COSO
Consulting Overview

For organizations that wish to define internal controls driven by business objectives, COSO is the framework to follow. An organization can use COSO to define policies, procedures and processes for all aspects of the business, helping it move from a people-dependent approach to a systematic approach to governance that ensures ethics, integrity and protection against fraud.

Starting from business objectives, the framework allows you to define and continually improve organizational processes, with the ultimate goal of protecting the interests of stakeholders.

At ESA we have advised several organizations on implementing COSO, enabling them to manage enterprise risk proactively. We have a structured approach that starts with determining the business objectives.

A typical COSO implementation involves rolling out 30+ policies across the organization, with compliance measured monthly against an annual compliance plan.

What are the COSO Requirements?
COSO has 17 requirements (the 17 principles of the COSO 2013 Internal Control – Integrated Framework, grouped under five components: control environment (1–5), risk assessment (6–9), control activities (10–12), information and communication (13–15), and monitoring activities (16–17)):
  • The organization demonstrates a commitment to integrity and ethical values.
  • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  • The organization identifies and assesses changes that could significantly affect the system of internal control.
  • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The organization selects and develops general control activities over technology to support the achievement of objectives.
  • The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
  • The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The organization communicates with external parties regarding matters affecting the functioning of internal control.
  • The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Project Phases

Phase I – Determination of Objectives

This phase involves determining the key business objectives that will drive the COSO framework implementation.

Phase II – Gap Analysis

This phase involves performing a gap analysis against the 17 COSO requirements, as well as defining a risk and control matrix for the areas exposed to fraud.

Phase III – Control Design and Documentation

This phase applies our methodology for distributing objectives, risks and control responsibility to internal stakeholders. It also includes nominating key roles, such as a risk and compliance officer who will drive ongoing compliance. Each business function receives its own control framework.

Phase IV – Tracking

This phase involves tracking the client's risks, documentation and self-declarations until all internal controls are adequately implemented.

Phase V – Performance Tracking

This phase involves measuring the implementation status of each internal control on a scale of 0–100%. This gives internal stakeholders assurance that the processes implemented are adequate (or flags those at risk). Any deviations or risks identified are treated. We have a structured methodology for this.

Phase VI – Internal Audit

Internal audit provides independent verification of the risk and control implementation as a project, and ongoing assurance over the programme thereafter.

Call or write to us at:
for proposal / roadmap / information