COSO Presentation Final

  • 8/3/2019 COSO Presentation Final (52 slides)

    COSO - Committee Of Sponsoring Organizations of the Treadway Commission

    Submitted to: Dr. Vrijendra Singh
    Submitted by: Pooja Singh, Swati Pandey, Anuja Sethiya, Meera Singh

    ROADMAP

    1. Sponsors for COSO
       1.1 IIA
       1.2 AICPA
       1.3 AAA
       1.4 IMA
       1.5 FEI
    2. Introduction
       2.1 Concerns
       2.2 Effectiveness
    3. ERM
       3.1 Definition
       3.2 Framework
       3.3 Objectives
       3.4 Components
       3.5 Implementation
    4. Internal Control
       4.1 Definition
       4.2 COSO cubes

    ROADMAP (continued)

    5. Limitations
    6. Helpful COSO
    7. Example
    8. References

    Sponsoring organizations for COSO

    COSO stands for the Committee Of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are:

    - Institute of Internal Auditors (IIA)
    - American Institute of Certified Public Accountants (AICPA)
    - American Accounting Association (AAA)
    - Institute of Management Accountants (IMA)
    - Financial Executives Institute (FEI)

    Established in 1941, The Institute of Internal Auditors (IIA) is a guidance-setting body serving members in 165 countries.

    The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United States.

    Mission:

    - Advocating and promoting the value that internal audit professionals add to their organizations;
    - Providing comprehensive professional education and development opportunities; standards and other professional practice guidance; and certification programs;
    - Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;
    - Bringing together internal auditors from all countries to share information and experiences.

    The Institute of Management Accountants (IMA) is a professional organization headquartered in Montvale, New Jersey, with more than 60,000 professionals worldwide.

    The IMA vision is to be the leading resource for developing, certifying, connecting, and supporting the world's best accountants and financial professionals working in business.

    IMA provides a best-in-class certification, the Certified Management Accountant (CMA), for critical internal financial management responsibilities, including planning, budgeting, business reporting, decision analysis, and risk management.

    The American Accounting Association (AAA) is an "organization of persons interested in accounting education and research."

    It was formed in 1916. Its main publication, The Accounting Review, was first published in 1926.

    Its mission is to take further the discipline and profession of accounting through education, research, and service.

    Financial Executives International (FEI) was founded in 1931.

    FEI is a member service-oriented organization for senior-level financial executives in companies of all sizes, both public and private, and in all industries.

    FEI operates a separate non-profit foundation, the Financial Executives Research Foundation, which acts as a financial resource for members and foundation supporters.

    The FEI headquarters and full-time staff are located in Morristown, New Jersey.

    INTRODUCTION

    COSO is a joint initiative of the five private sector organizations.

    The COSO ERM framework defines essential components and provides guidance on enterprise risk management, internal control and fraud deterrence.

    Today's organizations are concerned about:

    - Risk Management
    - Governance
    - Control
    - Assurance (and Consulting)

    And COSO provides them with all these.

    Effective I/C, or ERM, Means:

    That management has a flow of reliable information about each component of control for all the objectives, from all areas of the organization.

    COSO does not specify who should provide what information, just that management should be receiving and acting on the information.

    (continued)

    Many different sources, or flows, of information exist in an organization.

    Soft controls relate to the people doing the work to meet the objectives of the organization; hard controls relate to the processes and activities those people do.

    ERM Defined.

    A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

    ERM FRAMEWORK

    Objectives can be viewed in the context of four categories:

    - Strategic
    - Operations
    - Reporting
    - Compliance

    ERM FRAMEWORK

    ERM considers activities at all levels of the organization:

    - Enterprise-level
    - Division or subsidiary
    - Business unit processes

    Why ERM Is Important?

    Because - Underlying principles:

    - Every entity, whether for-profit or not, exists to realize value for its stakeholders.
    - Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

    Because

    ERM supports value creation by enabling management to:

    - Deal effectively with potential future events that create uncertainty.
    - Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

    Objectives of ERM framework

    - Strategy - high-level goals, aligned with and supporting the organization's mission
    - Operations - effective and efficient use of resources
    - Financial Reporting - reliability of operational and financial reporting
    - Compliance - compliance with applicable laws and regulations

    Eight Components of ERM framework

    The eight components of the framework are interrelated.

    Internal Environment

    - Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
    - Establishes the entity's risk culture.
    - Considers all other aspects of how the organization's actions may affect its risk culture.

    Objective Setting

    - Objectives must exist before management can identify potential events affecting their achievement.
    - Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept.
    - Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

    Event Identification

    - Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
    - Addresses how internal and external factors combine and interact to influence the risk profile.
    - Opportunities are channelled back to management's strategy or objective-setting processes.

    Risk Assessment

    Allows an entity to understand the extent to which potential events might impact objectives.

    Risk Assessment (continued)

    - Employs a combination of both qualitative and quantitative risk assessment methodologies.
    - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
    - Risks are assessed on an inherent and a residual basis.

    Risk Response

    - Identifies and evaluates possible responses to risk.
    - Selects and executes a response based on evaluation of the portfolio of risks and responses.
    - Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

    Control Activities

    - Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
    - Occur throughout the organization, at all levels and in all functions.

    Information and Communication

    - Management identifies, captures, and communicates information that enables people to carry out their responsibilities.
    - Communication occurs in a broader sense, flowing down, across, and up the organization.

    Monitoring

    - Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management.
    - The entity establishes minimum standards for each component of enterprise risk management.

    How to establish ERM?

    - Determine a risk philosophy
    - Survey risk culture
    - Consider organizational integrity and ethical values
    - Decide roles and responsibilities

    Internal Control Defined.

    Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    - Effectiveness and efficiency of operations
    - Reliability of financial reporting
    - Compliance with applicable laws and regulations

    COSO Internal Control

    Soft Controls (People):
    - Openness
    - Shared Values
    - Clarity
    - Commitment to Competence
    - Honesty
    - High Expectations
    - Communications

    Hard Controls (Activities):
    - Reviews
    - Inspections
    - Policies
    - Reconciliations
    - Structure
    - Limits of Authority
    - User IDs and Password
    - Physical Counts

    The COSO cubes - I/C & ERM

    Components shown on the ERM cube:
    - Internal Environment
    - Objective Setting
    - Event Identification
    - Risk Assessment
    - Risk Response
    - Control Activities
    - Information and Communication
    - Monitoring

    Limitations:

    - Reasonable, not absolute assurance
    - Different levels of assurance for different objectives
    - The future is uncertain
    - Other limiting factors: judgment, breakdowns, collusion, management override, cost versus benefits
    - Not part of I/C or ERM: the objectives selected to be achieved, the responses taken to the risks

    How much more can COSO help?

    - Controls for reliability of financial reporting are mainly in finance areas (Financial).
    - Controls over effective and efficient operations (Operational) and compliance with laws and regulations (Compliance) are mainly in operational areas.
    - Discussing objectives, risks and responses is the most valuable part of ERM.

    (continued)

    - Anyone can put together a list of risks and controls, but true ERM can only be done by those directly responsible for achieving the objectives.
    - The same soft controls in the COSO I/C framework also apply to the ERM framework. I/C is fully incorporated into ERM.
    - ERM does not replace good management practices, does not replace setting the right objectives, and does not replace the business experience needed to have the right vision of where an organization should be heading.

    Example: ERM Organization (org chart)

    Roles shown in the chart:
    - Vice President and Chief Risk Officer
    - ERM Director
    - Corporate Credit Risk Manager
    - Insurance Risk Manager
    - FES Commodity Risk Mg. Director
    - ERM Manager (x2)
    - Staff (x3)

    Implementation in a firm

    Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership.

    A risk officer, financial officer, internal auditor, and others usually have key support responsibilities.

    Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocol.

    ERM Report

    The report is in two volumes. The first volume contains the Framework as well as the Executive Summary.

    The Framework defines enterprise risk management and describes principles and concepts, providing direction for all levels of management in businesses and other organizations to use in evaluating and enhancing the effectiveness of enterprise risk management.

    The Executive Summary is a high-level overview directed to chief executives, other senior executives, board members, and regulators.

    Use of the ERM report

    Suggested actions that might be taken as a result of this report depend on the position and role of the parties involved:

    Board of Directors: The board should discuss with senior management the state of the entity's enterprise risk management and provide oversight as needed.

    The board should consider seeking input from internal auditors, external auditors, and others.

    Senior Management: This study suggests that the chief executive assess the organization's enterprise risk management capabilities.

    In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness.

    Other Entity Personnel: Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more senior personnel ideas for strengthening enterprise risk management.

    Internal Auditors: Internal auditors should consider the breadth of their focus on enterprise risk management.

    Regulators: This framework can promote a shared view of enterprise risk management, including what it can do and its limitations.

    Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.

    Professional Organizations: Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework.

    With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively.

    Business executives will be positioned to assess their company's enterprise risk management process against a standard, strengthen the process, and move their enterprise toward established goals.

    Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of enterprise risk management, including its benefits and limitations.

    With all parties utilizing a common enterprise risk management framework, these benefits will be realized.

    References

    - www.coso.org
    - www.wikipedia.com
    - www.authorstream.com

    Thank You!!