For organizations that wish to define internal controls driven by business objectives, COSO is the framework to follow. An organisation can use COSO to define policies, procedures and processes for all aspects of the business, thereby helping it move from a people-dependent to a system-based approach to governance that ensures ethics, integrity and protection against fraud.
Starting with business objectives, the framework allows you to define and continually improve organisational processes, with the ultimate goal of ensuring the interest of the stakeholders.
In ESA we have advised several organizations in implementing COSO, which led them to proactively manage enterprise risk. We have a structured approach that starts with determining the business objectives,
A typical COSO implementation involves rolling out 30+ policies across the organisation, which are measured monthly against an annual compliance plan.
COSO is supported by five supporting organizations: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
This phase involves determining the key business objectives that will drive the COSO framework implementation.
This phase involves performing a gap analysis against the 17 COSO requirements, as well as defining a risk and control matrix for areas that present opportunities for fraud.
This phase applies our methodology for distributing objectives, risks and control responsibilities to internal stakeholders. It also includes nominating key roles, such as a risk and compliance officer, who will drive ongoing compliance. Each business function has its own control framework.
This phase involves tracking the client's risks, documentation and self-declarations until all internal controls are adequately implemented.
This phase involves measuring internal control changes on a scale of 0-100%. This gives internal stakeholders assurance that the processes implemented are adequate (or flags them as at risk). Any deviations or risks identified are treated. We have a structured methodology for implementation.
Internal audit involves independent verification of the risk and control implementation as a project, and provides assurance over the ongoing program.