COSO can help growing banks realize key internal controls efficiencies


Whether through mergers and acquisitions or organic growth, many financial institutions are growing again, and some may be considering going public. As they do, they face two additional regulatory and compliance hurdles—the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and the Sarbanes-Oxley Act of 2002 (SOX 404(a) or 404(b)). FDICIA requires senior management of financial institutions with $1 billion or more in assets to attest to the adequacy of their internal controls. SOX 404(b), which applies to any public company with a market capitalization of more than $75 million (a group that includes many public financial institutions), also includes broad requirements covering the operating effectiveness of internal controls. The good news? By aligning your internal control environment with the framework provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), you can be ready to address one or both of these compliance challenges.

Why? COSO is the de facto framework used to meet the internal controls requirements for SOX. Also, it is an accepted framework for compliance with FDICIA requirements. Therefore, by building a COSO-compliant internal controls structure, your organization can be ready for both.

The COSO framework

As updated in 2013, COSO provides an internal controls framework based on five key components:

  • Control environment—an internal controls environment that establishes appropriate roles for everyone, from the board of directors down, that sets the appropriate tone for the organization, and that holds everyone accountable for their internal controls responsibilities

  • Risk assessment—a risk assessment approach that sets objectives which allow the clear identification of risks specific to the organization, analyzes them appropriately, includes the consideration of fraud and identifies and assesses changes that significantly affect internal controls

  • Control activities—establishes control activities that contribute to the mitigation of risks in alignment with the organization’s overall objectives, provides the right activities and supporting technology to meet those objectives, and deploys those activities through appropriate policies and procedures

  • Information and communication—collects and communicates appropriate controls-related information to all internal and external parties as needed to support controls objectives

  • Monitoring—selects and develops the necessary ongoing and separate evaluations to determine whether internal control components are present and functioning, and communicates any deficiencies to the appropriate parties in a timely manner so that corrective action can be taken quickly

These five key components are backed by 17 principles and 81 points of focus. Using the COSO framework to design and maintain your internal controls will not only efficiently position your financial institution to comply with both FDICIA and SOX, it will also result in an internal controls environment based on current best practices.

For most financial institutions, the third COSO component (control activities) proves the most challenging. How do you best align controls for your full range of operations with the COSO framework? A specific answer would depend on which control is under discussion and on your institution’s unique facts and circumstances, but in general, management should consider focusing on two issues:

  • Ensure that the control is neither too broad nor too narrow, but is instead drawn specifically to meet the risks it is meant to address

  • Make controls sustainable through an appropriate loop of communication, review and assessment to keep them current with your evolving process and risk environment.

Timing and implementation

While aligning your internal controls with the COSO framework will position you to meet the regulatory demands of both SOX and FDICIA, you must still adapt them to the demands of either or both, depending on your size and whether going public is in your plans. You will either need personnel with the appropriate skill sets and familiarity with COSO, SOX and FDICIA, or you will need to work with appropriate outside resources to augment your internal team. By looking at SOX and FDICIA simultaneously instead of in silos, you can minimize redundancies and maximize efficiencies.

Finally, financial institutions considering going public or approaching the FDICIA threshold should give themselves time to get their internal controls in order. Allow a 12- to 18-month runway to get the program in place. Inevitably, control issues will arise during this process. This will give you time to address them and prevent the exercise from turning into a fire drill.
