November 18, 2020
Published: Journal of Accountancy
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published new guidance on how to apply the COSO enterprise risk management framework to effectively manage and mitigate compliance risks.
Compliance Risk Management: Applying the COSO ERM Framework describes the characteristics of compliance and ethics programs associated with each of the five components and 20 underlying principles of the COSO ERM Framework.
The publication was commissioned by COSO and authored by the Society of Corporate Compliance and Ethics & Health Care Compliance Association. It describes how to integrate the COSO ERM framework with guidance for compliance and ethics programs that is based on U.S. Federal Sentencing Guidelines as well as global legislation.
ERM focuses on creating, preserving, and realizing value, and effective compliance and ethics programs contribute to each of these objectives.
“Compliance risks are common and frequently material risks to achieving an organization’s objectives,” COSO Chairman Paul Sobel said in a news release. “This publication aims to provide guidance on the application of the COSO ERM framework to the identification, assessment, and management of compliance risks by aligning it with the [compliance and ethics] program framework, creating a powerful tool that integrates the concepts underlying each of these valuable frameworks.”
According to the publication, a governing board of directors and all employees have compliance responsibilities, and compliance risk often extends to activities carried out through third parties. The compliance function leads the development of the compliance and ethics program and works closely with business units in its execution, but the program needs the support of senior management and the board of directors in order to be successful.
COSO is a joint initiative of five private-sector organizations, including the AICPA, and provides thought leadership through the development of frameworks and guidance on ERM, internal control, and fraud deterrence.