Corporate Compliance Report

In the early years of the Twenty-first Century the United States economy was rocked in part by large corporate scandals that resulted in huge losses for many stockholders and dissolved much investor confidence. In response to these unfortunate incidents of fraudulent financial reporting, laws were passed and committees were organized in an effort to prevent them from happening again. Due to earlier scandals however, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to initially research and create a report on forming integrated frameworks of internal corporate control. The report's revised completion in 1994 "presented a common definition of internal control and provided a framework against which internal control systems can be assessed and improved. This report is the standard that U.S. companies use to evaluate their compliance with [the 1977 Foreign Corrupt Passages Act]" (Wikipedia, 2007). Amidst the later corporate scandals in 2001, COSO developed a new framework "that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management" (COSO, 2007). Today's COSO framework involves several key concepts and eight components for managing enterprise risk. These will be discussed throughout the following pages as part of a proposed plan to implement enterprise risk management (ERM) for small corporation named Laminated Board Manufacturing, Inc.

COSO Key Concepts

According to its web site, COSO maintains there are four key concepts regarding internal control's providing of reasonable assurance in achieving a company's objectives. The first is that "Internal control is a process. It is a means to an end, not an end in itself." Secondly, "Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization." Third, "Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board." And lastly, "Internal control is geared to the achievement of objectives in one or more separate but overlapping categories" (COSO, Key Concepts, 2005). These statements establish a realistic view of the limitations of COSO's recommended procedures and offer a reminder of the need for human diligence in auditing progress towards meeting objectives.

COSO Recommendations

Laminated Board Manufacturing, Inc. (LBM) is a small, but growing wood products company located in southern Oregon. In anticipation of much greater growth in the near future, LBM is seeking to better its enterprise risk management in part through implementing the COSO recommendations. While there are eight components to the COSO outline the Committee itself states that not all of them will function identically, and that their "application in small and midsize entities ... may be less formal and less structured" (COSO, 2007). COSO also states that its eight component format is not necessarily always to be approached in numerical order but that they are eight parts of a "multidirectional, iterative process in which almost any component can and does influence another" (COSO, 2007) In any case, those eight recommended components of enterprise risk are briefly described as follows:

Internal Environment

Perhaps related in some aspects to company "culture" a corporation's internal environment is determined by the feelings and philosophies of the people and their management group. The company's general perspectives on risk tolerance, ethics and integrity set the tone of its internal environment.

Objective Setting

A company must determine its own objectives before deciding on the course of events that will lead to their achievement. The best course will be the one that is aligned with the values of the company's internal environment.

Event Identification

In the course of proceeding towards its objectives certain events will be encountered and it must be determined whether they comprise a risk or an opportunity. Risks will require further assessment (as shown in the next component) while opportunities will be considered under re-evaluation of objective setting.

Risk Assessment

Risks can be analyzed both according to their likelihood of occurrence and their potential for creating loss or damage and assessed as per the perspectives of the internal environment.

Risk Response

In its approach to risk a company must determine its responses according to its views and tolerances for risk. The management may choose to either avoid or accept the risk, or find ways to reduce it and its negative impact.

Control Activities

A company must have pre-determined policies and procedures in place to ensure risk responses are appropriate, aligned with company philosophy and are implemented effectively.

Information and Communication

Communication regarding progress towards company goals and the events that precede their being reached needs to reach all levels and depth of the organization, keeping all parties informed, allowing them to best perform their duties.

Monitoring

Monitoring is the key to successful risk management with oversight allowing for decisions and changes to be made. It is management's duty to monitor risks and minimize any negative effects through various means.

LBM's General Implementation Plan

The COSO recommendations can be described as a format for performing internal audits as a way of enterprise risk management. To initially generate this format in a way that best suits the needs of the company, LBM's top management team should assess its own corporate culture and define its own tolerances for risk. This management team also needs to formally define and establish its views on ethics and integrity. One way to make these philosophies official is to create a company mission or vision statement, which can be prominently displayed around the company and found in employee handbooks. Once these standards and mores are firmly established, the team can then move on to defining the organization's objectives.

...