CommitteeofSponsoringOrganizationsofthe

TreadwayCommission
FromWikipedia,thefreeencyclopedia

TheCommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO)isajoint
initiativeoffiveprivatesectororganizations,establishedintheUnitedStates,dedicatedtoproviding
thoughtleadershiptoexecutivemanagementandgovernanceentitiesoncriticalaspectsoforganizational
governance,businessethics,internalcontrol,enterpriseriskmanagement,fraud,andfinancialreporting.
COSOhasestablishedacommoninternalcontrolmodelagainstwhichcompaniesandorganizations
mayassesstheircontrolsystems.COSOissupportedbyfivesupportingorganizations,includingthe
InstituteofManagementAccountants(IMA),theAmericanAccountingAssociation(AAA),the
AmericanInstituteofCertifiedPublicAccountants(AICPA),theInstituteofInternalAuditors(IIA),and
FinancialExecutivesInternational(FEI).

Contents
1Organizationaloverview
2History
3InternalControlIntegratedFramework
3.1KeyconceptsoftheCOSOframework
3.2Definitionofinternalcontrolandframeworkobjectives
3.3Fiveframeworkcomponents
3.4Limitations
4EnterpriseRiskManagementIntegratedFramework
4.1Fourcategoriesofbusinessobjectives
4.2Eightframeworkcomponents
4.3Limitations
5InternalControloverFinancialReportingGuidanceforSmallerPublicCompanies
6GuidanceonMonitoringInternalControlSystems
7Roleofinternalaudit
8Roleofexternalaudit
9InternalControlIntegratedFrameworkupdateproject
10References
11Externallinks

Organizationaloverview
COSOwasformedin1985tosponsortheNationalCommissiononFraudulentFinancialReporting(the
TreadwayCommission).TheTreadwayCommissionwasoriginallyjointlysponsoredandfundedby
fivemainprofessionalaccountingassociationsandinstitutesheadquarteredintheUnitedStates:the
AmericanInstituteofCertifiedPublicAccountants(AICPA),AmericanAccountingAssociation(AAA),
FinancialExecutivesInternational(FEI),InstituteofInternalAuditors(IIA)andtheInstituteof
ManagementAccountants(IMA).TheTreadwayCommissionrecommendedthattheorganizations
sponsoringtheCommissionworktogethertodevelopintegratedguidanceoninternalcontrol.Thesefive
organizationsformedwhatisnowcalledtheCommitteeofSponsoringOrganizationsoftheTreadway
Commission.

TheoriginalchairmanoftheTreadwayCommissionwasJamesC.Treadway,Jr.,ExecutiveVice
PresidentandGeneralCounsel,PaineWebberandaformerCommissioneroftheU.S.Securitiesand
ExchangeCommission.Hence,thepopularname"TreadwayCommission".RobertB.Hirth,Jr.
(http://www.coso.org/documents/COSO%20Chairman%20June%202013%20Release%20Final.pdf)
becamethenewestChairmanofCOSO'sboard(http://www.coso.org/board.htm)onJune1,2013.

History
Duetoquestionablecorporatepoliticalcampaignfinancepracticesandforeigncorruptpracticesinthe
mid1970s,theU.S.SecuritiesandExchangeCommission(SEC)andtheU.S.Congressenacted
campaignfinancelawreformsandthe1977ForeignCorruptPracticesAct(FCPA)whichcriminalized
transnationalbriberyandrequiredcompaniestoimplementinternalcontrolprograms.Inresponse,the
TreadwayCommission,aprivatesectorinitiative,wasformedin1985toinspect,analyze,andmake
recommendationsonfraudulentcorporatefinancialreporting.
TheTreadwayCommissionstudiedthefinancialinformationreportingsystemovertheperiodfrom
October1985toSeptember1987andissuedareportoffindingsandrecommendationsinOctober1987,
ReportoftheNationalCommissiononFraudulentFinancialReporting.[1]Asaresultofthisinitial
report,theCommitteeofSponsoringOrganizations(COSO)wasformedanditretainedCoopers&
Lybrand,amajorCPAfirm,tostudytheissuesandauthorareportregardinganintegratedframeworkof
internalcontrol.
InSeptember1992,thefourvolumereportentitledInternalControlIntegratedFramework[2]was
releasedbyCOSOandlaterrepublishedwithminoramendmentsin1994.Thisreportpresenteda
commondefinitionofinternalcontrolandprovidedaframeworkagainstwhichinternalcontrolsystems
maybeassessedandimproved.ThisreportisonestandardthatU.S.companiesusetoevaluatetheir
compliancewithFCPA.AccordingtoapollbyCFOmagazinereleasedin2006,82%ofrespondents
claimedtheyusedCOSO'sframeworkforinternalcontrols.Otherframeworksusedbyrespondents
includedCOBIT,AS2(AuditingStandardNo.2,PCAOB),andSAS55/78(AICPA).[3]

InternalControlIntegratedFramework
KeyconceptsoftheCOSOframework
TheCOSOframeworkinvolvesseveralkeyconcepts:
Internalcontrolisaprocess.Itisameanstoanend,notanendinitself.
Internalcontrolisaffectedbypeople.It'snotmerelypolicy,manuals,andforms,butpeopleat
everylevelofanorganization.
Internalcontrolcanbeexpectedtoprovideonlyreasonableassurance,notabsoluteassurance,to
anentity'smanagementandboard.
Internalcontrolisgearedtotheachievementofobjectivesinoneormoreseparatebutoverlapping
categories.

Definitionofinternalcontrolandframeworkobjectives
TheCOSOframeworkdefinesinternalcontrolasaprocess,effectedbyanentity'sboardofdirectors,
managementandotherpersonnel,designedtoprovide"reasonableassurance"regardingtheachievement
ofobjectivesinthefollowingcategories:

Effectivenessandefficiencyofoperations
Reliabilityoffinancialreporting
Compliancewithapplicablelawsandregulations.
SafeguardingofAssets(MHA)

Fiveframeworkcomponents
TheCOSOinternalcontrolframeworkconsistsoffiveinterrelatedcomponentsderivedfromtheway
managementrunsabusiness.AccordingtoCOSO,thesecomponentsprovideaneffectiveframework
fordescribingandanalyzingtheinternalcontrolsystemimplementedinanorganizationasrequired
byfinancialregulations(seeSecuritiesExchangeActof1934,[4])Thefivecomponentsarethe
following:
Controlenvironment:Thecontrolenvironmentsetsthetoneofanorganization,influencingthecontrol
consciousnessofitspeople.Itisthefoundationforallothercomponentsofinternalcontrol,providing
disciplineandstructure.Controlenvironmentfactorsincludetheintegrity,ethicalvalues,management's
operatingstyle,delegationofauthoritysystems,aswellastheprocessesformanaginganddeveloping
peopleintheorganization.
Riskassessment:Everyentityfacesavarietyofrisksfromexternalandinternalsourcesthatmustbe
assessed.Apreconditiontoriskassessmentisestablishmentofobjectivesandthusriskassessmentisthe
identificationandanalysisofrelevantriskstotheachievementofassignedobjectives.Riskassessmentis
aprerequisitefordetermininghowtherisksshouldbemanaged.
Controlactivities:Controlactivitiesarethepoliciesandproceduresthathelpensuremanagement
directivesarecarriedout.Theyhelpensurethatnecessaryactionsaretakentoaddresstherisksthatmay
hindertheachievementoftheentity'sobjectives.Controlactivitiesoccurthroughouttheorganization,at
alllevelsandinallfunctions.Theyincludearangeofactivitiesasdiverseasapprovals,authorizations,
verifications,reconciliations,reviewsofoperatingperformance,securityofassetsandsegregationof
duties.
Informationandcommunication:Informationsystemsplayakeyroleininternalcontrolsystemsas
theyproducereports,includingoperational,financialandcompliancerelatedinformation,thatmakeit
possibletorunandcontrolthebusiness.Inabroadersense,effectivecommunicationmustensure
informationflowsdown,acrossanduptheorganization.Forexample,formalizedproceduresexistfor
peopletoreportsuspectedfraud.Effectivecommunicationshouldalsobeensuredwithexternalparties,
suchascustomers,suppliers,regulatorsandshareholdersaboutrelatedpolicypositions.
Monitoring:Internalcontrolsystemsneedtobemonitoredaprocessthatassessesthequalityofthe
system'sperformanceovertime.Thisisaccomplishedthroughongoingmonitoringactivitiesorseparate
evaluations.Internalcontroldeficienciesdetectedthroughthesemonitoringactivitiesshouldbereported
upstreamandcorrectiveactionsshouldbetakentoensurecontinuousimprovementofthesystem.

Limitations
Internalcontrolinvolveshumanaction,whichintroducesthepossibilityoferrorsinprocessingor
judgment.Internalcontrolcanalsobeoverriddenbycollusionamongemployees(seeseparationof
duties)orcoercionbytopmanagement.
CFOmagazinereportedthatcompaniesarestrugglingtoapplythecomplexmodelprovidedbyCOSO.
"Oneofthebiggestproblems:limitinginternalauditstooneofthethreekeyobjectivesofthe
framework.IntheCOSOmodel,thoseobjectivesareappliedtofivekeycomponents(control

COSOpublisheditsGuidanceonMonitoringInternalControlSystemstoclarifythemonitoring
componentofinternalcontrol.
Overtimeeffectivemonitoringcanleadtoorganizationalefficienciesandreducedcostsassociatedwith
publicreportingoninternalcontrolbecauseproblemsareidentifiedandaddressedinaproactive,rather
thanreactive,manner.
COSO'sMonitoringGuidancebuildsontwofundamentalprinciplesoriginallyestablishedinCOSO's
2006Guidance:
Ongoingand/orseparateevaluationsenablemanagementtodeterminewhethertheother
componentsofinternalcontrolcontinuetofunctionovertime,and
Internalcontroldeficienciesareidentifiedandcommunicatedinatimelymannertothoseparties
responsiblefortakingcorrectiveactionandtomanagementandtheboardasappropriate.
Themonitoringguidancefurthersuggeststhattheseprinciplesarebestachievedthroughmonitoringthat
isbasedonthreebroadelements:
Establishingafoundationformonitoring,including(a)apropertoneatthetop(b)aneffective
organizationalstructurethatassignsmonitoringrolestopeoplewithappropriatecapabilities,
objectivityandauthorityand(c)astartingpointor"baseline"ofknowneffectiveinternalcontrol
fromwhichongoingmonitoringandseparateevaluationscanbeimplemented
Designingandexecutingmonitoringproceduresfocusedonpersuasiveinformationaboutthe
operationofkeycontrolsthataddressmeaningfulriskstoorganizationalobjectivesand
Assessingandreportingresults,whichincludesevaluatingtheseverityofanyidentified
deficienciesandreportingthemonitoringresultstotheappropriatepersonnelandtheboardfor
timelyactionandfollowupifneeded.

Roleofinternalaudit
Internalauditorsplayanimportantroleinevaluatingtheeffectivenessofcontrolsystems.Asan
independentfunctionreportingtothetopmanagement,internalauditisabletoassesstheinternalcontrol
systemsimplementedbytheorganizationandcontributetoongoingeffectiveness.Assuch,internal
auditoftenplaysasignificantmonitoringrole.Inordertopreserveitsindependenceofjudgmentinternal
auditshouldnottakeanydirectresponsibilityindesigning,establishing,ormaintainingthecontrolsitis
supposedtoevaluate.Itmayonlyadviseonpotentialimprovementtobemade.

Roleofexternalaudit
UnderSection404oftheSarbanesOxleyAct,managementandtheexternalauditorsarerequiredto
reportontheadequacyofthecompany'sinternalcontroloverfinancialreporting.AuditingStandardNo.
5,publishedbythePublicCompanyAccountingOversightBoard,requiresauditorsto"usethesame
suitable,recognizedcontrolframeworktoperformhisorherauditofinternalcontroloverfinancial
reportingasmanagementusesforitsannualevaluationoftheeffectivenessofthecompany'sinternal
controloverfinancialreporting".[8]

InternalControlIntegratedFrameworkupdateproject
InNovember2010,COSOhasannouncedaprojecttoreviewandupdatetheInternalControl
IntegratedFrameworktomakeitmorerelevantintheincreasinglycomplexbusinessenvironment.[9]
Thefiveframeworkcomponentsremainthesame.Anewfeatureintheupdatedframeworkisthatthe