Impact of COSO Frameworks on scope of Internal Controls



  • As I understand SOA, the required internal controls are limited to those that directly involve financial activities, namely authorizations, recording, auditing and reporting. They do not extend to operational processes, e.g. engineering design, production/service operations, quality provisions, etc., of the ‘issuer’.
    In practice, however, will the COSO Integrated Management Framework and the soon to be finalized Enterprise Risk Management (ERM) Framework actually expand the scope of controls to all processes?
    (The substance of both COSO Frameworks embodies the requirements of the ISO 9001:2000 Quality Management System standard.)





  • Hello Charles,
    our parent company started off with a concept for the complete approach. This included thorough documentation of all processes in financial reporting, compliance with legal restrictions and operations on all levels, plus establishing controls and testing the control system.
    This is not how I understand the legal text of the act, as I see the focus on how figures and information get into financial reporting and press releases. Surely the board must be able to clearly state that they are in control of the company at any time. However, does that mean that establishing this control system and monitoring its effectiveness has to cover every little sub-process? What is the appropriate grade of refinement?
    By now our parent company has reduced the scope. Financial reporting is still the core process with the greatest focus, but operations will have to be included only as far as risk assessment plays a decisive role and soft factors of the control environment are concerned.
    Still, training issues need to be revised and the complete roll-out is postponed.
    We have a web-based forum too, but nobody really dares to answer my questions or reply to my comments. I have the impression that, although this subject is really a big thing in our parent company, nobody really likes it and nobody dares to criticise the official line.



  • We also tried to bring an integrated approach to life. But that didn’t really work out and got most of the people involved confused. There’s a thin line between SOX and risk management. And most of the people can’t see the difference between operational risk, which mainly causes economic loss, and financial misstatement risk.
    Yes - both are process related, but the goals are different and therefore so are the requirements.
    After changing to push only SOX and postpone the risk management assessment until after the SOX implementation, we’re doing quite well. Even though we’re not required to, we will finish the SOX project by the end of 2004.
    By then we’ll have implemented COSO and COBIT for SOX purposes and can start from there with our risk management project.
