
The COSO model is a framework used to assess and improve internal control within an organisation. It provides insight into the achievement of organisational objectives in areas such as:

  • The effectiveness and efficiency of business processes
  • Compliance with laws, regulations, policies and procedures
  • Risk management

The COSO framework provides a structure on which to map and implement processes, and helps to improve them.

COSO stands for “Committee of Sponsoring Organisations of the Treadway Commission” and was developed by a group of sponsoring organisations to help organisations manage risk and improve internal control. Since 2004, the COSO model has also been called COSO II or COSO ERM (Enterprise Risk Management).

COSO and integrated risk management: the perfect match

As an organisation, you want to achieve objectives, fulfil expectations and be able to be transparent (to both internal and external stakeholders) in order to build a good relationship of trust with stakeholders. But to achieve this, you need to respond to external changes and make risk an integral part of everyday decisions. After all, we are in a rapidly changing environment and this brings both risks and opportunities that you need to be able to anticipate.

By creating insight into all risk categories and then properly managing the risks, you ensure that your organisation is in control. This process is also called integral risk management (IRM) and enables you to identify, analyse, manage and monitor all common risks.

What is the COSO cube?

The COSO framework is designed as a cube. In it, the four types of risks (strategic, operational, information provision, and legislation and regulations) are interwoven with the eight components, as well as with the organisational levels involved.

This visually designed cube is a tool for assessing an organisation’s internal control. It consists of eight cubes that together form a whole. Each of the cubes is associated with a specific aspect of internal control, such as managing risk, being in control of activities and recording information and data. The cubes are connected to each other by lines, indicating consistency between the different aspects of internal control. In this way, this visual tool can help managers understand and assess their organisation’s internal control.

[Figure: the COSO cube]

The 8 control components

  1. Internal environment – this includes topics such as culture, leadership style, integrity, how people deal with ethics, what the distribution of tasks and authority is like, and what the level of risk-taking is;
  2. Setting objectives – what do we actually want to achieve?
  3. Identification of events – what opportunities or risks that could have a positive or negative impact on achieving the objectives do we see?
  4. Risk assessment – how high is the probability that risks will occur, and what consequences would they entail?
  5. The risk management measures – what risks can we avoid, accept, share or mitigate?
  6. Control measures – what will we do to manage risks?
  7. Information and communication
  8. Monitoring with periodic evaluation of the entire system of internal control and coherence

The 4 activities

COSO emphasises that risk management is not a linear process, where one part only affects the next, but has a multi-directional effect. Therefore, it should be applied at all organisational levels. In the COSO cube, you will find the following levels:

  1. The whole of the organisation
  2. Department
  3. Business units
  4. Subsidiaries

The 4 organisational objectives

The COSO model emphasises an organisation’s risk appetite by managing risks in four categories to meet its objectives. Stakeholders gain added value as a result. Here we are talking about the following four categories:

  1. Strategic – set at a high level, aligned with an organisation’s mission and vision.
  2. Operations – these are the activities carried out to achieve goals, looking at effectiveness and efficiency.
  3. Reporting – this embraces the need for reliable reporting on activities and results.
  4. Compliance – this objective refers to the need for organisations to comply with laws and regulations.

Using the COSO ERM framework effectively? Do it together!

The COSO model thus identifies the relationships between enterprise risks and the internal control system. This enables organisations to manage risks, build certainty and knowledge about risks, prevent possible incidents or scandals and comply with laws and regulations. And in turn, that offers the advantage of providing maximum value and transparency towards stakeholders.

More and more organisations are aware that risk management is an issue. That is a great step in the right direction. But what many organisations still forget is that risk management is an ongoing process and that the focus should not only be on identifying risks, but also on continuously managing them.

This is only possible if the entire organisation is involved in this process. So we need to increase our focus on integral risk management in order to increase the risk maturity of the entire organisation and continue to be successful in the future.

Applying the COSO model within your organisation? Use Zenya software

By using Zenya, organisations can implement the COSO model more efficiently and effectively.

For example, the RISK module can help identify and manage risks, monitor activities to ensure they meet internal control requirements, and capture and analyse data to measure and improve internal control performance. This can enable organisations to quickly and easily understand and improve their internal control processes based on the data collected by the software.

In addition, the software can also help implement improvements in internal control through, for example, automating certain processes with Zenya FLOW, and monitoring compliance with internal control guidelines with Zenya CHECK. This can lead to more efficient and effective implementation of the COSO model and improvements in the organisation’s internal control.

Want to know more about COSO and how Zenya can help?

Contact our experts without obligation! We will be pleased to brainstorm with you.