Accountants aren't the only financial professionals who use numbers to explain the world. The financial services sector is populated by several industries that form the foundations of the American and global economies, including banking, real estate, and investing. Not surprisingly, since the economic resources that go into those industries come from individuals, businesses, and governments, there are rules about how the sectors that receive those funds should manage them.
One group responsible for creating those rules is the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This five-member organization of financial services associations provides guidance for secure financial management practices regarding enterprise risk management, fraud deterrence, and internal controls. Its fundamental principle is that risk management and strong internal controls are necessary for any company to succeed long-term.
Fraudulent financial reporting isn't new but continues to pose immense risks to the country's communities, consumers, and governments. In 1985, a National Commission on Fraudulent Financial Reporting convened, led by five major accounting entities:
The Commission's first Chair was James C. Treadway (hence the Commission's popular name), then Executive V.P. of Paine Webber and a former Commissioner of the U.S. Securities and Exchange Commission (SEC). The Commission also included representatives from various industries, investment firms, accounting agencies, and the New York Stock Exchange. Since its launch, COSO has been a thought leader in the management of highly complex organizations, helping them remain free of fraud and protect the value invested in them by millions of consumers worldwide.
Most notably, since 1992 COSO has been introducing a series of integrated frameworks that help entities of any size assess and manage the risks inherent in their business. Organized around the three COSO pillars - enterprise risk management, fraud deterrence, and internal controls - these three frameworks provide the structure and organized thought process needed to methodically assess and address risk concerns.
The 'COSO Cube' for Internal Controls offers a clearly demarcated framework that any C-Suite can use to ensure its financial and risk management practices are comprehensive across its entire enterprise, regardless of its size, configuration, or location. The Internal Controls framework provides guidance and best practices for managing the organization's internal governance and gives leadership standards to look for and follow across the entire enterprise to reduce its risk of loss.
The 'Cube' displays the Internal Controls' five components (and their 17 principles) as they inform the management of the two structural dimensions of the corporation: its productivity and its organization.
The five controls include:
Each control is then layered over the three functions of the organization:
Finally, users apply the controls and their directives regarding operations, reporting, and compliance to the enterprise's physical elements:
Using the Cube, a company can identify and apply 'best risk-deterring practices' at each stage of its function, and across all elements of its structural organization.
The COSO ERM framework looks outward from internal controls and applies the same level of risk-averse analysis to a company's strategy and performance. The COSO ERM philosophy anticipates that strategies must change as times change and that decisions should be executed only after considering all aspects of the risks that arise from any potential next step. When risk analysis is included in the decision-making process, execution strategies become more transparent and corporate performance improves.
The updated 2017 version of the COSO ERM framework links to the Internal Controls framework but is structured around its own five components (governance and culture; strategy and objective setting; performance; review and revision; and information, communication, and reporting) and its own 20 key principles related to those components.
Additionally, COSO recently released its Cyber Risk Management Guide, which provides insights and directives on how cyber risks might impact enterprise risk management decisions by Board members, executives, and audit team members.
The Fraud Risk Management framework incorporates the Internal Controls framework into assessing and addressing the risk of fraud, whether internal or external to the company. By adding an additional, fraud-based principle to each of the five components of the Internal Controls framework, organizations can establish the comprehensive fraud-management approach they need to build a well-functioning Fraud Risk Management Program.
"Access management" is one of the data security standards, and "identity" is the new perimeter, according to industry professionals. Identity and data security strategies have eclipsed network security systems as the 'best practice' for getting and keeping corporate information safe in the public cloud. Not only does the strategy filter access to data based on who or what is seeking it, but it also filters access based on why that entity is requesting it. The strategy then limits access to those identities that have the appropriate authority, and only when they have a valid and proper purpose for retrieving the data. Today's platforms, like Sonrai Dig, help organizations achieve and maintain least privilege by enforcing security guardrails in the cloud.
Today's platforms also provide the tools needed to implement all three of the COSO frameworks. Each of them has a component related to addressing risk: not just identifying it, but actually putting controls in place to mitigate and reduce it. For example, within the Internal Controls framework:
For example, the ERM Framework [the organization] includes the considerations for:
A last example is in the Fraud Risk Management framework:
In each of these instances, an identity and data security platform can:
When compared to legacy data security strategies and practices - database protections, device protections, network protections, etc. - today's identity and data security solutions stop events at their source: the identity. They prevent over-privileged identities from accessing critical corporate data regardless of their location within the network, their understanding of the database, or the device they are using. The identity gets access only to the data for which it has the right permissions.
The 'COSO Cube' for Internal Controls offers a clear framework, and the C-Suite should look for an equally clear solution to meet it.
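As an added illustration of the identity-centric strategy described in this paragraph and in the "access management" paragraph above (example code written for this page, not code from Sonrai Dig or from the original article), the following Python evaluates access requests deny-by-default against the grants held by an identity, binds each grant to the purposes it may be exercised for, deliberately ignores network location and device in the decision, and includes a least-privilege review that flags grants an identity holds but never uses. All identities, datasets, purposes and audit requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Grant:
    """A permission bound to the purposes under which it may be exercised."""
    dataset: str
    action: str                 # "read" or "write"
    purposes: FrozenSet[str]    # empty set means the grant is never usable


@dataclass(frozen=True)
class Identity:
    name: str
    grants: Tuple[Grant, ...] = ()


@dataclass(frozen=True)
class Request:
    identity: str
    dataset: str
    action: str
    purpose: str
    source_ip: str = ""   # network context: kept for the audit trail, never consulted
    device: str = ""      # device context: kept for the audit trail, never consulted


# Constructed sample directory (hypothetical identities, datasets and purposes).
DIRECTORY: Dict[str, Identity] = {
    "svc-reporting": Identity("svc-reporting", (
        Grant("ledger", "read", frozenset({"quarterly-close", "audit"})),
    )),
    "alice": Identity("alice", (
        Grant("ledger", "read", frozenset({"quarterly-close"})),
        Grant("ledger", "write", frozenset({"quarterly-close"})),
        Grant("payroll", "read", frozenset({"audit"})),
    )),
}


def decide(req: Request, directory: Dict[str, Identity] = DIRECTORY) -> Tuple[bool, str]:
    """Deny by default: allow only when the identity holds a grant for the dataset
    and action whose purpose binding covers the stated purpose. Where the request
    comes from (IP, device) plays no part in the decision."""
    ident = directory.get(req.identity)
    if ident is None:
        return False, "unknown identity"
    for g in ident.grants:
        if g.dataset == req.dataset and g.action == req.action:
            if req.purpose in g.purposes:
                return True, f"{g.dataset}:{g.action} permitted for purpose {req.purpose}"
            return False, f"{g.dataset}:{g.action} not permitted for purpose {req.purpose}"
    return False, f"no grant for {req.dataset}:{req.action}"


def review_unused_grants(identity: Identity, audit: List[Request]) -> List[Grant]:
    """Least-privilege review: grants the identity holds but never successfully
    exercised in the audit trail are candidates for removal (over-privilege)."""
    exercised = set()
    for req in audit:
        if req.identity != identity.name:
            continue
        allowed, _ = decide(req, {identity.name: identity})
        if allowed:
            exercised.add((req.dataset, req.action))
    return [g for g in identity.grants if (g.dataset, g.action) not in exercised]


if __name__ == "__main__":
    # Constructed audit trail: alice only ever read the ledger during the close.
    audit = [
        Request("alice", "ledger", "read", "quarterly-close", "10.0.0.5", "corp-laptop"),
        Request("alice", "ledger", "read", "curiosity", "10.0.0.5", "corp-laptop"),
        Request("alice", "payroll", "write", "audit", "203.0.113.9", "unknown"),
        Request("mallory", "ledger", "read", "audit", "10.0.0.7", "corp-laptop"),
    ]
    for req in audit:
        print(req.identity, req.dataset, req.action, req.purpose, "->", decide(req))
    for g in review_unused_grants(DIRECTORY["alice"], audit):
        print("candidate for removal:", g.dataset, g.action)
```

The second request shows the purpose binding at work: the same identity, dataset, and action that is allowed for the quarterly close is refused for an unstated or unrelated purpose, and the two requests from the corporate laptop and from an unknown device are judged identically because only the identity's grants are consulted. The review function turns the "over-privileged identities" point into something measurable: any grant that an audit window never exercises is a concrete least-privilege finding.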