The ABCs of Risk Management

Internal Controls for Non-Finance Professionals

You’ve heard the words in business circles: COSO, ERM, SOX, and COBIT. It looks like alphabet soup, but what do they mean? If you think these all relate to risk management, then you are on the right track. The difference lies in their primary focus or objective as well as in their methodology. Let’s take a bird’s eye view of each.

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

In case you are curious about the unusual name, here is the explanation. The COSO internal control framework, issued in 1992, was sponsored and funded by five accounting and auditing associations, namely the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The commission was led by James Treadway, a former SEC commissioner.

COSO is recognized as the leading framework for designing, implementing, and assessing the effectiveness of internal controls. Its objective was to provide reasonable assurance regarding the achievement of organizational objectives in the following categories: operational effectiveness and efficiency, financial reporting reliability, compliance with applicable laws and regulations, and safeguarding of assets.

SOX (Sarbanes-Oxley Act)

SOX is legislation passed by the U.S. Congress in 2002, sponsored in Congress by Senator Sarbanes and Representative Oxley. One of the features of this law was a new requirement for management to certify, and for the independent auditor to attest to, the effectiveness of a company’s internal control system. The goal was to protect shareholders and the public from fraudulent financial reporting practices. Among the COSO objectives, SOX focuses on the financial reporting objective.

ERM (Enterprise Risk Management)

The ERM framework, issued in 2004, added a focus on the strategic objective (i.e., high-level goals that support the mission of the organization) to COSO’s operational, financial, and compliance objectives.

ERM broadened COSO’s focus from managing risk to also seizing opportunities for achieving organizational objectives, such as enhancing profits. ERM considers both positive risks (i.e., business opportunities) and negative risks (i.e., business threats).

COBIT (Control Objectives for Information and Related Technologies)

COBIT is the IT equivalent of COSO. It is a framework created by ISACA (Information Systems Audit and Control Association) for information technology management and governance. It aims to link business risks, control requirements, and the technical infrastructure. It is used for the governance of both IT implementations and ongoing operations.