Corporate Compliance Insights
4 COSO Risk Assessment Principles of the 2013 Framework

These points of focus are important -- but not required

by Warren W. Stippich
March 4, 2015
in Risk

The 2013 COSO Framework introduces 17 principles of internal control, each attached to one of the five components of the Framework, and each principle includes several points of focus. The analysis here looks at the four principles of the COSO risk assessment component (Principles 6, 7, 8 and 9).

All relevant principles of the 2013 Framework should be implemented for an entity to conclude that it has effective internal control. The points of focus (explained below) help users understand each principle, but they are not explicit requirements.

First, a little background:

Public companies listed in the United States, as well as other companies in various jurisdictions, have been working on adopting the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control Framework.[1] The 2013 Framework is an enhancement and update, rather than a massive overhaul, of the original 1992 guidance and is intended to update the framework to address the changes in the economic, technological and regulatory climate that have occurred over the past 20 years.

While the five broad components of internal control did not change in the updated Framework, the new guidance accompanying the risk assessment component presents companies with an excellent opportunity to define and achieve important operational, reporting and compliance objectives. Indeed, for some companies, the new guidance — and the linkages to an existing strategic planning process it requires — can substantially change how they manage their business, create operational efficiencies and even boost profitability.

Principle 6: Specify objectives with clarity

This principle lays the groundwork to do the risk assessment itself. For some companies, this may be an area to consider enhanced processes and related documentation. A company ordinarily needs to describe its operational, reporting (external financial, external nonfinancial, internal) and compliance objectives. As the guidance states, “While setting strategies and objectives is not part of the internal control process, objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established.”[2] The risk assessment component is now tied much more closely to the overall objectives of the company and the strategic reporting process.

Operations objectives

Objectives for external financial reporting requirements are an important focus of external auditors, and hence a focus of company financial staff. It is important for management to be rigorous in specifying objectives for each category as appropriate to the organization. Specifying operations objectives can be particularly valuable. The points of focus for the operations objectives can help a company become better managed and help it mitigate risk. Indeed, from an operational standpoint, they can be as important as the objectives that apply to financial statement risk.

Developing and implementing operations objectives is essential for executing the strategic planning that some companies sorely lack. For many firms, especially large companies that already have a robust strategic planning process, the new risk assessment guidance may have little impact. But many medium-size firms, and in particular, start-up firms, have not developed robust strategic planning processes. Those companies could benefit from achieving sufficient clarity of objectives in order to identify and assess risk.

Reporting objectives

The 1992 Framework included language applicable to various forms of company reporting other than external financial reporting. But with the passage of the Sarbanes-Oxley Act, and related Securities and Exchange Commission rulemaking, the COSO internal control framework became closely associated with external financial reporting.[3] The 2013 Framework discusses in detail the use of the guidance for other reporting situations in order to provide context for applying the components and principles more broadly.

In describing external nonfinancial reporting objectives, the Framework specifically mentions sustainability reporting, which is far more prevalent and important now than 20 years ago; indeed, the oft-used Global Reporting Initiative guidelines weren't published until the late 1990s. Internal reporting systems have also become more important and sophisticated, not only for managing the company but for ensuring that expanded regulatory requirements are met.

Compliance objectives

In following the compliance objectives of Principle 6, a company also has to manage the enormous amount of guidance it receives from a wide variety of regulatory bodies. A recommended approach would be to first meet COSO requirements. Next, homogenize, where reasonable, the language in your documentation to other compliance mandate checklists that address a similar attribute (Financial Industry Regulatory Authority, Basel III, etc.). In other words, a company should have a single response, applying a “one-to-many” concept, where applicable, for all of the risk assessment mandates it must follow.

Principle 7: Identify and analyze risks across the entity

Principle 7 is used to answer the following questions:

(1) What are the risks of achieving the objectives identified in Principle 6 across the various levels of the entity — subsidiary, division, operating unit and function — as well as the entity itself?

(2) What is the likelihood of a specific risk occurring, how severe could it be, how quickly will it affect the company and for how long?

(3) In the event of an occurrence, how should management respond? There are four types of responses: acceptance, avoidance, reduction and sharing.

Under the 1992 guidance, the focus was on transactional risk, i.e., risks in processes carried out at operational and functional levels. The 2013 Framework, with its emphasis on organizational objectives, puts a greater weight on entity-level risk. Moreover, this approach demands that risk be looked at on an ongoing basis, rather than as a once-a-year exercise.
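The three questions above describe a risk rating exercise that is usually recorded in a risk register: each risk is tied to a Principle 6 objective and a level of the entity, scored for likelihood, severity, velocity and duration, and given one of the four responses. The following is an added example written for this article; it is not a COSO tool and not the author's own material. The risk names, scores, the 1.25 velocity and duration weights and the per-category tolerance thresholds are all assumptions chosen for illustration; management sets the real thresholds against its own objectives.

```python
"""Risk register scoring for the Principle 7 questions: where a risk sits,
how likely/severe/fast/persistent it is, and whether management's chosen
response is adequate. Illustrative example only; not a COSO artefact."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """The four response types named in the text."""
    ACCEPT = "acceptance"
    AVOID = "avoidance"
    REDUCE = "reduction"
    SHARE = "sharing"


# Assumed risk tolerance per objective category, expressed as a priority
# score (max possible is 25 * 1.25 * 1.25 = 39.0625). Real thresholds are
# set by management against the Principle 6 objectives.
TOLERANCE = {"operations": 10.0, "reporting": 8.0, "compliance": 6.0}


@dataclass
class Risk:
    name: str
    objective: str        # objective category from Principle 6
    level: str            # entity, subsidiary, division, operating unit, function
    likelihood: int       # 1 (remote) .. 5 (almost certain)
    severity: int         # 1 (negligible) .. 5 (critical)
    velocity_days: int    # days from occurrence until the impact is felt
    duration_days: int    # how long the impact persists
    response: Response = Response.ACCEPT

    def __post_init__(self):
        for field_name in ("likelihood", "severity"):
            if not 1 <= getattr(self, field_name) <= 5:
                raise ValueError(f"{field_name} must be 1..5")
        if self.objective not in TOLERANCE:
            raise ValueError(f"unknown objective category {self.objective!r}")


def priority(risk: Risk) -> float:
    """Likelihood x severity, scaled up for fast-moving or long-lasting risks.
    The 1.25 weights are assumptions chosen for illustration."""
    score = float(risk.likelihood * risk.severity)
    if risk.velocity_days <= 30:   # impact lands within a reporting month
        score *= 1.25
    if risk.duration_days > 90:    # impact persists beyond a quarter
        score *= 1.25
    return score


def rank_register(risks):
    """Highest-priority risks first; ties keep register order (stable sort)."""
    return sorted(risks, key=priority, reverse=True)


def unaddressed(risks, tolerance=TOLERANCE):
    """Risks above tolerance that are still merely accepted: these need an
    avoidance, reduction or sharing decision from management."""
    return [r for r in risks
            if r.response is Response.ACCEPT
            and priority(r) > tolerance[r.objective]]


def rollup_by_level(risks):
    """Worst priority seen at each level of the entity (question 1 above)."""
    worst = {}
    for r in risks:
        worst[r.level] = max(worst.get(r.level, 0.0), priority(r))
    return worst


def sample_register():
    """Constructed sample data; names and scores are illustrative only."""
    return [
        Risk("Revenue recognition estimate error", "reporting", "entity",
             likelihood=3, severity=4, velocity_days=60, duration_days=180,
             response=Response.REDUCE),
        Risk("Sanctions screening gap in new market", "compliance", "subsidiary",
             likelihood=2, severity=5, velocity_days=10, duration_days=365),
        Risk("Key supplier outage", "operations", "operating unit",
             likelihood=4, severity=3, velocity_days=5, duration_days=14,
             response=Response.SHARE),
        Risk("Expense report padding", "operations", "function",
             likelihood=4, severity=1, velocity_days=30, duration_days=30),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in rank_register(register):
        print(f"{priority(r):6.2f}  {r.level:<15} {r.response.value:<10} {r.name}")
    for r in unaddressed(register):
        print(f"NEEDS RESPONSE: {r.name} exceeds {r.objective} tolerance")
```

Running the script ranks the register and flags the sanctions screening gap: it is only accepted, yet its score (15.625) is far above the assumed compliance tolerance (6.0), so it needs an explicit avoidance, reduction or sharing decision. Re-running the script whenever likelihood, severity or a response changes is the ongoing assessment the text calls for, as opposed to a once-a-year exercise.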

Principle 8: Consider the potential for fraud in assessing risks to the achievement of objectives

This principle looks at how fraud could prevent the entity from achieving the objectives identified in Principle 6. The assessment management performs with respect to this principle considers fraudulent reporting, possible loss of assets and corruption resulting from the various ways that fraud and misconduct can occur.

In tackling the demands of the new principle, companies can adopt various approaches. The “illustrative tools”[4] COSO has issued offer helpful recommendations including the following:

(1) Conduct a fraud risk assessment to identify the various ways fraud can occur. Management should consider:

  • The degree of estimates and judgments in external financial reporting
  • Methodology for recording and calculating certain accounts, like inventory
  • Fraud schemes and scenarios common to the industry sector and markets where the company operates
  • The geographic regions where the company does business
  • Nature of automation
  • Unusual and complex transactions subject to significant management influence
  • Last-minute transactions

(2) Consider approaches to how individuals in the firm might circumvent or override fraud controls.

(3) Consider fraud risk in the internal audit plan.

(4) Review pressures and incentives in compensation programs for management and employees to commit fraud.


Principle 9: Identify and assess changes that could significantly impact the system of internal control

This principle requires an ongoing assessment of changes in the organization, both external and internal, that could affect risk. External changes include those in the economic, regulatory and physical environment. Internal changes include those in the company's business lines and operations, overseas markets and operations, new technologies, and changes in leadership and company philosophy.

Implementing the COSO risk assessment component

All of the relevant principles in the Framework should be present and functioning in order for management to conclude that internal controls are effective. Many companies are starting with the Framework, determining if there are existing controls that satisfy the principles and then considering what new controls or improved documentation may need to be implemented to evidence how a principle is satisfied.

As discussed above, points of focus may be particularly helpful in assisting management and auditors in evaluating principles that may not have been as thoroughly developed in the 1992 Framework. As a best practice, management should at least consider every point of focus, determine whether the relevant points of focus are present and determine if other considerations are appropriate. They should then document and support that the appropriate number of points of focus have been satisfied to substantiate that the underlying principle is in place and operating effectively.

In adopting the new guidance for COSO risk assessment and other Framework components, internal audit will ordinarily be responsible for the facilitation of the mapping of controls to principles. Implementing controls and remediating control weaknesses, however, will generally be the work of the CFO, the controller’s function and general counsel, and others such as internal audit. Boards and audit committees also have an important role to play in ensuring that any deficiencies in internal control noted by those charged with monitoring and reporting, including external bodies, are corrected. Overall responsibility, however, falls to management: It is their responsibility to ensure that the checks and balances in the organization exist for a sound system of internal control.

While the transition to COSO 2013 may take a great effort for some companies, the new guidance around risk assessment presents an opportunity to achieve important operational objectives. When implemented, the Framework can be more than just a compliance exercise — the requirements can help improve operational efficiencies and increase productivity.

[1] See the COSO website at http://www.coso.org/ic.htm for more information.

[2] COSO, Internal Control – Integrated Framework (2013), p. 42.

[3] McNally, J. Stephen. "The 2013 COSO Framework and SOX Compliance," Strategic Finance, July 2013.

[4] "Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples," COSO, 2013.


Warren W. Stippich

Warren is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has over 20 years of experience working with multi-national, entrepreneurial and high-growth public companies, including boards of directors and audit committees. Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide array of publicly traded and private businesses with international operations. He has worked extensively on international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada. He has lectured on governance, risk and compliance.

Experience

Warren began his career with Arthur Andersen in the external audit practice and later in the internal audit services practice. He then joined DEKALB Genetics Corporation, a $500 million multi-national public company, as the Vice President of Internal Audit and Worldwide Consulting. After DEKALB, Warren was a Managing Director at American Express Tax and Business Services and a Partner in the related attest entity of Altschuler, Melvoin & Glasser LLP, working in the attest and business consulting areas.

Professional certifications

  • Certified Public Accountant (Illinois)
  • Certified Internal Auditor

Memberships

  • American Institute of Certified Public Accountants; Illinois CPA Society
  • Institute of Internal Auditors
  • Board Member and Audit Committee Chair of Gateway Foundation, Inc., Chicago, IL
  • Advisory Board Member of CIBER (Center for International Business Education & Research) at University of Illinois at Urbana-Champaign
  • Board Member of the College of Business Alumni Association of the University of Illinois at Urbana-Champaign

Education

Bachelor of Science in Accountancy, University of Illinois at Urbana-Champaign. Warren writes a regular column, Internal Audit Revolution, for CCI.
