Committee of Sponsoring Organizations
Due to heightened corrupt practices throughout businesses in the early to late 1970s, the US Securities and Exchange Commission partnered with the US Congress to enact rules that would cover the internal control structure in companies throughout the United States. As a result, the private sector initiated what is called the Committee of Sponsoring Organizations of the Treadway Commission (otherwise known as “COSO”) to provide a framework that would help implement a strong system of internal controls in mid-1985.
Most recently, in May of 2013, COSO updated their framework to better align their guidance with the rise of ‘big data,’ ‘high volume transactions,’ and widespread use of the internet throughout corporations. The update addresses these changes while keeping the fundamental principles of internal controls consistent with the original framework.
May 2013 Update
Internal Controls are a system of operations and functions to assure a corporation’s objectives, goals, and financial reporting responsibilities are met effectively and reliably. The update in 2013 used this fundamental concept to create a framework that would aid in creating a reliable reporting environment that could coexist with the rise of the internet and big data.
The framework consists of five interrelated components that should be used as a guideline for how management runs a business:
Control Environment
The overriding structure of the control environment should set the tone of the organization and influence decision makers to act consciously and responsibly.
Risk Assessment
The Corporation should have a system of controls that identifies risks both inside and outside the organization including but not limited to fraud risk, industry factors, and regulations both internally and externally.
Control Activities
These should be put in place to ensure the company’s objectives are met and should consist of activities such as approvals, authorizations, segregation of duties, and reviews.
Information & Communication
Information should be communicated throughout the company in a process that ensures information is provided to parties both internally and externally to effectively reduce the opportunity for fraud and encourage financial and operational compliance.
Monitoring Activities
Monitoring activities should be in place to ensure all these components not only exist, but are currently functioning at the required level.
These components should exist not only at an overall entity level, but should also be present at each division and throughout individual functions of the organization.
How this Affects Closely-Held Businesses
The COSO framework provides a functional system of internal control to aid in compliance, efficiency and reporting throughout an organization. However, the framework is geared towards larger corporations that have the ability and staff to be able to effectively implement these standards. So the question is: in what ways can a closely held business implement these standards to effectively mitigate control risks that may arise from their organizational structure?
Control Environment
Ensure the ‘Tone at the Top’ encourages compliance with reporting standards and promotes strong dedication to ethical and conscious decision making throughout the organization.
Risk Assessment
All areas of management should be aware of risks both internally and externally that may affect management’s corporate performance objectives, reporting, or compliance. This should consist of being aware of industry standards, economic pitfalls, or internal factors that may contribute to reporting errors, negative business trends, as well as fraudulent or unethical behavior.
Control Activities
While the framework suggests that each reporting unit or division of a company should implement control activities, small companies often have difficulties adopting a complete system of internal control due to resource constraints. The adoption of control activities across reporting units can often help promote a solid system of internal control – e.g., segregation of duties can be achieved by having the Human Resource Manager review the Payroll Accountant’s report before submitting the payroll to the third party administrator. An individual can have varying levels of responsibilities but should not be in a position to authorize, record, report, and review a transaction. Responsibility for all stages of a transaction provides opportunity for undetected errors whether intentional or not. Mitigating this risk can come from segregation of duties and adopting management oversight in key areas such as financial reporting and compliance.
Information & Communication
Communication should flow freely from those in management down to employees of the organization as well as from employees up to management. Free-flowing communication can be emphasized by adopting a fraud reporting hotline or a comment box where individuals can report any instances of fraud or non-compliance confidentially.
Monitoring Activities
Management and owners of the company should oversee control activities to ensure the system is functioning properly. Executive reports, weekly or monthly meetings with managers, as well as quarterly or semi-annual ‘town halls’ can be used as opportunities to monitor how the company is functioning on an ongoing basis.
