
What Is the COSO Framework?

Apr 18, 2023
HR Acuity

You know the importance of maintaining a positive work environment and preventing conflicts, but with so many moving parts, it can be difficult to know where to start. In the business world, managing risks and internal controls is essential for preserving a strong foundation for employees, building the right culture and ensuring business operations are running smoothly – all while meeting compliance standards. The COSO framework is a tool that can help your organization address common challenges and control risks that can spiral into organizational damage.

Read on to learn more about how this framework can be applied to employee relations (ER) and human resources (HR) functions to support critical tasks and initiatives in both a practical and meaningful way. 

The COSO Framework. What’s It All About?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative between five sponsoring organizations, including the American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA). The COSO framework is designed to provide guidance for internal control, risk management, financial reporting and corporate governance practices. It emphasizes the importance of understanding your organization’s objectives, identifying and assessing potential risks, and designing and executing control activities to manage those risks.

It can be applied to three types of internal controls:

  • Entity-level controls: designed to handle risks across the entire organization.
  • Process-level controls: intended to be applied to a specific process or function.
  • Transaction-level controls: implemented to ensure the accuracy and completeness of financial transactions.

From an employee relations perspective, the framework helps HR departments identify activities they can directly influence. For example, you can use the COSO framework as an entity-level control to establish and evaluate the effectiveness of your employee handbooks. Another example is using the COSO framework at the process level to identify risks in your employee selection, retention and termination practices. At the transaction level, you could evaluate the efficacy of the controls in place for employment-related transactions such as payroll, leave and benefits administration. All in all, the COSO internal control framework is a high-value tool that can be applied to a wide spectrum of areas.

The 2013 updated COSO ERM framework directs enterprise risk management practices and helps organizations align their strategies with their overall business goals. COSO defines ERM as “The culture, capabilities and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving and realizing value.” 

While the COSO framework is widely adopted, it has its limitations. One is that it may not be suitable for all types of organizations: ER teams must consider their unique needs and circumstances when using it to ensure that it matches their organizational strategy.

Components of the COSO Framework

The COSO framework consists of five interrelated elements that provide a comprehensive approach to handling an organization’s challenges:

  • The control environment sets the tone for the organization’s internal control system. It includes the organization’s culture, ethical values and overall attitude toward risk. 
  • Risk assessment is the process of identifying, analyzing and addressing the threats that an organization faces. It concerns evaluating the likelihood and potential impact of different circumstances to determine which ones require the most attention.
  • Control activities are the policies and procedures that are implemented by risk managers. They can include a variety of controls such as duty segregation, authorization and documentation. For example, authorization could be ensuring that all disciplinary actions are authorized by a manager or supervisor. Documentation could include recording the steps taken during an investigation, such as interviews and evidence gathered.
  • Information and communication involve ensuring that employees have access to the information they need to carry out their duties effectively and that there’s effective communication throughout the organization.
  • Monitoring is the review and assessment of an internal control system’s effectiveness. It involves ongoing monitoring of key processes and controls, as well as periodic audits and assessments of the overall system.

Executing the relevant components of the framework can help organizations decrease the risk of non-compliance, grievances, legal disputes and other issues that create a negative impact. By establishing a strong internal control system, employee relations activities have a better chance at staying ethical, efficient and effective.


How To Use COSO To Mitigate Employee Relations Risks

Employee relations risks are bad for business. HR and ER professionals must navigate complex employment laws and regulations, manage confidential data and ensure that processes are fair and transparent. Any challenges that arise can potentially lead to legal liabilities, reputational damage and lost productivity. Fortunately, the COSO framework offers a comprehensive and integrated approach to risk management for ER.

To begin using the framework, ER should assess its current control environment with senior management. You’ll start by evaluating the policies, procedures and practices that are in place to oversee employee relations challenges. By conducting thorough internal audits, ER managers can identify areas that need improvement and prioritize what to do next accordingly. This also provides a much-needed opportunity for employee relations professionals to gain visibility and highlight the importance of process across all HR and ER practices, areas that sometimes lack consistency.

One of the COSO framework’s key benefits is the common language and standardized approach it creates for the business. This makes it easier to communicate with stakeholders and to benchmark performance against industry standards. It also provides flexibility and adaptability across industries and functions, meaning that organizations can tailor the framework to their specific needs and risk response. For example, those that operate in highly regulated industries may need to establish additional controls and risk management processes to comply with regulatory requirements.

Here’s an example of how the COSO framework can be applied to employee relations:

Samantha is the head of the employee relations department at a large retail company. She’s tasked with ensuring that the company’s policies and procedures are being followed and that staff is treated fairly and respectfully.

To accomplish this, Samantha decides to use the COSO framework. She starts by identifying the ER team’s objectives, which are to maintain a positive work environment, ensure compliance with company policies and prevent and resolve conflicts.

Next, Samantha assesses the risks associated with achieving each objective through an internal audit. During the audit she identifies several risks, including inadequate communication among workers, inconsistent policy enforcement and a lack of conflict resolution resources.

To mitigate these risks, she implements several controls. For example, she creates a communication plan that ensures all employees receive clear and consistent information about company expectations. She also establishes an anonymous digital process for collecting, documenting and addressing employee complaints and focuses on making sure that all managers are trained in conflict resolution.

Finally, Samantha monitors the effectiveness of these controls and makes adjustments as necessary. She regularly surveys employees to assess their satisfaction with the work environment and analyzes policy violation data and dispute outcomes to pinpoint areas for improvement.

Implementing COSO in Your Employee Relations Software

Employee relations software can help automate many of the processes involved in managing risks and implementing the COSO framework. It can be used to follow policy and procedure compliance, monitor employee behavior and performance and generate reports. Luckily, many ER software systems have built-in COSO features that allow you to easily incorporate them into your current infrastructure and workflows.

Why HR Acuity?

HR Acuity is an employee relations software platform that is specifically designed to support organizations’ risk management. It provides a comprehensive set of illustrative tools for tracking and managing team issues, including investigations, grievances and internal control objectives. By combining the COSO framework with HR Acuity, organizations can take a proactive approach to manage their risks and ensure internal controls compliance.
