Accountants aren’t the only financial professionals who use numbers to explain the world. The financial services sector is populated by several industries that make up the foundations of America’s and global economies, including banking, real estate, and investing. Not surprisingly, since the economic resources that go into those industries come from individuals, businesses, and governments, there are rules about how the sectors that receive those funds should manage them.
One group responsible for creating those rules is the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This five-member organization of financial services associations provides guidance for secure financial management practices regarding enterprise risk management, fraud deterrence, and internal controls. Its fundamental principle is that risk management and strong internal controls are necessary for any company to succeed long-term. At the core of this need is cloud data governance.
The Treadway Commission
Fraudulent financial reporting isn’t new but continues to pose immense risks to the country’s communities, consumers, and governments. In 1985, a National Commission on Fraudulent Financial Reporting convened, led by five major accounting entities:
- the American Accounting Association;
- the American Institute of Certified Public Accountants (AICPA);
- Financial Executives International (FEI);
- the Institute of Internal Auditors (IIA), and
- the National Association of Accountants [now the Institute of Management Accountants (IMA)].
The Commission’s first Chair was James C. Treadway, (hence the Commission’s popular name), then Executive V.P. of Paine Webber and a former Commissioner of the U.S. Securities and Exchange Commission (SEC). The Commission also included representatives from various industries, investment firms, accounting agencies, and the New York Stock Exchange. Since its launch, the COSO has been a thought leader in the management of highly complex organizations to ensure they remain free of fraud and protect the values invested in them by millions of consumers worldwide.
Most notably, since 1992, COSO has been introducing a series of integrated frameworks that assist any sized entity in assessing and managing the risks inherent in their business. Organized around the three COSO pillars – enterprise risk management, fraud deterrence, and internal controls – these three frameworks provide the structure and organized thought processes needed to methodically assess and address risk concerns.
COSO Framework Cube
The COSO ‘Internal Controls’ Cube:
The ‘COSO Cube‘ for Internal Controls offers a clearly demarcated framework that any C-Suite can use to ensure its financial and risk management practices are comprehensive to its entire enterprise, regardless of its size, configuration, or location. The Internal Controls provide guidance and best practices for managing the organization’s internal governance and provides leadership with standards to look for and follow across the entire enterprise to reduce its risk of loss.
The ‘Cube’ displays the Internal Control’s five components (and their 17 principles) as those inform the management of the two structural dimensions of the corporation: its productivity and its organization.
The five controls include:
- the control environment of the company – how it manages its actions to address risk;
- the company’s risk assessment based on corporate activities and industry;
- the control activities – those actions taken or avoided to reduce or mitigate risk;
- how it informs and communicates with its internal and external stakeholders about risk, and
- how it monitors those risks and adapts over time to maintain a reduced exposure to intrusions.
Each control is then layered over the three functions of the organization:
- its operations – how does it maintain the controls within its operations?
- its reporting – how do the controls contribute to its reporting capacities and the content of those reports? And
- its compliance – how do the controls contribute to the company’s compliance with industry regulations?
Finally, users apply the controls and their directives regarding operations, reporting, and compliance to the enterprise’s physical elements:
- at each entity, when there is more than one entity involved;
- in each division, assuming when there are separate divisions that each accomplishes its distinct corporate functions according to the overarching organizational goals;
- in each operating unit, assuming it has more than one, and
- within each individual capacity of the company – how do corporate functions adhere to control expectations?
Using the Cube, a company can identify and apply ‘best risk-deterring practices’ at each stage of its function, and across all elements of its structural organization.
COSO Enterprise Risk Management – (COSO ERM)
The COSO ERM looks outward from inward controls and applies the same level of risk-averse analysis to a company’s strategy and performance. The COSO ERM philosophy anticipates that strategies must change as times change and that decisions should be executed only after considering all aspects of the risks that arise from any potential next step. When including risk analysis in the decision-making process, execution strategies become more transparent, and corporate performances improve.
The updated 2017 version of the COSO ERM links to the Internal Controls but is structured around its own five components (governance and culture; strategy and objective setting; performance; review and revision, and information, communication, and reporting), and its own 20 key principles related to those components.
Additionally, COSO recently released its Cyber Risk Management Guide, which provides insights and directives on how cyber risks might impact enterprise risk management decisions by Board members, executives, and audit team members.
COSO Fraud Risk Management
This framework incorporates the Internal Controls into assessing and addressing the risk of fraud within or external to the company. By adding an additional, fraud-based principle to each of the five components of the Internal Controls framework, organizations can establish the comprehensive fraud-management approach they seek to build a well-functioning Fraud Risk Management Program.
COSO Components, Identity and Cloud Data Governance
“Access management” is the one of the data security standards, and “identity” is the new perimeter, according to industry professionals. Identity and Data Security strategies have eclipsed network security systems as the ‘best practices’ for getting and keeping corporate information safe in the public cloud. Not only does the strategy filter access to data based on who or what is seeking it, but it also filters access based on why that entity is requesting it. The strategy then limits access only to those identities who have the appropriate authority and only when they have a valid and proper purpose for retrieving it. Today’s platforms, like Sonrai Dig, helps organizations achieve and maintain least privilege enforcing the security guardrails in the cloud.
Today’s platforms also provide the tools needed to implement all three of the COSO frameworks. Within each of those is a component related to addressing risk, not just identifying it, but actually putting controls in place to mitigate and reduce it. For example with Internal Controls Framework:
- Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to achieve policy-based, acceptable-level objectives.
- Principle 11: The organization selects and develops general control activities over technology to support the achievement of risk mitigation objectives.
- Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
For example, the ERM Framework [the organization] includes the considerations for:
- 10: identifies risk
- 13: implements risk responses
- 14: develops portfolio view
Last example is in the Fraud Risk Framework:
- Component 3 – Control Activities: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
In each of these instances, an identity and data security platform can:
- identify the risk based on the identity of the user;
- assess the risk based on the request from the user, and
- mitigate the risk by denying access to unauthorized users.
When compared to legacy data security strategies and practices – database protections, device protections, network protections, etc. – today’s identity and data security solutions stop events at their source: the identity. It prevents over-privileged identities from accessing critical corporate data regardless of their location within the network, their understanding of the database, or the device they are using. The identity gets access to only the data in which is has the right permissions.
The ‘COSO Cube‘ for Internal Controls offers a clear framework and the C-Suite should look to find a clear solution to meet this framework.