In 2004, the Committee of Sponsoring Organizations of the Treadway Commission published the Enterprise Risk Management – Integrated Framework, which has been reviewed over time (the last review, COSO III, dated back to 2013). Due to the changes in the complexity of risks, the appearance of new risks and a better understanding and oversight of risk management by administrative bodies, the Committee has updated the 2004 publication. The document, entitled Enterprise Risk Management – Integrating with Strategy and Performance (COSO ERM 2017), emphasises the importance of considering the risk both in the process of establishing the strategy and in its performance.
The objective of the Integrated Framework for Internal Control is to “support management in improving control within the organisation” and “providing tools for improving the capacity for overseeing internal control”, and constitutes guidelines for designing, implementing, developing and evaluating the effectiveness of the internal control of an organisation, as it allows it to maintain a system of internal control which increases the likelihood of it meeting its objectives and adapting to constant operational changes and changes in the environment.
Documents COSO ERM 2017 and COSO III complement each other, without one replacing the other. The 2017 document focuses on areas which go beyond internal control. However, the Integrated Framework for Internal Control continues to be a viable framework suitable for implementing, developing and evaluating the effectiveness of the internal control of an organisation.
According to COSO, Internal Control is:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”
The objective of COSO ERM 2017 is achieved through 5 components developed through 20 principles:
1. Governance and culture
Governance: reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management.
Culture: ethical values, desired behaviours, and understanding of risk in the entity.
Principles
1. The administrative bodies exercise risk oversight.
2. Management establishes operating structures.
3. The organisation defines desired culture.
4. The organisation demonstrates commitment to core values.
5. The organisation attracts, develops and retains capable individuals.
2. Strategy and objective-setting
Step 1: defining clear objectives.
Step 2: identifying and assessing risks through a dynamic interactive process, considering any changes which may occur in the environment and which may affect risk management.
6. The organisation analysis business context.
7. The organisation defines risk “appetite”.
8. The organisation assesses alternative strategies.
9. The organisation sets business objectives.
3. Performance
Risks are prioritized by severity and the organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
10. The organisation identifies the risk.
11. The organisation assesses the severity of the risk.
12. The organisation prioritises risk.
13. The organisation implements risk responses.
14. The organisation develops a portfolio view of the risks.
4. Review and revision
By reviewing entity performance, an organisation can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
15. The organisation assesses substantial changes.
16. The organisation reviews risk and performance.
17. The organisation pursues improvement in enterprise risk management.
5. Information, communication and reporting
Risk management requires a continual process of obtaining and sharing information, from both internal and external sources, which flows up, down, and across the organisation.
18. The organisation leverages information and technology.
19. The organisation communicates risk information.
20. The organisation reports on risk, culture and performance.
In short, internal control is a process carried out by persons of an organisation and which must be continually adapted to the structure of such organisation.
Montserrat Mestre Vidal, Auren Spain auditor