Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO is an organization dedicated to providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence.

Website: coso.org


COSO releases new Enterprise Risk Management Framework (2017), updating the 2004 ERM framework

In September 2017, COSO released its highly anticipated ERM Framework, entitled Enterprise Risk Management–Integrating with Strategy and Performance. This new document builds on its predecessor, Enterprise Risk Management–Integrated Framework (originally published in 2004), one of the most widely recognized and applied risk management frameworks in the world. The updated document outlines how executives can have greater confidence in addressing many critical 21st century business challenges as they navigate evolving markets, rapid innovation and heightened regulatory focus.

In 2014, COSO engaged PwC as the principal author of the update, written under the direction of the COSO Board. The Framework is designed to help organizations create, preserve, and realize quality and value while improving their approach to managing risk, turning a preventative, process-based risk monologue into a proactive, opportunities-focused conversation. The update highlights the importance of enterprise risk management in strategic planning and emphasizes embedding ERM throughout an organization, as risk influences strategy and performance throughout the organization.


Why the updated ERM framework is important


In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. Since that time, the publication gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk changed, new risks emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting.

COSO's 2017 update to the 2004 ERM framework addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. The first part of the updated publication offers a perspective on current and evolving concepts and applications of enterprise risk management. The second part, the Framework, is organized into five easy-to-understand components that accommodate different viewpoints and operating structures, and enhance strategies and decision-making. In short, this update:

  • Provides greater insight into the value of enterprise risk management when setting and carrying out strategy.
  • Enhances alignment between performance and enterprise risk management to improve the setting of performance targets and understanding the impact of risk on performance.
  • Accommodates expectations for governance and oversight.
  • Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies.
  • Presents new ways to view risk to setting and achieving objectives in the context of greater business complexity.
  • Expands reporting to address expectations for greater stakeholder transparency.
  • Accommodates evolving technologies and the proliferation of data and analytics in supporting decision-making.
  • Sets out core definitions, components, and principles for all levels of management involved in designing, implementing, and conducting enterprise risk management practices.


Key developments within the COSO Internal Control Framework

In a separate initiative, COSO released the updated Internal Control–Integrated Framework (2013 Framework) in May 2013. COSO announced that the 2013 Framework would supersede the original 1992 Framework at the end of the transition period on December 15, 2014.

  • The SEC staff commented that the longer issuers continue to use the 1992 Framework (vs. the 2013 Framework), the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 Framework satisfies the SEC's requirement to use a suitable, recognized framework, particularly after December 15, 2014, when COSO considers the 1992 Framework to have been superseded.

  • We recommend that SEC registrants subject to reporting requirements relating to internal control over financial reporting (ICFR) use the 2013 Framework for reporting periods ending after December 15, 2014. PCAOB Auditing Standard 5 requires external auditors to use the same internal control framework used by management to assess the design and operating effectiveness of the company’s ICFR.

  • As of 2016, virtually all public companies required to provide an external auditor’s report on ICFR are utilizing the 2013 Framework.

Why the COSO Internal Control Framework is important

  • COSO’s 2013 update of the Internal Control—Integrated Framework was intended to (i) clarify the requirements for effective internal control, (ii) address changes in business (e.g., globalization, use and dependence on technology, complexity) that introduce or elevate the risk of achieving entity objectives, and (iii) encourage users to apply internal control to additional entity objectives (such as regulatory reporting, operations and compliance).

  • The 2013 Framework describes two additional requirements for an effective system of internal control:
    - Each of the five components of internal control and relevant principles is present and functioning
    - The five components of internal control operate together in an integrated manner

  • The seventeen principles set out in the 2013 Framework are fundamental concepts associated with the five components of internal control. These concepts were implicit in the 1992 Framework. The 2013 Framework explicitly requires that each relevant principle be present and functioning (i.e. designed and operating effectively) to demonstrate that all five components of internal control are present and functioning. The Firm has developed templates and guidance to help clients assess and document how the company’s ICFR satisfies the seventeen principles.

  • We do not believe the additional criteria in the 2013 Framework fundamentally changed what is required for an effective system of internal control over financial reporting. However, as management and internal auditors assess the design and operating effectiveness of the company’s ICFR in accordance with the 2013 Framework, they may identify internal control deficiencies that require remediation.


Select COSO news releases

COSO white paper explains how to leverage COSO framework across three lines of defense

This new COSO white paper advocates applying the Three Lines of Defense model for clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Functions that own and manage risks are the first line. Various risk control and compliance functions that monitor risks are the second line. Internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.

To have a deeper discussion, please contact:

  • Brian T. Croteau, Partner, National Professional Services Group
  • Chris Dinkel, Partner, Assurance
  • Dennis Chesley, PwC Global Risk Consulting Leader
  • Stephen Zawoyski, PwC ERM Solutions Leader
  • Jason Pett, US Leader Internal Audit, Compliance & Risk Management Solutions
