Beruflich Dokumente
Kultur Dokumente
o f
S p o n s o r i n g
O r g a n i z a t i o n s
o f
t h e
T r e a d w a y
C o m m i s s i o n
Improving
O r g a n i z a tio n a l
P e r fo r m a n c e a n d
Governance
How the COSO Frameworks Can Help
By
James DeLoach
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
specific situations should be determined through consultation with your professional adviser, and this paper should not be considered substitute
for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors
Protiviti
James DeLoach
Managing Director
Acknowledgements
The authors wish to thank David Landsittel, Larry Rittenberg, James Pajakowski and
Jay Thompson for their valued input and ideas in framing this paper and Michael
McGarry and Darci Lowe for their assistance with the necessary research.
In addition, they wish to thank the COSO Board for its support of this project.
Marie N. Hollein
Financial Executives International
Douglas F. Prawitt
American Accounting Association
Charles E. Landes
American Institute of CPAs (AICPA)
Richard F. Chambers
The Institute of Internal Auditors
Sandra Richtermeyer
Institute of Management Accountants
Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
www.co s o.o rg
Improving
O r g a n i z a tio n a l
P e r fo r m a n c e a n d
Governance
How the COSO Frameworks Can Help
Research Commissioned by
February 2014
Copyright 2014, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
1234567890 PIP 198765432
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions please contact the
American Institute of Certified Public Accountants licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7077.
www.co s o.o rg
Governance and Operational Performance | Improving Organizational Performance and Governance | iii
Contents
Page
Introduction
Executive Summary
12
13
14
16
Closing Remarks
18
19
19
19
About COSO
24
24
www.co s o.o rg
www.co s o.o rg
Introduction
The mission of the Committee of Sponsoring Organizations
(COSO) reads, in part, to improve organizational
performance and governance. Since their inception,
COSOs Enterprise Risk Management Integrated
Framework1 and Internal Control Integrated Framework2
(collectively referred to as the COSO frameworks) were
both intended to provide guidance for management on
how to implement and evaluate effective enterprise risk
management (ERM) and internal control processes, leading
to the improvement of management and governance
processes. When applied effectively, the frameworks
concepts contribute to the end result of improving
organizational performance and governance in
significant ways.
Enterprise Risk Management Integrated Framework, Committee of Sponsoring Organizations, September 2004.
Available at www.coso.org.
Internal Control Integrated Framework, Committee of Sponsoring Organizations, May 2013. Available at www.coso.org.
See Appendix C of Enterprise Risk Management Integrated Framework and Appendix G of Internal Control Integrated
Framework.
3
www.co s o.o rg
Executive Summary
This paper describes the COSO frameworks in the context
of a fairly standard leadership umbrella for governing and
managing a successful organization. The frameworks
are intended to be integrated within the governance and
management processes to establish accountability for
ERM and internal control. Either framework can be applied
with positive results, i.e., companies can implement the
internal control framework without implementing the ERM
framework. The governance concepts included in both
frameworks,4 are vital to their effective application by
organizations.
Within the context of its mission, an organization is
designed to accomplish objectives. It is presumed that
the organizations leaders can articulate its objectives,
develop strategies to achieve those objectives, identify
the risks to achieving those objectives and then mitigate
those risks in delivering the strategy. The ERM framework
is based on objective setting and the identification and
mitigation or acceptance of risks to the achievement of
objectives. The internal control framework is designed to
control risks to the achievement of objectives by reducing
them to acceptable levels. Thus, each of the frameworks
is inextricably tied into the operation of a business through
the achievement of objectives. ERM is applied in the
strategy-setting process while internal control is applied to
address many of the risks identified in strategy setting.
Specifically, governance concepts are included in the internal environment component in Enterprise Risk
Management Integrated Framework and control environment component in Internal Control Integrated Framework.
5
For more information on the development of risk appetite, see the COSO thought paper Enterprise Risk
Management Understanding and Communicating Risk Appetite, Dr. Larry Rittenberg and Frank Martens,
January 2012. Available at www.coso.org.
www.co s o.o rg
Execution
Monitoring
6
An iterative four-step management method used in business for the control and continuous improvement of processes and
products, the Plan-Do-Check-Act cycle was made popular by Dr. W. Edwards Deming, a pioneer in modern quality control.
Richard M. Steinberg, Governance, Risk Management and Compliance (New York: John Wiley & Sons, Inc., 2011, 2.
www.co s o.o rg
10
www.co s o.o rg
Figure 2 illustrates how internal control is an integral part of ERM, while ERM is an integral part of the business model. As a
subset of the contextual business model and broader than internal control, ERM elaborates on internal control and focuses
more directly on risk. ERM focuses on strategic objectives and internal control does not, because achievement of strategic
objectives is subject to external events not always within the organizations control. ERM encompasses objective setting,
whereas internal control is applied to established objectives to provide reasonable assurance they are achieved. The
ERM framework is broader than, and encompasses, internal control because it deals with alternative risk responses (risk
avoidance, acceptance, sharing and reduction), while the internal control framework deals primarily with risk reduction.
E
IA
CO
M
PL
RT
IN
NC
S
PO
RE
ER
AT
I
GI
ST
R
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Expanded into
3 components
Risk Response
Control Activities
ENTITY-LEVEL
DIVISION
BUSINESS UNIT
FUNCTION
Control Activities
OP
AT
E
IA
PL
Risk Assessment
ENTITY-LEVEL
DIVISION
BUSINESS UNIT
FUNCTION
CO
M
Control Environment
ON
E
NC
G
IN
RT
PO
RE
OP
ER
AT
I
ON
Monitoring
Internal Control
Integrated Framework
Governance
Strategy Setting
Business
Planning
Adapting
Execution
Monitoring
www.co s o.o rg
11
David R. Koenig, Governance Reimagined: Organizational Design, Risk and Value Creation
(New York: John Wiley & Sons, Inc., 2012, 184.
12
The Eversheds Board Report: The Effective Board, Eversheds LLP, 2013.
Available at www.eversheds.com/global/en/what/publications/board-report2/index.page.
www.co s o.o rg
www.co s o.o rg
Risk Appetite
Another element of the ERM internal environment, risk
appetite reflects the enterprises risk management
philosophy, and in turn influences the entitys culture
and operating style. It is considered in strategy setting,
consistent with the view that a disciplined approach
around protecting enterprise value should be integrated
with the aspirational objectives established through the
strategy-setting process. The risk appetite statement
frames the risks the organization should accept, the risks
it should avoid and the strategic, financial and operating
parameters within which the organization should operate.
Because risk appetite sets boundaries around executing
the business model, it is fundamental to any governance
process that seeks to appropriately balance the
organizations activities around value creation and
value protection. These boundaries are not intended to
be excessively rigid. They must be flexible enough to
respond to changes and opportunities in the business
environment while at the same time being viewed as
an authoritative benchmark that has been vetted and
approved by the board. If risk appetite is constantly
altered to accommodate every emerging opportunity or
meet quarterly forecasts at all costs, it loses its value as
a disciplinary rudder for navigating through unpredictable
and rough waters.
Control Environment
The ERM framework articulates other elements of
the internal environment that are important to the
organizations governance process. These additional
elements are similar in substance to the five principles
comprising the control environment, as described by the
internal control framework:
1) The organization demonstrates a commitment to integrity
and ethical values.
2) The board of directors demonstrates independence from
management and exercises oversight of the development
and performance of internal control
3) Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment
with objectives.
5) The organization holds individuals accountable for their
internal control responsibilities in the pursuit
of objectives.
The above principles strengthen the governance process
by laying a vital foundation for effective risk management
and internal control. The core of any business is its people
their individual attributes, including integrity, ethical
values and competence and the environment in which
they operate. The above principles strengthen that core.
In summary, applying either or both COSO frameworks will
strengthen the impact of the governance process on the
organizations risk culture and, ultimately, the achievement
of its business objectives as agreed upon by executive
management and the board.
www.co s o.o rg
Objective-setting Component
In objective setting, strategic and related objectives are
established and risk appetite and risk tolerances are
considered. For example, risk is inherent in any decision to
expand into new markets, introduce new products, acquire
a different line of business, build a new plant and invest
in uncharted research and development activities. Every
evaluation of risk ultimately leads to a decision to accept
or reject the risk based on an assessment of whether it is
desirable or undesirable.
A major factor in this discussion is the organizations risk
appetite, as discussed previously. In determining risk
appetite, management should undertake three steps: (1)
develop it, (2) communicate it and (3) monitor and update it.
These three steps should be undertaken with the boards
review and concurrence. Considerations influencing risk
appetite are illustrated in Figure 3.13
Risk
Capacity
Risk
Tolerance
Attitudes
Towards Risk
Determination
of
Risk
Appetite
13
www.co s o.o rg
Ibid.11.
14
www.co s o.o rg
www.co s o.o rg
www.co s o.o rg
www.co s o.o rg
www.co s o.o rg
www.co s o.o rg
Internal Environment
Strategy Setting
Objective Setting
Risk Assessment
Risk Response
Adapting
Business
Planning
Execution
Control Activities
Monitoring
Event Identification
Risk Assessment
Monitoring
Monitoring
Control Environment
Strategy Setting
Business
Planning
Risk Assessment
Adapting
Execution
Control Activities
Monitoring Activities
Risk Assessment
Monitoring
Monitoring Activities
www.co s o.o rg
www.co s o.o rg
Closing Remarks
Whether applied individually or together, ERM and internal
control in the context of enhancing the broader leadership
umbrella for governing and managing an organization are
critical for optimal achievement of mission and execution
of strategy. The major takeaways and observations around
successful implementation of the frameworks summarized
above provide insights as to how the COSO frameworks
support the achievement of strategic goals and objectives
in the context of an effective governance structure, as
well as suggestions for enhancing the effectiveness of
their implementation. This paper has demonstrated that
the COSO ERM and internal control frameworks contribute
value to the six attributes of the illustrative contextual
business model it introduces the governance, strategy
setting, business planning, execution, monitoring and
adapting processes of an organization.
www.co s o.o rg
15
Ibid.
16
17
www.co s o.o rg
18
For more information on risk appetite, see Enterprise Risk Management Understanding and Communicating Risk Appetite,
by Rittenberg and Martens. Available at www.coso.org.
19
www.co s o.o rg
Enterprise Risk Management Integrated Framework, page 8. See also Enterprise Risk Management Understanding
and Communicating Risk Appetite, pages 11-14, for a practical discussion of risk tolerances.
20
21
Ibid., page 1.
22
23
24
25
www.co s o.o rg
Control Activities:26
Control activities serve as mechanisms for managing
the achievement of an entitys objectives and are very
much a part of the processes by which an entity strives
to achieve those objectives. They do not exist simply for
their own sake or because having them is the right or
proper thing to do.
Monitoring:28
An entitys system of internal control will often change.
The entitys objectives and the components of internal
control may also change over time. Also, procedures
may become less effective or obsolete, may no longer
be deployed in the manner in which they were selected
or developed, or may be deemed insufficient to support
the achievement of the new or updated objectives.
Monitoring activities are selected, developed, and
performed to ascertain whether each component
continues to be present and functioning or if change
is needed. Monitoring activities provide valuable input
for management to use when determining whether the
system of internal control continues to be relevant and is
able to address new risks.
26
27
28
www.co s o.o rg
29
30
www.co s o.o rg
About COSO
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control,
and fraud deterrence. COSOs supporting organizations are the Institute of Internal Auditors (IIA), the American Accounting
Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI),
and the Institute of Management Accountants (IMA).
This publication contains general information only and none of COSO, any of its constituent organizations or any of the
authors of this publication is, by means of this publication, rendering accounting, business, financial, investment, legal, tax or
other professional advice or services. Information contained herein is not a substitute for such professional advice or services,
nor should it be used as a basis for any decision or action that may affect your business. Views, opinions or interpretations
expressed herein may differ from those of relevant regulators, self-regulatory organizations or other authorities and may
reflect laws, regulations or practices that are subject to change over time.
Evaluation of the information contained herein is the sole responsibility of the user. Before making any decision or taking any
action that may affect your business with respect to the matters described herein, you should consult with relevant qualified
professional advisors. COSO, its constituent organizations and the authors expressly disclaim any liability for any error,
omission or inaccuracy contained herein or any loss sustained by any person who relies on this publication.
www.co s o.o rg
G ove r n a n c e a n d O p e ra t i o n a l P e r f o r m a n c e
www.co s o.o rg
G ove r n a n c e a n d O p e ra t i o n a l P e r f o r m a n c e
I m p r o v i n g
O r g a n i z a tio n a l
P e r fo r m a n c e
a n d
G o v e r n a n c e
www.co s o.o rg