:
- COSO Internal Control—Integrated Framework (updated 2013)
- COSO Enterprise Risk Management—Integrating with Strategy and Performance (updated 2017)
The COSO ERM framework defines enterprise risk management as:
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
According to COSO, the COSO ERM framework is a strategic guide to meeting business objectives, while the COSO internal control framework is a tactical guide.
Although they differ in the key components they list, the two frameworks are complementary and intended to be applied in tandem.
The internal control framework lists five critical components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The ERM framework lists five core business activities essential to sound risk management:
- Governance and culture, including the formulating of mission and vision statements, board oversight, and executive management functions
- Strategy and objective setting, in which executives and, possibly, the board, define organizational risk appetite and create a high-level plan for achieving corporate goals
- Performance, in which risks are identified, assessed, and prioritized, and responses to risk implemented
- Review and revision, which involves assessing performance and striving for continual improvement
- Information, communication, and reporting, including the use of information technology
Components in the internal control framework correspond to those listed in the ERM framework. ERM and internal control go hand-in-hand; internal control is essential to ERM. One supports the other: having solid internal controls enables managers to focus on operations and business objectives, knowing that the organization has a robust risk management program and complies with applicable laws, regulations, and standards.
Internal Control-Integrated Framework (2013)
The new internal control framework fills in some of the 1992 framework’s gaps.
The addition of 17 principles, describing how to incorporate the five components into an effective internal control model, transformed the COSO framework into a blueprint for developing new internal controls. The new framework also incorporated internal controls for IT systems.
A huge leap in corporate governance and risk management, the new version still contains limitations.
The 2013 Framework postulates that to be effective, an internal control system must have all five components and 17 principles “present” and “functioning” and “operating together.” What it doesn’t address is the possibility that, due to size, country of operation, or industry of the business, certain principles may not apply.
In this case, according to the COSO Framework, a business has “major deficiencies” within the internal control system.
The limitation of the COSO framework in this instance is that it doesn’t offer guidance on how to adjust accordingly.
The New COSO ERM Framework (2017)
According to COSO’s FAQ publication regarding the new framework: “it provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy, enhances the alignment between organizational performance and enterprise risk management, and accommodates expectations for governance and oversight.”
Industry leaders and boards of directors alike agree the new standards offer dramatic improvement in the areas of risk tolerance, risk appetite, and risk response. It’s also acknowledged that the 2017 Framework does a much better job of incorporating risk assessment, objective setting, corporate governance, and reporting objectives across all aspects of the organizational structure, rather than handling those items separately in a silo-based approach.
A noticeable inadequacy of the new risk management framework is a lack of discussion of risks arising from external parties or external events.
COSO also offers guidance on using both frameworks together in its 2014 paper, Improving Organizational Performance and Governance: How the COSO Frameworks Can Help.
COSO Guidance for Health Care Providers
The COSO Internal Control-Integrated Framework: An Implementation Guide for the Healthcare Provider Industry was published in 2013 by the Committee of Sponsoring Organizations (COSO) in collaboration with professional services firm Crowe and CommonSpirit Health.
The guide is meant to help healthcare businesses navigate the enormously complicated world of U.S. healthcare. It addresses subjects such as access control, system integrity, clinical documentation, coding, and billing procedures, all to help healthcare businesses comply with the Affordable Care Act of 2010 and to protect patient data now that electronic health records (EHR) have become the norm. COSO’s guidance provides an outline and best practices for meeting those standards.
“Healthcare organizations experience issues with system access, system integrity, clinical documentation, coding, and billing; all of which may result in potential non-compliance with federal and state regulations—and costly mistakes,” the guide’s executive summary states.
To meet those compliance obligations, the guide says, healthcare organizations “must review their control environment to confirm proper controls are in place to ensure effective and efficient operations, proper financial reporting, and compliance; and that their control environment supports the attainment of the organization’s mission and strategy; and COSO provides the direction to do this.”
How to Implement the COSO Framework
Implementing the COSO internal control framework requires assessing its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles against the organization’s current internal control system and adjusting accordingly.
Failing to enforce the COSO framework principles can violate the federal Sarbanes-Oxley Act’s (SOX) requirements. Auditors evaluating an organization’s ICFR will judge against this standard: When even one of the 17 principles doesn’t function properly, a “major deficiency” is deemed to exist—a “material weakness” under SOX Section 404.
The 17 internal control principles can serve as a handy checklist for enterprises to use to evaluate and strengthen their internal control system—but first, there is the groundwork to be laid. Applying COSO’s internal control or enterprise risk management (ERM) framework requires a systematic, step-by-step approach. To help, we’re providing this roadmap that includes implementation challenges and leading practices.
Implementing the COSO Framework in Five Phases
PHASE 1: PLAN AND SCOPE
Appoint an implementation team. Here’s how it works: The board delegates implementation authority to a committee such as an audit and compliance committee. Managers assign oversight to a management function in the organization, such as internal control or ERM. The team may include accounting managers, staff, and people with a thorough knowledge of how work gets done in the organization.
Develop an implementation plan that includes timing, resources needed, and roles and responsibilities of implementation team members. Determine the scope of the framework’s implementation: Which activities will it measure, and over what period?
At this point, the implementation team will also evaluate the five components of the COSO internal control framework to understand how the enterprise’s internal control system is designed and how well it functions.
In this phase, the implementation team should also meet with the external auditors who will be assessing the organization’s COSO compliance. They must learn their roles, avoid redundancies, and communicate the plan to the board and managers.
PHASE 2: ASSESS AND DOCUMENT
In this phase, the implementation team assesses the organization’s control structure. Are its systems centralized or decentralized? How are entity-level controls structured? Is there a formal ERM process with documented risk management activities? If so, the documents should help analyze where the organization meets COSO framework guidelines and where it falls short. If there is no coordinated approach to ERM, COSO implementation may require more time and effort.
Other activities during this phase include:
- Assess fraud risk. The COSO internal control framework emphasizes the importance of considering the potential for fraud when evaluating the risks to achieving objectives.
- Document existing processes and controls. Once managers have identified which processes are relevant to the framework’s control activities, the implementation team can study and record each. Doing so allows them to identify which internal controls apply to each process and where gaps exist. This step may involve interviews with key personnel.
- Perform gap assessments. This entails comparing the COSO internal control framework’s components and principles to practices in the organization. COSO’s publication Illustrative Tools for Assessing Effectiveness of a System of Internal Control can be helpful.
PHASE 3: REMEDIATE
Now that gap assessments are drawn up, it’s time to remediate those gaps.
- Make a remediation plan. Prioritize the control deficiencies that pose the most severe vulnerabilities and move down the list to the least serious. Include milestones and a schedule for completion.
- Implement your remediation plan.
PHASE 4: DESIGN, TEST, AND REPORT
- Classify controls as critical or non-critical
- Design procedures for testing each critical control. Each test should consider the risk to be mitigated and the control description—both are equally important to determining a control’s effectiveness. Choose a method of testing for each control. Common methods include:
  - Inquiring: Asking control owners to explain how their controls work
  - Observing: Observing the control in action
  - Examining: Studying all the transactions and documentation associated with a control’s functioning
  - Analyzing: Using data analytics tools to gain insights into controls’ design and operations
- Test controls, reporting to management on progress and obstacles.
PHASE 5: OPTIMIZE INTERNAL CONTROLS’ EFFECTIVENESS
How do identified risks and controls mesh with your enterprise’s goals, plans, and strategies? The COSO internal control framework can help you align or realign goals and controls. When developing or redesigning controls, consider the following:
- Control activities such as reconciliation, verification, supervisory, and physical controls
- Whether controls are preventive, detective (operating after a process has begun but before it has concluded), or corrective
- Whether controls are automated, partially automated (automation enabled or assisted by people) or manual
Once controls are in place, monitoring is critical to ensuring they remain effective. Continuous monitoring with software is preferable to manual tracking. Should a control fail, study the incident carefully to determine its cause for the most effective remediation.
COSO Guidance on Cloud Computing Issues
The information in this section first appeared on radicalcompliance.com August 4th, 2021.
COSO released another guidance document last week, this one talking about how to apply COSO’s enterprise risk management framework for issues in cloud computing. Considering that just about every business under the sun is migrating to the cloud, and that the compliance risks within such migration can be considerable, let’s take a look at what COSO had to say.
The guidance was published last week — 44 pages long, free to all, and like most COSO risk management guidance we’ve seen lately, written in clear, non-technical language that any compliance, audit, or risk professional can understand.
This piece also follows the same pattern we’ve seen in prior COSO risk management guidance. It introduces the ERM framework overall (20 principles in all), and then explores how each principle can be tailored for the subject at hand. In this case the subject is cloud computing, but prior pieces of COSO guidance addressed ethics and compliance, cybersecurity, ESG issues, and other topics.
First, why is such guidance important at all? Because cloud computing has come to be a central IT strategy for most businesses today. From an operations perspective, that makes sense; cloud-based services are cheap and easy to install, and the vendors themselves are probably better at whatever business process you’re outsourcing than you are.
That said, the cloud also poses new risks for privacy, security, and compliance; plus risks around operational resilience if you outsource critical functions to a dud vendor that can’t deliver. So corporate boards, CISOs, audit executives, and compliance officers all have great need to understand what “migrating to the cloud” really means. This COSO guidance unpacks lots of those issues.
Examples of Cloud-Related Issues
One good example comes near the beginning of the guidance. One principle in COSO’s enterprise risk management framework, relating to proper governance and oversight, is “establishes operating structures.” That’s what senior leaders in an organization are supposed to do: establish operating structures so the business can achieve its objectives.
So how does that principle apply when the company is trying to embrace cloud computing?
Well, senior management might need to imagine new roles or responsibilities for various executives as the company moves away from on-premises technology and toward the cloud. For example, vendor risk management would become much more important, since the cloud-based vendors you use would pose more risks (both in absolute number of risks, and in each risk’s severity). Would you therefore redefine the CISO’s role to include vendor risk management — or the privacy officer’s role, or the IT manager’s role? Or would you create some entirely new “chief vendor risk officer” sort of role?
There’s no single correct answer to those questions. The point is that the board and senior management should think their way through such questions before making a large migration to the cloud. That’s what “establishing proper operating structures” means in this context.
Another good example comes from two other principles in the COSO risk management framework, “evaluates alternative strategies” and “formulates business objectives.”
A company can embrace any of several cloud models: public, private, even hybrid clouds. Each one carries different benefits and risks. The public cloud, for example, can be quite cheap; but your privacy risks and need for privacy assurance go up considerably. A hybrid system would be more expensive, but still leave you with more direct control over your data, and therefore over your privacy and compliance risks.
Which one is best? That depends. Your business could make a strategic decision to collect less personally identifiable information, meaning your privacy risks would decline and you could use cheap, public cloud systems more freely. Or maybe collecting all that PII is important enough that you want to keep collecting it, even if that means you spend more time and money to manage privacy and compliance risks among your cloud-based vendors.
Again, however, the point is that migrating to the cloud raises these new questions — questions about strategy, governance, performance, and so forth, that senior leaders previously didn’t need to consider. This COSO guidance is a good framing mechanism to understand the questions you should be pondering, to assure that you embrace this technology wisely.
And since it’s so informative, here’s a chart from COSO explaining the roles and responsibilities that exist under various cloud-computing models.
What Are The Differences Between COBIT and COSO?
Developed by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, comprising five private-sector organizations, the COSO Internal Control—Integrated Framework focuses primarily on an enterprise’s internal control system and financial reporting processes, with fraud prevention in mind.
COBIT, or Control Objectives for Information and Related Technologies, is supported by ISACA, an international professional organization focused on IT governance. The COBIT framework helps with the quality, control, and reliability of an organization’s information systems and facilitates best practices in risk management as associated with IT processes.
Both frameworks list three objectives and five components needed to achieve those objectives in their respective areas (financial controls and IT controls).
The COSO internal control framework’s objectives:
- Operations
- Financial reporting
- Compliance
Its components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
COBIT 5’s main objectives:
- Benefits realization
- Risk optimization
- Resource optimization
Its “five principles”:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating corporate governance from management
In other words, COSO governs internal control, which it defines as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
COBIT 5 enables the governing and management of IT holistically throughout the enterprise. It encompasses the entire end-to-end business and IT functional areas of responsibility and considers the IT-related interests of internal and external stakeholders.
Although their focus differs, the two complementary frameworks can be applied in tandem. Doing so is recommended to maximize risk management and controls throughout the organization.
Both frameworks can effectively achieve compliance with the Sarbanes-Oxley Act (SOX), a federal law intended to prevent accounting errors and fraud in public companies.
For most entities, the COSO framework and SOX compliance go hand-in-hand. Because COSO focuses on financial controls and fraud prevention, it dovetails nicely with SOX, and COSO framework compliance guarantees SOX compliance.
Enacted in 2002, SOX does not spell out compliance requirements for IT; however, many enterprises use COBIT to help ensure that their IT systems and processes comply with the law’s requirements.
The two complement each other in another way: COSO is more theoretical, establishing the guiding principles for organizations to use for building risk tolerance and reducing fraud, while COBIT 5 is more practical, offering concrete suggestions for how to create controls related to IT.
How Do COSO Audits Work?
Because COSO’s Internal Control—Integrated Framework is a framework, not a regulation or requirement, a COSO audit, by definition, doesn’t exist.
However, the COSO framework is beneficial for compliance with SOX, which federal law requires for all publicly traded companies. The U.S. Securities and Exchange Commission watches financial reporting closely and, since SOX’s passage in 2002, demands that those reports be transparent, accurate, and verified by an independent auditor. Noncompliance could cost your organization tens of millions in fines and send your CFO to prison for 20 years.
SOX is highly complex. Each of its 11 sections delivers a different mandate, covering oversight, auditor independence, corporate responsibility, financial statements, annual reports, and more. The regulation is intended to secure public companies, stakeholders, and customers against financial fraud, which is why most organizations audit their SOX compliance using the COSO framework.
COSO was designed to help manage financial risk and improve internal control. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was initially organized to sponsor the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).
The Treadway Commission devised the Internal Control—Integrated Framework to help businesses comply with SOX Section 404: Management Assessment of Internal Controls, the regulation’s most complex, demanding, and expensive section. Essentially, COSO helps entities strengthen their internal control system to protect their data, especially financial information, from tampering.
Another result of SOX was the formation of the Public Company Accounting Oversight Board (PCAOB), an independent body that regulates external audit firms and establishes auditing standards for external auditors. Its Auditing Standard No. 5 (AS5, since recodified as AS 2201) governs the audit of internal control over financial reporting that Section 404 requires. The SOX sections most relevant to internal control and reporting include:
- Section 302, establishing management's responsibility for financial reports
- Section 401, requiring enhanced financial reporting disclosures
- Section 404, setting the rules for assessing internal controls
- Section 409, requiring prompt disclosure of material changes in financial condition or operations
- Section 802, setting penalties for altering or destroying documents
- Section 806, protecting whistleblowers
Preparing for your COSO audit
Thorough preparation is key for a successful COSO audit. Here are some tips:
- Review framework components and principles and compare them to internal controls.
- Identify gaps where controls fall short of principles. Develop remediation plans.
- Document key processes and controls, detailing how they address COSO.
- Collect evidence that controls are functioning.
- Interview personnel to ensure they understand control responsibilities.
- Perform trial audits, test controls and processes, and remediate any failures.
- Coordinate with the external auditor to avoid redundancies.
- Verify controls over financial reporting are effectively designed and operating.
Using COSO for SOX Compliance
The best way to ensure that your enterprise is audit-ready for SOX is to use COSO to establish a robust internal control framework.
The independent external auditor you will hire to audit your SOX compliance will almost certainly use COSO standards to measure your controls. ZenGRC’s “Preparing for a SOX Audit Using COSO” audit checklist walks you through the questions you must ask to prepare for this audit.
To prepare for the audit, follow these four steps, using COSO's five components and 17 principles for achieving financial reporting objectives as a guide.
- Prepare a framework
  - Control environment
    - Commitment to integrity and ethical values
    - Independent Board of Directors' oversight
    - Structures, reporting lines, authorities, and responsibilities
    - Attract, develop, and retain competent people
    - People held accountable for internal control
  - Risk assessment
    - Clear objectives specified
    - Risks to the achievement of objectives identified
    - Potential for fraud considered
    - Significant changes identified and assessed
- Identify your internal controls
  - Control activities
    - Control activities selected and developed
    - Controls deployed through policies and procedures
    - General IT controls selected and developed
  - Information and communication
    - Quality information obtained, generated, and used
    - Internal control information communicated internally
    - Internal control matters communicated externally
- Test your controls
  - Monitoring activities
    - Ongoing and separate evaluations conducted
    - Internal control deficiencies evaluated and communicated
- Get help if you need it
Modern challenges require modern solutions, including software that can automate many of these processes and greatly simplify SOX compliance using a framework such as COSO's.
How To Automate Your COSO Compliance
Created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO internal control framework may initially seem simple. After all, there are only five components—control environment, risk assessment, control activities, information and communication, and monitoring activities—and 17 principles.
But the framework’s high-level mandates require a long list of action items and processes—not easy to implement manually and downright tricky if you use spreadsheets for your compliance program.
Automation is the answer. Today’s technologies take much guesswork and grunt work out of compliance with regulations, standards, and frameworks. Whether your organization struggles to manage cyber risks and achieve cybersecurity goals, improve performance management, meet business objectives, or comply with mandates, software solutions can simplify these tasks and streamline compliance efforts.
When choosing a solution, look for:
- Fast, effortless deployment
- User-friendly design
- In-a-click internal audits
- Integrated, multi-framework dashboard
- Easy evidence collection
- Automatic framework updates
ZenGRC Has GRC Solutions for COSO Compliance
ZenGRC's governance, risk, and compliance (GRC) software-as-a-service offers all these features.
Used by the world's leading companies, ZenGRC is a cloud-based solution with fast, easy deployment, unified control management, and a centralized dashboard for simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. With ZenGRC, you can manage your COSO and SOX compliance in one place.
Contact a ZenGRC expert today to request your free demo and embark on the worry-free path to regulatory compliance—the Zen way.