Limitations of the COSO Framework

The business landscape constantly changes and evolves. Advances in technology, growing global competition, and fluctuating market conditions are only a few of the issues companies face today. To stay competitive, organizations must constantly monitor, adapt, and reconsider business objectives and processes. This also holds true for systems designed to serve as foundations for effective internal control structures.

Since the first Internal Control-Integrated Framework was published by the Committee of Sponsoring Organizations of the Treadway Commission COSO in 1992, COSO has developed several new and improved frameworks. The history of COSO frameworks looks like this:

• 1992: The original Internal Control-Integrated Framework is presented to the business world
• 2004: To fill certain gaps recognized in the original framework, COSO releases Enterprise Risk Management-Integrated Framework
• 2013: An updated and enhanced version of the Internal Control-Integrated Framework is dispensed
• 2017: A new ERM Framework is published (ERM – Integrating with Strategy and Performance)

Regardless of the control framework—ISO 31000, COBIT or COSO—no system is 100% efficient.

Let’s look at some of the identified limitations of the COSO framework that prompted each rendition.

A Summary of COSO’s First Internal Control Framework

The original framework defines internal control as, “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Accepted internationally as the standard for internal control systems, COSO’s 1992 Framework included five precepts for effective internal control.

The five components:

• Control environment 
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Effective as a tool for appraising internal controls already in place, limitations of the COSO framework from 1992 became apparent as the business environment rapidly changed.

The 2004 Enterprise Risk Management (ERM)-Integrated Framework

It’s no coincidence COSO released its new standard, not long after Congress passed the Sarbanes-Oxley Act (SOX) in 2002. The 2004 framework addresses Section 404 of SOX, requiring public companies to test internal control over financial reporting, holding management responsible for certifying there is reasonable assurance financial statements are free of material misstatement.

Although the 2004 ERM Framework was created to expand the scope of internal controls to address strategy-setting objectives and better develop the risk management process, the consensus was that the framework was still too heavily focused on auditable business processes and fiduciary responsibilities. The failure to address the role risk management has in developing and improving business strategies was seen as one of the most glaring limitations of the COSO framework.

Enter the ERM Framework of 2017.

Internal Control-Integrated Framework (2013)

The new internal control framework fills in some of the 1992 framework gaps.

The addition of 17 principles, describing how to incorporate the five components into an effective internal control model, transformed the COSO framework into a blueprint for developing new internal controls. The new framework also Incorporated internal controls for IT systems.

A huge leap in corporate governance and risk management, the new version still contains limitations.

The 2013 Framework postulates that to be effective, an internal control system must have all five components and 17 principles “present” and “functioning” and “operating together.” What it doesn’t address is the possibility that, due to size, country of operation, or industry of the business, certain principles may not apply. 

In this case, according to the COSO Framework, a business has “major deficiencies” within the internal control system.

The limitations of the COSO framework in this instance is that it doesn’t offer guidance on how to adjust accordingly.

The New COSO ERM Framework (2017)

According to COSO’s FAQ publication regarding the new framework: “it provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy, enhances the alignment between organizational performance and enterprise risk management, and accommodates expectations for governance and oversight.”

Industry leaders and Boards of Directors alike agree the new standards offer dramatic Improvement in the areas of risk tolerance, risk appetite, and risk response. It’s also acknowledged that the 2017 Framework does a much better job of incorporating risk assessment, objective setting, corporate governance, and reporting objectives across all aspects of the organizational structure, rather than handling those items separately in a silo-based approach. 

A noticeable inadequacy to the new risk management framework is a lack of discussion on issues revolving around risks from external parties or external events.

Additional Limitations of the COSO Framework

Overall, the COSO frameworks are excellent tools and have assisted organizations in establishing a solid and efficient system of internal controls and fraud protection policies and procedures over the years.

Probably one of the biggest limitations in any ERM framework doesn’t lie within the concepts of the framework itself, but in an area that’s often the most difficult to entirely control—the human factor. COSO admits that even with a well-designed internal control system, internal auditors cannot always uncover risks of human error, poor judgment, management overrides, or employees colluding to circumvent internal control.

To avoid the pitfalls inherent in any framework, more organizations are replacing manual processes with automated systems. Not only does this address many of the limitations of COSO frameworks, but also makes it easier to reduce risk to lower levels and mitigate internal control deficiencies.

Schedule a demo to learn how ZenGRC improves risk management strategies.