
COSO can help growing banks realize key internal controls efficiencies


Whether through mergers and acquisitions or organic growth, many financial institutions are growing again, and some may be considering going public. As they do, they face two additional regulatory and compliance hurdles: the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and the Sarbanes-Oxley Act of 2002 (SOX Section 404(a) and 404(b)). FDICIA requires senior management of financial institutions with $1 billion or more in total assets to attest to the effectiveness of their internal controls over financial reporting (ICFR). SOX 404(b), which applies to accelerated filers (broadly, public companies with a public float of $75 million or more), a group that includes many public financial institutions, adds an independent auditor's attestation on the operating effectiveness of ICFR. The good news? By aligning your internal control environment with the framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), you can be ready to address one or both of these compliance challenges.

Why? COSO is the de facto framework used to meet the internal controls requirements of SOX, and it is also an accepted framework for FDICIA compliance. By building a COSO-compliant internal controls structure, your organization can therefore be ready for both.

The COSO framework

As updated in 2013, COSO provides an internal controls framework based on five key components:

  • Control environment—an internal controls environment that establishes appropriate roles for everyone, from the board of directors down, that sets the appropriate tone for the organization, and that holds everyone accountable for their internal controls responsibilities

  • Risk assessment—sets objectives clear enough to allow identification of the risks specific to the organization, analyzes those risks appropriately, considers the potential for fraud, and identifies and assesses changes that could significantly affect internal control

  • Control activities—selects and develops control activities that contribute to mitigating risks in line with the organization's overall objectives, provides the right activities and supporting technology to meet those objectives, and deploys them through appropriate policies and procedures

  • Information and communication—collects and communicates appropriate controls-related information to all internal and external parties as needed to support controls objectives

  • Monitoring—selects and develops ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning, and communicates deficiencies in a timely manner to the parties responsible for corrective action so that it can be taken quickly

These five key components are backed by 17 principles and 81 points of focus. Using the COSO framework to design and maintain your internal controls will not only efficiently position your financial institution to comply with both FDICIA and SOX, it will also result in an internal controls environment based on current best practices.

For most financial institutions, the third COSO component proves the most challenging. How do you best align controls for your full range of operations with the COSO framework? A specific answer would depend on which control we were discussing and on your institution’s unique facts and circumstances, but in general, management should consider focusing on two issues:

  • Ensure that the control is neither too broad nor too narrow, but that it is instead drawn specifically to meet the risks it is meant to address

  • Make controls sustainable through an appropriate loop of communication, review and assessment to keep them current with your evolving process and risk environment. As with any system of controls, the controls can only be effective if they accurately represent your current processes.

While COSO is the de facto ICFR framework, it can and should be used more holistically, since its components, principles and points of focus apply to operations and compliance objectives as well as to financial reporting.

Adopting the COSO framework for SOX and/or FDICIA

Timing and implementation

While aligning your internal controls with the COSO framework will position you to meet the regulatory demands of both SOX and FDICIA, you must still adapt them to the demands of either or both, depending on your size and whether going public is in your plans. You will either need personnel with the appropriate skill sets and familiarity with COSO, SOX and FDICIA or else work with appropriate outside resources to augment your internal resources. By looking at SOX and FDICIA simultaneously instead of in silos, you can minimize redundancies and maximize efficiencies.

Financial institutions considering going public or approaching the FDICIA threshold should also give themselves time to get their internal controls in order. Allow a 12- to 18-month runway to get the program in place. Control issues will inevitably arise during implementation, and this runway gives you time to address them without the exercise turning into a fire drill.

Above all, avoid the pitfall of treating SOX and FDICIA as nothing more than a compliance exercise. While that is partly true, going public and/or reaching the FDICIA threshold raises the bar: the effort needed to document existing controls and implement new ones changes your daily operations. Successful and lasting internal control environments are those where the organization has taken the requisite time to thoughtfully assess its control environment and develop a roadmap for implementation. This can prevent issues in future years and helps the control environment scale as your organization grows.
