Introduction
Tariffs are no longer just a Joe-in-Tax’s problem. They’ve become a board-level priority―and a hot topic across business functions as companies work to manage the lasting fallout from the Trump trade agenda. Compliance and Legal teams face increased risk of criminal and civil liability arising from the DOJ’s Criminal Division prioritization of tariff enforcement and the Civil Division’s pursuit of False Claims Act cases. Tax and Finance departments navigate strategies to reduce tariff costs. Marketing manages company messaging, while sales contends with price increases. Logistics pursues new suppliers, and Corporate Development must account for new and future tariffs when exploring acquisitions and joint venture opportunities. The impact of tariffs is felt throughout the company and thus requires enterprise-wide responses.
This article is the first in a series on mitigating tariff-related risks and maximizing opportunities in today’s environment. We begin with the COSO Integrated Internal Control Framework, widely accepted as the leading risk management framework. In parallel, tariff management serves as a practical introduction to COSO for readers unfamiliar with the framework. Future installments will address conducting tariff risk assessments, identifying and reporting competitor breaches, performing supply chain diligence, using AI and data analytics, and managing financial statement implications.
What is the COSO Internal Control Framework?
The Committee of Sponsoring Organizations of the Treadway Commission, commonly known as COSO, is a private sector initiative that provides frameworks and guidance on internal control, risk management, compliance, and fraud prevention. The Integrated Internal Control Framework (“IC Framework”) is the most well-known COSO framework.
The IC Framework gained widespread recognition when the Sarbanes-Oxley Act mandated that companies utilize a framework for evaluating internal controls over financial reporting. While most companies adopted the IC Framework, many people assume it’s only about managing financial reporting risk. However, this view undersells COSO’s scope, as it applies to much more than just financial reporting or risk management.
Why use the IC Framework for Tariff Management?
The IC Framework is particularly helpful for new and changing environments, such as tariff management, that raise business and legal issues and involve various stakeholders. Because it is principles-based and intentionally flexible, organizations can apply the IC Framework not only to mitigate tariff compliance risks, but also to improve operational efficiency and prevent overpaying tariffs.
The COSO IC Framework Cube
The framework is commonly depicted as a cube. It is called “Integrated” because all three sides of the cube are interconnected. The top side of the cube refers to the objectives the organization seeks to achieve. “Internal Control” is a process “designed to provide reasonable assurance regarding achievement of objectives relating to operations, reporting and compliance.”
Objectives
The top row includes three core objectives: operations, reporting, and compliance.
- Operations pertain to operational and financial performance goals. Operational objectives for tariffs include efficiency and avoiding overpaying tariffs.
- Reporting includes both financial and non-financial reporting. Tariff reporting encompasses Harmonized Tariff Schedule (HTS) classification, valuation of imported goods, country of origin, and other customs documentation.
- Compliance refers to adherence with tariff legal, regulatory and other requirements.
Organizational Structure
The right side of the cube reflects the IC Framework’s flexibility regarding size and structure. Tariff management is not just a US concern, but rather a global issue. Multinational companies can apply it to the entire entity, specific divisions, or operational units.
Core Components
The front side of the cube depicts the five core integrated components: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information & Communication; and (5) Monitoring Activities.
Control Environment
Refers to the corporate culture, governance, and entity-level policies that underpin internal controls. The tariff management control environment also comprises processes for responding to compliance violations through investigation and remediation. Because tariff management encompasses numerous functions, companies must establish governance structures that ensure coordination and prevent issues from falling through the cracks. For companies with high risk or underdeveloped tariff controls, beginning this process under attorney-client privilege can help protect sensitive findings that might carry legal or regulatory consequences.
Risk Assessment
Involves identifying and mitigating the likelihood and impact of events and scenarios that could prevent the organization from achieving its operational, reporting and compliance objectives. (Opportunities, conversely, are events and scenarios that further these objectives.) In summary, the process entails:
- Developing tariff-related operations, reporting and compliance objectives.
- Inventorying laws and regulations.
- Creating detailed process flows.
- Setting risk appetite and tolerance levels based on likelihood and impact.
- Identifying risk (and opportunity) events and scenarios.
- Linking and testing key control activities.
- Assessing inherent and residual risk.
- Responding to out-of-appetite risks.
Control Activities
Comprise the policies, processes and controls on which companies rely to mitigate risks and maximize opportunities. In general, tariff controls can prevent, detect, and deter tariff under- and over-payments. Tariff management considers the “control suite,” as opposed to auditing individual controls, as is the traditional approach. A control suite is a set or grouping of control activities to meet objectives, mitigate risks, and maximize opportunities.
Information and Communication
Refers to the collection and use of information to meet objectives, mitigate risks and maximize opportunities. Tariff management inherently involves gathering and communicating information and data, sourced both internally and externally. Together with the other COSO components, companies must ensure that this information is accurate and complete. The government expects―and tariff management must incorporate―the use of data analytics and AI to detect false or inaccurate information, as the excuse of “I didn’t know” is becoming increasingly less effective.
Monitoring Activities
Pertains to conducting ongoing and/or separate evaluations, as well as evaluating and communicating deficiencies. Testing considers both design and operating effectiveness. Design effectiveness assesses whether the control activities, when implemented as prescribed by competent personnel, are capable of mitigating risks within the established risk appetite. Operating effectiveness assesses whether these control activities are correctly executed in practice and whether the personnel responsible for them possess the necessary authority and competency.
Conclusion
Done right, tariff management can be more than just a defensive move. COSO helps companies proactively manage risk, uncover opportunities for savings, and stay ahead of regulators and competitors alike. In today’s high-stakes trade environment, a smart, structured approach isn’t just recommended—it’s essential.
Ready to strengthen your tariff management strategy and reduce risks? Reach out to Jonny Frank or Annie Budra for expert guidance on implementing the COSO framework and navigating the complexities of tariffs in your business.