Key Questions to Determine Whether Your Governance Structure is Meeting COSO Requirements – October 12, 2020

Posted by Chris Ferguson

It is nearly impossible to overstate the importance of organizational governance. After all, effective governance ensures accountability, drives organizational ethics and values, and enables your business to achieve objectives.

While there are numerous highly reputed frameworks that address governance, the internal control framework created by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission can help your business achieve the gold standard. COSO is sponsored by major industry associations such as the AICPA and IIA and is the de facto standard for evaluating the effectiveness of internal controls in compliance with Sarbanes-Oxley.

Why is Governance Important?

Let’s step back for a minute and talk briefly about why governance is important. Often viewed as unnecessary bureaucracy, organizational governance, or the lack thereof, instrumentally affects everything from your organization’s ability to raise capital, meet stakeholder expectations, and achieve growth targets to your effectiveness in attracting and retaining top talent and maintaining an effective system of internal controls. Governance is, in fact, one of the most pervasive and important aspects of your organization.

Before you can have effective governance, you first must have a well-designed governance structure. Governance structure comprises the mechanisms by which you implement governance practices throughout your organization. It generally includes processes to enable board oversight and to translate organizational goals and strategic objectives into routine practices and procedures.

COSO Governance Requirements

The COSO internal control framework suggests that the foundation of an effective system of internal controls is a strong control environment: one in which management and the organization’s governing body are committed to competence and integrity and value the assignment of responsibility over internal control.

More specifically, COSO requires that organizations maintain processes that demonstrate behaviors consistent with a commitment to integrity and ethical values, enable sufficient management oversight, appropriately assign authority, accountability, and responsibility, and ensure a high degree of competence.

Evaluating Your Governance Structure

An evaluation of your governance structure can help identify potential gaps in your governance processes and should be completed at least annually.

Below are some key questions to consider when evaluating your organization’s governance structure against the requirements of COSO:

  • Does my organization have processes in place that facilitate an environment of high integrity and ethical values? Consider the existence and sufficiency of processes for establishing and communicating standards of conduct, evaluating adherence to those standards, and addressing deviations from them. Also consider the maturity of these processes: whether they are informal processes relying on tribal knowledge or are implemented via formally documented policies and procedures. Such policies, including conflict of interest and whistleblower policies, should reflect leadership’s commitment to ethics and integrity.
  • Does my organizational structure sufficiently support the achievement of objectives? Consider the sufficiency of assigned roles, responsibilities, and reporting lines, and whether department leaders and managers have sufficient authority and access to senior executive leaders. Also consider whether the frequency and nature of board and senior leadership meetings are sufficient. Keep in mind that when it comes to organizational structure, one size does not fit all. Factors such as organization size, industry, legal and regulatory requirements, and risk appetite, among others, should be considered when evaluating the design of your organizational structure.
  • Does my organization demonstrate a commitment to attracting and retaining competent personnel? Consider the adequacy of processes around talent recruiting and hiring, succession planning, performance evaluations, and the availability of training and continuous learning initiatives for employees. As with your evaluation of organizational structure, keep in mind that a one-size-fits-all approach is not appropriate.
  • Does my organization adequately manage risk? Consider the processes in place to identify and assess risks to achieving organizational objectives, including risk appetite and the effectiveness and frequency of risk assessments. Consider the sufficiency of risk management processes to identify and evaluate all significant risks to the organization, including internal and external factors, fraud, IT and cybersecurity, and risks from third parties such as vendors and contractors. Note that while your governance assessment should consider the processes in place to identify and manage risk, it does not substitute for a well-designed and executed risk assessment.

The above are just a few items to consider when evaluating your organizational governance. In addition to your own initial evaluation, outside advisors can help you perform value-added assessments of your governance structure tailored to your unique environment.


Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.