13. What is COSO and do you have information security policy and procedure documents that can assist with the applicable COSO frameworks?
The Committee of Sponsoring Organizations of the Treadway Commission - or simply COSO as it's known to many - is a "joint initiative" organizational body that develops and facilitates risk management frameworks and initiatives - specifically those related to internal control. Organized in 1985, COSO firmly planted its roots around issues relating to fraudulent financial reporting, providing recommendations and guidance to companies, auditors and other intended parties. It gained a strong following and recognition in subsequent years, ultimately allowing COSO to provide "thought leadership dealing with three interrelated subjects: enterprise risk management (ERM), internal control, and fraud deterrence." - source: www.coso.org
Learn more about our signature product, the Global Information Security Compliance Packet (GISCP), the world's most complete security policy packet containing over 2,850 pages of in-depth information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and much more.
Learn more today about the GISCP by viewing sample policies, forms, hardening documents, and more.
Notable COSO Publications
Over the years, COSO has put forth numerous publications relating to internal control and risk management, such as the following highly notable releases:
- "Internal Control - Integrated Framework" - a widely popular and well-known publication that discusses in detail the important elements of internal control, such as control environment, risk assessment, control activities, information and communication, and monitoring.
- A number of research studies and other publications that have been extensively used by organizations throughout the world.
COSO and the Concept of "Internal Controls"
At its heart, COSO has been an organization focusing on the concept of "internal controls", which according to COSO, consists of the following:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is also affected by people, thus it's much more than just policy, procedures, manuals, and forms; it also involves the people at every level within an entity.
- Internal control provides "reasonable" assurance, not "absolute" assurance, to an entity’s management and board.
- Internal control is generally geared towards the achievement of stated objectives in one or more separate, but overlapping, areas and categories.
Additionally, COSO plans on undertaking a number of initiatives in the coming years, such as updating their original landmark publication from 1992 - "Internal Control - Integrated Framework", along with providing continued thought papers relating to internal control, enterprise risk management, fraud, and all other related topics. Learn more about COSO, their current publications, and upcoming initiatives at www.coso.org.
Our Policies and Procedures Can Help with Adhering to the COSO Framework
If you're seeking to implement provisions found within COSO's initiatives and frameworks, then the Global Information Security Compliance Packet (GISCP) set of operational and I.T. policies, procedures and supporting documentation from Flat Iron Technologies, LLC can help.