Overview of COSO Framework - Essay Example

Extract of sample "Overview of COSO Framework"

COSO Model

Table of Contents
Introduction
Overview of COSO Framework
Purpose of COSO Framework
Application of the Framework in a Computerised Environment
  Example 1: Use of COSO Framework in Distributed Computerised Environment
  Example 2: Use of COSO Framework in Cloud Computerised Environment
  Example 3: Use of COSO Framework in Cluster Computerised Environment
Risk Identification
  Incorrect Data Input
  Computer Crash
  Information Security Breach
Conclusion
References

Introduction

Over the years, organisational leaders have focused on devising methods to control organisational activities in a better way. They believe that better internal control is necessary in order to keep the organisation on course towards profitability and accomplishment of its mission. Better internal control also empowers the management to deal with today's rapidly changing business environment and with shifting customer interests and concerns. Internal control promotes effectiveness, minimises the risk of loss of assets and helps to ensure the reliability of financial statements and compliance with laws and regulations. Since internal control serves several purposes, there is an increasing demand for a better internal control system in the organisation (The Committee of Sponsoring Organizations of the Treadway Commission, 2014). Recognising the importance of internal control, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) has developed the ‘Internal Control – Integrated Framework’. This study provides a brief description of the framework, with emphasis on how it can be applied in a computerised environment.

Overview of COSO Framework

COSO is a voluntary private-sector initiative devoted to improving organisational performance and control through efficient internal control, risk management and fraud recognition.
This framework has gained broad acceptance and is currently used extensively within various organisations. It is identified as a leading framework for planning, executing and assessing the efficiency of internal control. COSO believes that this framework will allow organisations to effectively develop and maintain an internal control structure that enhances the likelihood of accomplishing organisational objectives and of adjusting to changes in the operating environment (The Committee of Sponsoring Organizations of the Treadway Commission, 2011). The COSO framework comprises five integrated elements, regarded as its key feature, which are incorporated into the management processes of an organisation. Although the elements are applicable to every entity, organisations can implement them in different ways on the basis of their size. The following figure gives an overview of the COSO framework.

Fig 1: COSO Framework. Source: (McNally, 2013)

Control Environment: The control environment sets the tone for the activities of an organisation and shapes the control awareness of its members. It is the basis for the other elements of internal control and provides discipline as well as structure for internal control. Control environment factors comprise the integrity, ethical values and competency of organisational members. It further includes the organisational philosophy, the operating method and the way in which the management allocates authority and responsibility and organises the employees (The Committee of Sponsoring Organizations of the Treadway Commission, 2014).

Risk Assessment: Risk assessment is the identification and evaluation of risks which should be managed in order to accomplish organisational objectives.

Control Activities: Control activities are the strategies and processes which ensure that the directions laid down by the management are carried out effectively.
Control activities also ensure that essential actions are taken in order to address risks and accomplish organisational objectives. Control activities occur at every level in the organisation. They comprise activities such as approvals, sanctions, confirmations, reconciliations, assessment of operating performance, safety of assets and separation of responsibilities (The Committee of Sponsoring Organizations of the Treadway Commission, 2014).

Information and Communication: For better internal control, relevant information must be recognised, captured and communicated so that individuals can perform their duties competently. Information systems not only deal with internally produced data, but also deliver information regarding external events, activities and circumstances which is essential for making informed decisions. Similarly, communication across the organisation is essential for better internal control. Every employee should receive a clear message from the senior management so that they can carry out their duties earnestly. There is also a requirement for effective communication with external stakeholders such as clients, suppliers and regulators, among others (The Committee of Sponsoring Organizations of the Treadway Commission, 2014).

Monitoring: The internal control system needs to be monitored. Monitoring in this context is a procedure that evaluates the quality of organisational performance. Monitoring is accomplished by on-going observation and reporting of deficiencies to the senior management (The Committee of Sponsoring Organizations of the Treadway Commission, 2014).

Purpose of COSO Framework

The COSO framework serves two key purposes. The primary purpose of the framework is to assist the management in having better control over organisational performance. It provides the management with an additional capability to supervise internal control.
Implementing the COSO framework permits the management to concentrate on operational improvement and achievement of financial objectives, while complying with relevant laws. The framework allows an organisation to manage the business effectively in a changing competitive environment and with evolving business models. It promotes the efficiency of business operations and supports consistent reporting (The Committee of Sponsoring Organizations of the Treadway Commission, 2011). The secondary purpose of the COSO framework is to ensure transparency of internal control through the utilisation of several concepts. The framework is intended to support the management and other concerned parties in evaluating the efficiency of the organisation's system of internal control and reporting (The Committee of Sponsoring Organizations of the Treadway Commission, 2011).

Application of the Framework in a Computerised Environment

The purpose of the COSO framework does not change in a computerised environment. However, the use of computers has changed the processing, storage, recovery and communication of information, which can influence the internal control system employed under COSO. In the present-day business environment, which is driven by computer technology, there is a need to consider the information systems environment while controlling internal operations. Furthermore, a better understanding of the significance and complexity of computer technology and of the accessibility of information is also required for better internal control (Basu, 2009). Certain examples of the use of the COSO framework for better internal control in a computerised environment are given below.

Example 1: Use of COSO Framework in Distributed Computerised Environment

Distributed computing is a method where different portions of one program run simultaneously on two or more computer systems over a single network. Distributed computing makes information accessible to several users.
Thus, there is an increasing level of threat if internal control is not implemented effectively. Accordingly, the COSO framework can be used in order to control the distributed computerised environment. The COSO framework can provide two types of internal control in a distributed system, namely application control and general control. Application control can be protective or detective in nature and is intended to ascertain the accuracy of information. Application control is associated with the procedures used to initiate, record and report information. Application control helps to certify that business transactions of any kind are authorised and recorded accurately. Application control applies to information processing activities such as sales or purchase information. On the other hand, general controls are strategies that relate to several applications and support the efficient functioning of application control. General control applies to the end user environment. It helps to maintain the integrity and security of information and comprises control over network function, information centre, application change, security access and system improvement (Byrne, 2009).

Example 2: Use of COSO Framework in Cloud Computerised Environment

Cloud computing is a model which allows an organisation to obtain computing resources from any location by the use of the internet. In any cloud environment, an organisation no longer possesses direct control over the technology and the associated management procedures. Thus, the management should determine its risk appetite for possible events which are related to cloud computing. In such a computing environment, the COSO framework can be used in order to construct an effective governance suite which is tailored specially for the cloud solution (Horwath et al., 2012). The following figure demonstrates how the COSO framework can be used in the cloud computing environment.
Fig 2: Use of COSO Framework in Cloud Computerised Environment. Source: (Horwath et al., 2012)

The COSO framework can be applied in the cloud computing environment in order to create, improve or execute a quality assurance check for the governance program by certifying that every key aspect of internal control has been addressed with regard to the management's requirements. The best application of the COSO framework in cloud computing is when the management identifies the arrangement of business procedures and deployment model, among others, which complies with the management's risk appetite. By assessing a cloud solution in the setting of the COSO framework, an organisation can concisely recognise the associated risks, the preferred risk acceptance level and risk mitigation approaches. Such an assessment also allows an organisation to make judicious risk management and governance decisions while choosing an ideal set of cloud solutions. Consequently, it helps to establish a well-planned governance program for cloud computing (Horwath et al., 2012).

Example 3: Use of COSO Framework in Cluster Computerised Environment

In cluster computing, a group of computers is linked and works together cooperatively. In a cluster computerised environment, information is necessary for the organisation in order to achieve better internal control. Thus, the COSO framework can be used in an organisation which follows the cluster computerised system. The COSO framework can help to identify the information requirements for supporting the functioning of internal control. Moreover, for better internal control, there is a need to maintain the quality of information throughout the environment. Adoption of data flow diagrams and flowcharts, among others, can help to support better internal control in the cluster computerised environment.
These documents can be generated simply and can easily be understood by employees throughout the organisation (The Committee of Sponsoring Organizations of the Treadway Commission, 2014).

Risk Identification

In the COSO framework, risk identification plays a vital part in the process of risk assessment. The objective of risk identification is to evaluate the level of risks and to prioritise the risks accordingly. Risk identification also helps the organisation to react to the risks. Risk identification generates a comprehensive list of risks which is organised by various risk categories (such as financial risk, operational risk and strategic risk) and sub-categories (such as market related risk, credit risk and liquidity risk) for organisational functions. In the risk identification phase, an extensive net is cast in order to comprehend the types of risk. While capturing every type of risk is vital for the management, the list of risks requires prioritisation so that the management can focus its attention on the major risks (Curtis & Carey, 2012). In the computerised environment, the three most important risks are incorrect data input, computer crash and information security breach.

Incorrect Data Input

One of the worst risks in an organisation's internal system is incorrect data appearing on reports such as the financial report or the performance evaluation report. Incorrect data can damage the organisation's reputation and hamper the adoption of measures for the enhancement of performance (EYGM Ltd, 2010).

Control Activities: Control activities act as a mechanism for managing the accomplishment of organisational objectives. Control activities support every element of internal control and are particularly related to risk identification. Apart from the identification of risk, control activities identify the actions necessary to carry out specific risk responses.
With respect to the risk of incorrect data entry, input control activities can be applied. Input control comprises appraisal and approval of data entry, checking and verification of supporting documents, review and validation of changes in the database and restriction of access to changes in the database. In particular, documented procedures must exist for any data entered manually in the computer system (EYGM Ltd, 2010).

Computer Crash

The other critical risk in the computerised environment is computer crash. The key cost associated with a computer crash is loss of information. Loss of information can have varied harmful influences on an organisation, in terms of being unable to deal with customers' requests and unable to fulfil the expectations of business associates. Moreover, the organisation also has to make additional efforts to recreate and recover the lost information (McGraw-Hill Education, 2013).

Control Activities: There are several control activities that can be applied in order to deal with the risk of computer crash. For instance, the organisation can regularly make multiple backup copies of the information stored in the computer system. When working in a specific computerised environment, organisational members must be aware of the stability of that environment. The other control activities for dealing with the risk of computer crash are offsite and automatic backups, regular system maintenance and inbuilt software application safeguards, among others (McGraw-Hill Education, 2013).

Information Security Breach

An information security breach can affect an organisation by exposing it to a number of vulnerabilities. A security breach can compromise the integrity of information, which in turn can affect the consistency and privacy of relevant data (FFIEC, n.d.).

Control Activities: There are various control activities that can be applied in order to deal with this risk.
For example, an organisation must be aware of information security threats. It should also have the ability to support timely security updates, and maintain a consistent procedure to become aware of new vulnerabilities and to react accordingly. It should further ensure careful control of external network access, incorporate instruments to minimise the risk of hidden system intrusion, have a strong policy and a well-administered procedure to positively identify authorised users, and mitigate the risks generated by unauthorised physical access to computer systems (FFIEC, n.d.).

Conclusion

The COSO framework is useful for board members and managers for better organisational performance. The principles of the COSO framework can be adopted for a better internal control system in any organisation irrespective of its size or industry. The COSO framework has the ability to properly evaluate the internal system of an organisation and accordingly influence various operations. Furthermore, the COSO framework can also be utilised in order to control various activities in a computerised environment. In modern organisations, the COSO framework is expected to minimise risks, enhance regulatory compliance and strengthen performance.

References

Basu, S. K., 2009. Fundamentals of Auditing. Pearson Education India.

Byrne, P., 2009. Auditing in A Computer – Based. Student Accountant. [Online] Available at: http://www.chinaacc.com/upload/html/2013/06/27/lixingcun664dfe3a070b47b7bf32254d6f6c6151.pdf [Accessed July 09, 2014].

Curtis, P. & Carey, M., 2012. Risk Assessment in Practice. Deloitte & Touche LLP. [Online] Available at: http://www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf [Accessed July 09, 2014].

EYGM Ltd, 2010. Improving Internal Controls: The Ernst & Young Guide for Humanitarian Aid Organisations. Humanitarian Aid Resource and Delivery Framework. [Online] Available at: http://www.ey.com/Publication/vwLUAssets/Improving-internal-controls_Framework/$FILE/Improving-internal-controls_Framework.pdf [Accessed July 09, 2014].

FFIEC, n.d. Information Security Controls. Risk Management of E-Banking Activities. [Online] Available at: http://ithandbook.ffiec.gov/it-booklets/e-banking/risk-management-of-e-banking-activities/information-security-program/information-security-controls.aspx [Accessed July 09, 2014].

Horwath, C. et al., 2012. Enterprise Risk Management for Cloud Computing. COSO. [Online] Available at: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf [Accessed July 09, 2014].

McNally, J. S., 2013. The 2013 COSO Framework & SOX Compliance. Strategic Finance, pp. 1-8.

McGraw-Hill Education, 2013. Risk Mitigation, Monitoring and Management Plan. Graphics. [Online] Available at: http://www.mhhe.com/engcs/compsci/pressman/graphics/Pressman5sepa/common/cs2/rmmm.pdf [Accessed July 09, 2014].

The Committee of Sponsoring Organizations of the Treadway Commission, 2011. Internal Control – Integrated Framework. COSO. [Online] Available at: http://kontrol.bumko.gov.tr/Eklenti/6877,cosodraftinternal-control-framework-draft-dec12011.pdf?0 [Accessed July 09, 2014].

The Committee of Sponsoring Organizations of the Treadway Commission, 2014. Internal Control - Integrated Framework. Documents. [Online] Available at: http://www.coso.org/documents/Internal%20Control-Integrated%20Framework.pdf [Accessed July 09, 2014].