As the business world focuses more on risk management, more people are turning to the frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management (ERM), internal control and fraud deterrence.
Richard Steinberg is the lead project partner of the PricewaterhouseCoopers team that in 1992 conceptualized and developed the COSO Internal Control Integrated Framework. The framework (which is in the process of being updated, with a final draft expected this April) is widely used today for designing, implementing and evaluating the effectiveness of internal controls.
Steinberg also led development of the COSO Enterprise Risk Management Integrated Framework, developed in 2004. This is a broader framework that incorporates concepts of the Internal Control framework. It describes the critical principles and components of an effective ERM process, namely, how important risks should be identified, assessed, responded to and controlled.
Bradley Schaufenbuel, director of information security at Midland States Bank, recently interviewed Steinberg for CSO.
Bradley Schaufenbuel: Has the COSO framework for internal control met your expectations for adoption?
Rick Steinberg: It's the standard used by the vast majority of public companies for enhancement and reporting as required by Sarbanes-Oxley. It has resulted in a common language of internal control that was absent before its issuance, as well as more commonly understood concepts and terminologies of internal control. I've also seen enhanced communication among executives across companies. Its principles and key concepts have stood the test of time, so yes, it has met my expectations.
You have said you believe the updated internal control framework to be a substantial improvement over the old one. Why?
The key enhancement is that certain concepts inherent in the 1992 version (elements of control, attributes related to each principle) have been made more explicit. Also, the surrounding discussions have been brought up to date by focusing on new business models, evolving technology, third-party involvement and fraud detection.
The principles inherent in the framework have been highlighted, and if that's what security managers have been focusing on, it will be received well. If the hope is for a great deal more detail on information security, then it's probably not going to satisfy those hopes.
Does the greater recognition of third parties highlight the need for organizations to increase their focus on improving vendor management and oversight programs?
The draft updated internal control framework certainly focuses better on the risks involved and the relationships with third parties and how to better manage those risks.
We're not only talking about relationships with vendors but also other types of third parties: service providers, representatives, agents operating in foreign locations, business partners. They've all received more focus in this update.