The COSO model is a framework used to assess and improve internal control within an organisation. It provides insight into the achievement of organisational objectives in areas such as:
The COSO framework provides a structure on which to map and implement processes, and helps to improve them.
COSO stands for “Committee of Sponsoring Organisations of the Treadway Commission” and was developed by a group of sponsoring organisations to help organisations manage risk and improve internal control. Since 2004, the COSO model has also been called COSO II or COSO ERM (Enterprise Risk Management).
As an organisation, you want to achieve objectives, fulfil expectations and be transparent (to both internal and external stakeholders) in order to build a good relationship of trust with stakeholders. But to achieve this, you need to respond to external changes and make risk an integral part of everyday decisions. After all, we are in a rapidly changing environment and this brings both risks and opportunities that you need to be able to anticipate.
By creating insight into all risk categories and then properly managing the risks, you ensure that your organisation is in control. This process is also called integral risk management (IRM) and enables you to identify, analyse, manage and monitor all common risks.
The COSO framework is designed as a cube. In it, the four types of risks (strategic, operational, information provision, and legislation and regulations) are interwoven with the eight components, as well as the organisational levels involved.
This visually designed cube is a tool for assessing an organisation’s internal control. It consists of eight cubes that together form a whole. Each of the cubes is associated with a specific aspect of internal control, such as managing risk, being in control of activities and recording information and data. The cubes are connected to each other by lines, indicating consistency between the different aspects of internal control. In this way, this visual tool can help managers understand and assess their organisation’s internal control.
COSO emphasises that risk management is not a linear process, where one part only affects the next, but has a multi-directional effect. Therefore, it should be applied at all organisational levels. In the COSO cube, you will find the following levels:
The COSO model emphasises an organisation’s risk appetite by managing risks in four categories to meet its objectives. Stakeholders gain added value as a result. Here we are talking about the following four categories:
The COSO model thus identifies the relationships between enterprise risks and the internal control system. This enables organisations to manage risks, build certainty and knowledge about risks, prevent possible incidents or scandals and comply with laws and regulations. And in turn, that offers the advantage of providing maximum value and transparency towards stakeholders.
More and more organisations are aware that risk management is an issue. That is a great step in the right direction. But what many organisations still forget is that risk management is an ongoing process and that the focus should not only be on identifying risks, but also on continuously managing them.
This is only possible if the entire organisation is involved in this process. So we need to increase our focus on integral risk management in order to increase the risk maturity of the entire organisation and continue to be successful in the future.
By using Zenya, organisations can implement the COSO model more efficiently and effectively.
For example, the RISK module can help identify and manage risks, monitor activities to ensure they meet internal control requirements, and capture and analyse data to measure and improve internal control performance. This can enable organisations to quickly and easily understand and improve their internal control processes based on the data collected by the software.
In addition, the software can also help implement improvements in internal control through, for example, automating certain processes with Zenya FLOW, and monitoring compliance with internal control guidelines with Zenya CHECK. This can lead to more efficient and effective implementation of the COSO model and improvements in the organisation’s internal control.