Since its origin in 1992, the COSO framework has gained broad acceptance across industries. It has been widely used in GRC, particularly as a suitable, and in practice the predominant, framework for reporting on the effectiveness of internal control over financial reporting.
In the spirit of continuous improvement, COSO's decision to update the framework was driven by the extent of change over the past two decades: increased expectations for governance oversight, greater attention to a risk-based approach, globalization of markets, increasing complexity of business and organizational structures, and increased demands and complexity of laws, regulations and standards.
So what’s new?
The most significant change is the explicit articulation of 17 principles representing the fundamental concepts associated with the five components of internal control. COSO made these principles explicit to improve management's understanding of what constitutes effective internal control.
Other changes include a clearer articulation of the role of objective setting in internal control, greater recognition of the relevance of technology, an enhanced discussion of governance concepts, an expanded reporting category of objectives, greater consideration of anti-fraud expectations, and an increased focus on non-financial reporting objectives.
And how is COSO embedded in ARIS GRC?
Software AG's Governance, Risk and Compliance (GRC) Solution is fully aligned with the COSO Framework. The solution not only covers internal control but also supports enterprise-wide risk management in all phases of the process. It combines ARIS Platform software, Global Consulting Services and the proven PRIME methodology with time-saving reference content based on industry knowledge and project experience.
The starting point for the ERM process is the organization's objectives. These objectives can be defined in ARIS at both company and business unit level and can be strategic, tactical or operational in nature. Without clearly defined objectives, it is impossible to identify the potential events that affect their achievement.
Once objectives are clear, the events that could influence them can be defined. Events with a positive effect are classified as opportunities and fed back into the objective-setting process. Events with a negative impact are captured as risks in the ARIS repository.
Risks are then analyzed in ARIS Risk & Compliance Manager, considering likelihood and impact, as the basis for deciding how they should be managed. Risks are assessed on both an inherent and a residual basis, and can be assessed qualitatively (in categories such as low, medium and high) as well as quantitatively (in absolute percentages and monetary amounts).
Based on the risk assessment output, several responses are possible for the assessed risk: it can be avoided, accepted, shared or reduced. ARIS supports the establishment and implementation of procedures that help ensure the chosen risk responses are effectively carried out. Examples include explicit control measures to mitigate the risk, management reviews, reporting, physical controls (assets, values, stock), controls based on performance indicators, and segregation of duties.
Monitoring is supported through ongoing management activities, separate evaluations, or both. The aim of monitoring is ongoing quality assurance and improvement of the framework from both a design and an operating effectiveness perspective.
Based on the information defined in the previous phases, the system automatically generates a plan for auditing and testing activities. The execution of these activities is supported by workflows, including notifications to everyone involved in the process. In addition to manual audit and testing activities, ARIS also supports the monitoring of automated controls (continuous control monitoring).
Many organizations have benefited from the COSO-based ARIS solution. Our customers use it to implement COSO effectively and efficiently, becoming more agile (managing performance by adapting to the increasing complexity and pace of a changing business environment), more confident (by mitigating risks to acceptable levels) and better informed (through reliable information for decision making). I'm confident that the enhanced clarifications and more explicit guidance provided by the 2013 version of COSO will continue to be relevant and maintain its status as the de facto standard for measuring and assessing internal controls.