COSO model
The COSO model, named after the Committee of Sponsoring Organizations of the Treadway Commission, provides a framework for internal control and risk management. It is also known as COSO ERM (Enterprise Risk Management). COSO is a model, not a tool: combined with a digital management system it becomes a practical means of identifying, evaluating and managing the risks that are specific to your own organization and all of its relevant processes. The digital management system is where a COSO framework is set up and used.
What is COSO?
COSO describes and defines the different elements of an internal control system. An organization that wants to achieve its objectives must deal well with risks and ensure sound risk management.
The COSO cube shows the direct relationship between:
- The objectives of an organization
- The control components
- The entities or units for which the internal control is required

The 8 management components of COSO
The COSO cube contains 8 management components:
- Internal environment (culture, style of leadership, integrity, ethics, division of tasks and powers, and the extent to which risks are taken; the organization's risk appetite is defined here)
- Objective setting
- Identification of the events (opportunities/risks that may have a positive or negative impact on the achievement of the objectives)
- Risk assessment, i.e. assessment of the identified risks (the likelihood that a risk will materialise and the consequences if it occurs)
- Risk response measures (avoiding, accepting, sharing or reducing risks)
- Control measures (e.g. locks on the door, fire hoses, passwords for the PCs, segregation of duties, etc.)
- Information and communication
- Monitoring (periodic review of the whole system of internal control and its coherence)
COSO and the Metaware platform
With a digital management system platform such as the Metaware platform, a COSO model can be set up and applied. A mature management system set up on the Metaware platform offers many starting points for the COSO model.
An overview of functionalities of a mature management system, which can be applied directly to a COSO model:
| COSO component | Functionalities of a mature management system |
| --- | --- |
| Internal environment | A clear and up-to-date overview of how tasks and responsibilities are assigned within the organization; an implemented risk management process: risk methodology, risk owners, risk acceptance, risk treatment plan |
| Setting objectives | Setting and communicating objectives; monitoring of objectives (KPIs) based on realizations |
| Identification of events | A dynamic risk management process is integrated into the platform; risks and related control measures can be included in the control framework |
| Risk assessment | Risk assessment is part of the risk management process; process and risk owners play an active role |
| Risk response measures | Risk response is part of the risk management process; the effectiveness of risk measures is fed back |
| Control measures | The control framework can be extended with other control measures |
| Information and communication | The management system platform is a social platform with various communication functions; users can be actively informed of new information |
| Monitoring | Monitoring is a fixed part of the control framework; workflows can be defined by users, for example to include a monitoring step |