Using CSA to implement COSO

The dimensions and potential of CSA keep expanding exponentially. It's a tool for achieving attestation regarding COSO controls over financial reporting. The impact of Internal Control - Integrated Framework, the COSO report issued in 1992, has been extensive in the banking community. Banks with assets of more than $500 million have implemented the financial reporting category of COSO in an effort to comply with the FDIC Improvement Act of 1993, which requires external attestation regarding the existence and operation of a sound system of control over financial reporting.
 
The Act does not directly mandate COSO, but because COSO is the most widely recognized framework for internal control, it is the model most often adopted by banks and their auditors. Although COSO has not been as extensively adopted in other industries, its impact on internal control environments is undeniable. In a recent initiative, a Department and/or Institution used control self-assessment (CSA) to assist in the implementation of the financial reporting category of COSO. Led by an effective team effort, the organization accomplished its major objective and established a model that will likely be adopted for subsidiaries.

Steps to Implement CSA:

PROJECT INITIATION; It is important for the organization to show that it is doing the right things and doing them correctly. It is against this background that management initiated a COSO implementation project, with the ultimate objective of obtaining an external attestation letter regarding the existence of COSO controls over financial reporting.
 
In addition, the CFO personally attended the opening of every workshop to introduce the video, reinforce the concepts introduced, and answer any employee questions. Actions like these were prevalent at various stages in the process and definitely were factors in the overall success of the project. 
 
ESTABLISHING OBJECTIVES; The initial step of the project required the team to develop an objective for the financial reporting process. Both COSO and CSA are objective-driven, but many organizations did not have an explicitly stated financial reporting objective. The objective was present, but implicit. The objective developed for this project and adopted was " identifies, measures, classifies, records, and reports financial and related information in a timely and accurate manner."
 
PLANNING AND CONDUCTING THE WORKSHOPS; Planning began well before the project entered the CSA workshop stage. This type of initiative cannot be accomplished by following a formula or checklist. Little guidance is available in research literature; but even if it existed, every organization is different. Each entity's culture and political environment must be managed to ensure a successful project. In addition, environments change - even during the course of the engagement. In fact, changing and improving the control environment and, thus, the corporate culture is one of the goals of COSO. Project directors and sponsors must be sensitive to this phenomenon, and they must adapt accordingly. A planning continuum must be in place.
 
ANALYZING THE DATA; The common themes were an important element in the CSA report. They helped direct management's attention to root causes of problems rather than symptoms. The report provided a basis for evaluating the extent to which each of the COSO components was present and operating effectively in the organization. This, in turn, was the starting point for management to develop and implement action plans to correct deficiencies. 
 
DEVELOPING ACTION PLANS; Information obtained during the CSA workshops was combined with the flowcharts and organized into "risk management binders." These binders were prepared for each senior person (top management) who played a significant role in the control environment or the financial reporting process. The binders are the manifestation of COSO theory. They commingle soft and hard controls over financial reporting in a COSO framework for virtually the entire organization. 
 
OBTAINING ATTESTATION; Using the risk management binders as a guide, each senior person (top management) performed an internal attestation of the structure present in his or her area. This approach in essence made the senior person (top management) in charge of the various areas of the organization accountable for the presence of the documented control structure in their areas. If the documentation was not accurate, it was the senior person's (top management) responsibility to notify the Director of Internal Control so that the binder could be corrected before it was subjected to external review. These senior person (top management)-level internal attestations were collected and forwarded to the CFO and CEO, along with a summary and opinion letter from the Director of Internal Control. In turn, these attestations served as the basis for the CEO and CFO attestation. Once the CEO and CFO attested to the control structure over financial reporting per COSO, the external auditors evaluated and tested the identified controls. Based on the internal attestation and the external testing performed, the auditors issued a COSO attestation letter to the audit committee. The original project goal was achieved.

One key issue that was resolved during the internal attestation phase involved the area of risk assessment. The term "risk assessment" has varied meanings and applications within the business world, especially in the auditing community.
 
According to COSO, risk assessment should be a defined process of identifying and analyzing risks to meet established objectives. The achievement of external attestation over the financial reporting control structure depended on the risk assessment activities recommended by the external auditors.
