coso-2013 - Software AG

What’s new in COSO 2013: how is it embedded in ARIS GRC?
Since its origin in 1992, the COSO framework has gained broad acceptance across industries. It has been widely used, particularly as a suitable, and indeed the predominant, framework for reporting on the effectiveness of internal control over financial reporting.
In the spirit of continuous improvement, COSO's decision to update the framework was driven by the extent of change over the past two decades: increased expectations for governance oversight, greater attention to a risk-based approach, globalization of markets, increasing complexity of business and organizational structures, and an increase in the demands and complexity of laws, regulations and
So what’s new?
The most significant change is the explicit articulation of 17 principles representing the fundamental concepts associated with the five components of internal control. COSO made these principles explicit to improve management's understanding of what constitutes effective internal control. Other changes include a clearer description of the role of objective setting in internal control, increased attention to the relevance of technology, an enhanced discussion of governance concepts, an expanded reporting category of objectives, enhanced consideration of anti-fraud expectations and an increased focus on non-financial reporting.
Figure 1: COSO cube 2013
And how is COSO embedded in ARIS GRC?
Software AG's Governance, Risk and Compliance (GRC) solution is fully aligned with the COSO framework. The solution covers not only internal control but also enterprise-wide risk management in all phases of the process. It combines ARIS Platform software, Global Consulting Services and the proven PRIME methodology, together with time-saving reference content based on industry knowledge and project experience.
Figure 2: Process for Enterprise Risk Management (ERM)
The starting point for the ERM process is the organization's objectives. These objectives can be defined in ARIS at both company and business-unit level and can be strategic, tactical or operational in nature. Without clearly defined objectives, it is impossible to identify the potential events that could affect their achievement.
Once the objectives are clear, the events that could influence them can be defined. Events with a positive effect are treated as opportunities and fed back into the objective-setting process. Events with a negative impact are defined and captured as risks in the ARIS
Risks are then analyzed in ARIS Risk & Compliance Manager, considering likelihood and impact, as the basis for deciding how they should be managed. Risks are assessed on both an inherent and a residual basis (i.e. before and after taking existing controls into account) and can be assessed qualitatively (in categories such as low, medium and high) as well as quantitatively (as percentages and monetary amounts).
Based on the output of the risk assessment, several responses are possible for each assessed risk: it can be avoided, accepted, shared or reduced. ARIS supports the establishment and implementation of procedures that help ensure the chosen risk responses are actually carried out. Examples include explicit control measures that mitigate the risk, management reviews, reporting, physical controls (over assets, valuables and stock), controls based on performance indicators, and segregation of duties.
Figure 3: Risk heatmap
ARIS supports monitoring through ongoing management activities, separate evaluations, or both. The aim of monitoring is continuous quality assurance and improvement of the control framework from both a design effectiveness and an operating effectiveness perspective. Based on the information defined in the previous phases, the system automatically generates a plan for audit and testing activities. The execution of these activities is supported by workflows, including notifications to everyone involved in the process. In addition to manual audit and testing activities, ARIS also supports the monitoring of automated controls (continuous control monitoring).
Figure 4: Monitor control activities
Many organizations have benefited from the COSO-based ARIS solution. Our customers have used ARIS to implement COSO effectively and efficiently, becoming more agile (managing performance by adapting to the increasing complexity and pace of a changing business environment), more confident (by mitigating risks to acceptable levels) and better informed (through the clarity that reliable information brings to decision making).