
Committee of Sponsoring Organizations

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Committee of Sponsoring Organizations
Formation: 1985
Founder: American Institute of Certified Public Accountants, Institute of Internal Auditors, Financial Executives International, American Accounting Association, Institute of Management Accountants
Type: Nonprofit coalition
Headquarters: United States
Area served: International
Products: Internal control frameworks, risk management guidance

The Committee of Sponsoring Organizations is a private-sector initiative formed in 1985 to develop frameworks and guidance for internal control, enterprise risk management, and fraud deterrence. The organization brought together professional associations and standard-setters including the American Institute of Certified Public Accountants, the Institute of Internal Auditors, Financial Executives International, the American Accounting Association, and the Institute of Management Accountants to respond to calls from the Securities and Exchange Commission and Congress for improved corporate reporting and control practices. Over the decades, the organization influenced regulatory developments such as the Sarbanes–Oxley Act of 2002 and guidance from the Public Company Accounting Oversight Board and FASB.

History

The initiative originated after a 1985 report convened by the five sponsoring bodies to address rising concerns following high-profile failures like the Enron scandal and the WorldCom scandal, and governance scrutiny from hearings in the United States Congress. Early work produced the original internal control framework, responding to demands voiced by regulators such as the Securities and Exchange Commission and oversight bodies including the Government Accountability Office. Subsequent milestones included publication revisions in 1992 and 2013, and updates aligning with international standards like guidance from the International Federation of Accountants, the International Organization for Standardization, and dialogues with the OECD. The group engaged with stakeholders including audit committee members from listed companies, chief executives from Fortune 500 firms, and academic researchers at institutions such as Harvard Business School and the Wharton School.

Structure and Membership

The sponsoring coalition is composed of professional associations and standard-setting organizations headquartered in North America with global outreach. Founding sponsors included the American Institute of Certified Public Accountants, the Institute of Internal Auditors, Financial Executives International, the American Accounting Association, and the Institute of Management Accountants. Over time, COSO expanded collaboration with organizations such as the International Federation of Accountants, the World Bank, the International Monetary Fund, and regional bodies like the Canadian Institute of Chartered Accountants and the Australian Securities and Investments Commission. Governance typically involves advisory councils drawn from chief audit executives at General Electric, chief financial officers at IBM, board members from JP Morgan Chase, academics from the Stanford Graduate School of Business, and regulators associated with the Public Company Accounting Oversight Board and national securities commissions. Working groups have included participants from firms such as Deloitte, PwC, Ernst & Young, and KPMG.

COSO Frameworks and Guidance

The organization is best known for frameworks addressing internal control and risk. The original Internal Control—Integrated Framework introduced five components widely cited in guidance from Sarbanes–Oxley Act of 2002 compliance programs and audit methodologies used by PricewaterhouseCoopers and Grant Thornton. COSO later published the Enterprise Risk Management—Integrated Framework, which informed enterprise practices at multinational corporations like Procter & Gamble and Siemens. Subsequent guidance encompassed fraud risk management, evaluation tools for board members from NASDAQ-listed companies, and updates addressing cybersecurity and information technology risks relevant to entities such as Microsoft and Cisco Systems. The frameworks have been referenced in reports by the Basel Committee on Banking Supervision and integrated into standards published by the International Organization for Standardization and Financial Stability Board dialogues.

Implementation and Applications

Practitioners implement COSO frameworks across industries including banking institutions supervised by the Federal Reserve System, insurers regulated by the National Association of Insurance Commissioners, and healthcare systems such as Mayo Clinic. Corporate audit committees and external auditors from firms like KPMG and Deloitte use the frameworks to assess control effectiveness, design control testing plans, and support financial reporting at public companies listed on the New York Stock Exchange and NASDAQ. Risk officers apply the enterprise risk management guidance to strategic planning, business continuity programs influenced by FEMA recommendations, and vendor risk assessments in supply chains involving firms such as Walmart and Amazon. Academic research at Columbia Business School and London Business School has evaluated COSO adoption, while consulting practices at McKinsey & Company and Boston Consulting Group advise on tailored implementations.

Criticisms and Revisions

Critics argue the frameworks can be resource-intensive for small entities like community banks chartered by the FDIC and for nonprofit organizations such as universities represented by the American Council on Education. Commentators from Harvard Law School and policy analysts at the Brookings Institution noted that prescriptive interpretations contributed to compliance check-box exercises rather than effective risk management, prompting revisions. Revisions in 2013 and subsequent guidance sought to emphasize principles-based approaches and scalability, incorporating stakeholder feedback from the Securities and Exchange Commission, external auditors, and corporate directors from the Council of Institutional Investors. Ongoing debates involve alignment with international risk taxonomies advocated by the International Organization for Standardization and practical integration with technological controls used by Oracle Corporation and SAP SE.
