# 1. COSO 2. ERM

Khawar Shahzad Jaffar ACCA, CPA


What is Control? 

Control is a term used to describe a process to mitigate risk. If risks are obstacles in achieving goals and objectives, then controls are enablers.



Controls prevent the consequences of risk events from affecting operations, or controls detect when the risks have affected the management process and alert management to the need for corrective action.


COSO 

COSO is a control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.

The original name of the framework is Internal Control – Integrated Framework, but it is commonly known as the COSO framework, after the organization that issued it.


COSO 

The COSO framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories: 

Operating – effectiveness and efficiency of operations

Reporting – reliability of financial reporting

Compliance – compliance with applicable laws and regulations


COSO 

The COSO internal control framework consists of five interrelated components derived from the way management runs a business. According to COSO, these components provide an effective framework for describing and analyzing the internal control system implemented in an organization, as required by financial regulations. The five components are the following:


COSO Control Environment 

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include integrity, ethical values, management's operating style, systems for delegating authority, and the processes for managing and developing people in the organization.


COSO Risk Assessment 

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives; risk assessment is therefore the identification and analysis of relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.


COSO Control Activities 

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.


COSO Information and Communication 

Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization.

For example, formalized procedures exist for people to report suspected fraud. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders, about related policy positions.


COSO Monitoring 

Internal control systems need to be monitored, i.e. there must be a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream, and corrective actions should be taken to ensure continuous improvement of the system.


ERM 

ERM is an extension of the COSO framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.

The original name of the framework is Enterprise Risk Management – Integrated Framework.


ERM 

Enterprise Risk Management is defined as:

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


ERM 

This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories: 

Strategic – high-level goals, aligned with and supporting its mission

Operations – effective and efficient use of its resources

Reporting – reliability of reporting

Compliance – compliance with applicable laws and regulations.


ERM 

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:


ERM Internal Environment 

The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.


ERM Objective Setting 

Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.


ERM Event Identification 

Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.


ERM Risk Assessment 

Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.


ERM Risk Response 

Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.


ERM Control Activities 

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.


ERM Information and Communication 

Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.


ERM Monitoring 

The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

