#17 – QUALITY INPUTS TO THE 2013 REVISION OF COSO GUIDANCE – SANDFORD LIEBESMAN

The COSO guidance originated in the 1990s in response to the Savings and Loan Crisis. It was developed to provide guidance to organizations developing a system of internal control for their companies. About three years ago I was asked by Jeff Thomson, President and CEO of the Institute of Management Accountants (IMA), to join the IMA team helping to update the more than 20-year-old guidance. The team was ably led by J. Stephen McNally, Finance Director/Controller of the Campbell Soup Company.

My major role was to provide quality management inputs to the guidance. This article describes the major inputs that I provided.

The COSO framework[1] has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting. Other updates and enhancements to the framework were added to help the user address changes in business and operating environments, including:

  • Expectations for governance oversight.
  • Globalization of markets and operations.
  • Changes and greater complexity in the industry.
  • Demands and complexities in laws, rules, regulations and standards.
  • Expectations for competencies and accountabilities.
  • Use and reliance on evolving technologies.
  • Expectations related to preventing and detecting fraud.

One major addition is the inclusion of principles for each element. They represent the fundamental concepts associated with each element. A total of 17 principles were added, with each individual element having between two and four principles. For example, the principles associated with risk assessment are:

  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes them as a basis for determining how the risks should be managed.
  • The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  • The organization identifies and assesses changes that could significantly impact the system of internal control.

QUALITY AND COSO
Jeff Thomson, president and CEO of the Institute of Management Accountants (IMA), asked me to serve on the COSO team as the quality management representative. The following are examples of the inputs I provided[2]:

1. Objectives must be measurable.

Objectives, Page 6: Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.

2. Measurable objectives are preconditions to risk assessment.

Specifies Suitable Objectives, Page 62: Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

3. Consideration of Risk Appetite and Risk Tolerance.

Internal Control and Management, Page 15: Setting the overall level of acceptable risk and associated risk appetite is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is also not part of internal control.

4. Strategic Objectives

Page 169: The Framework retains operations, reporting, and compliance objective categories and the concept that strategic objectives are not part of internal control. Including strategy-setting and strategic objectives would require adding other concepts, including risk appetite and risk tolerance, to provide a complete discussion of this objective category. These concepts are more appropriate in the context of enterprise risk management as discussed below.

Enterprise Risk Management

Page 169: Some respondents called for further integration of enterprise risk management concepts into internal control, in particular seeking an expanded discussion of risk tolerance and adding risk appetite. Some also sought a merger of COSO’s ERM Framework with the (COSO Integrated) Framework. Others supported keeping the two frameworks separate and distinct.

The COSO Board considered merging the two frameworks and decided to keep them separate and distinct. Accordingly, strategy-setting, strategic objectives, and risk appetite remain part of the ERM Framework. The Framework contains the definition of risk appetite and the application of risk tolerance and retains strategy setting as a precondition of internal control.

5. Internal Control and Objective-Setting, Page 15:

It is not practical to design and implement a system of internal control unless the entity’s objectives are established, set, and specified for the organization. Establishing and setting objectives and related sub-objectives are parts of or flow from the strategic planning process, with consideration given to laws, rules, regulations, and standards as well as management’s own choices. However, internal control cannot dictate or establish what an entity’s objectives should be.

As part of internal control, an organization specifies objectives by:

  • Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives.
  • Assessing suitable objectives and sub-objectives for internal control based on facts, circumstances and established laws, rules, regulations, and standards.
  • Communicating objectives and sub-objectives throughout the entity.

6. Internal Reporting Objectives, Page 68

Reliable internal reporting, including balanced scorecards and performance dashboards, provides management with accurate and complete information needed to manage the organization. It supports management’s decision-making and monitoring of the entity’s activities and performance. Examples of internal reports include results of marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction results. Internal reporting objectives are based on preferences, judgment, and management style.

Internal reporting objectives vary among entities because different organizations have different goals, strategic directions, and levels of risk tolerance. As with external reporting, internal reporting reflects the required level of precision and accuracy suitable for internal needs and the underlying entity activities, presenting transactions and events within a range of acceptable limits.

Many organizations will apply external standards to assist in managing their operations. Such standards may relate to the control over technology, human resource management, or records management. However, as standards that apply to external reporting may not apply to internal reporting, management may choose to set different levels of acceptable variation for external and internal reporting.

7. Communicates Externally, Page 118

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

  • Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties.
  • Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
  • Communicates with the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
  • Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
  • Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.

8. Reporting Objectives, pp. 65-68

  • Page 65: This category includes external financial reporting, external non-financial reporting, internal financial reporting and internal non-financial reporting.
  • Page 67: External Non-Financial Reporting Objectives. Complies with Laws, Rules, Regulations, Standards and Frameworks.
  • Page 68: Internal Reporting Objectives: Including balanced scorecards and performance dashboards provides management with accurate and complete information needed to manage the organization. It supports management’s decision-making and monitoring of the entity’s activities and performance. Examples of internal reports include results of marketing programs, daily flash reports, production quality, and employee and customer satisfaction results.

PUBLICATION OF THE REVISED COSO GUIDANCE

The final framework was issued during May 2013. Four documents were issued:[3]

  • Internal Control – Integrated Framework, Framework and Appendices
  • Internal Control – Integrated Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
  • Internal Control – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Control
  • Internal Control – Integrated Framework, Executive Summary

PRINCIPLES USED IN CREATING THE REVISED COSO

Objectives and Sub-objectives, pp. 12-13: There are five principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting sections, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Objectives and Sub-objectives, Page 13: There are four principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Objectives and Sub-objectives, Page 13: There are three principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Objectives and Sub-objectives, Page 14: There are three principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Objectives and Sub-objectives, Page 15: There are two principles relating to Monitoring Activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


[1] Internal Control – Integrated Framework, Framework and Appendices, published by the AICPA. Visit http://www.coso.org/IC.htm to purchase the documents.

[2] There are multiple examples of the use of the quality management inputs. The information provided with each input contains examples of their use in the Integrated Framework, published May 2013.

[3] To purchase these documents visit http://www.coso.org/IC.htm.

Bio:

Dr. Sandford Liebesman, Sandford Quality Consulting LLC and retired corporate ISO Manager at Lucent Technologies, had over 43 years’ experience in quality at Bell Laboratories, Lucent Technologies, Bellcore (Telcordia) and KEMA Registered Quality. He is an ISO 9000 subject matter expert and auditor and is author of the books Competitive Advantage: Linked Management Systems; TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, 1st and 2nd Editions; and Using ISO 9000 to Improve Business Processes. He has presented seminars and published articles on linking management systems and QMS/EMS support of Sarbanes-Oxley, and led the team that developed the 2005 and 2006 ASQ SOX conferences. As part of the linking effort he joined the Institute of Management Systems (IMS) and helped develop the revision of the COSO guidance to SOX compliance. He has conducted over 95 registrar audits of ISO 9001 and TL 9000. He also conducted internal audits as a member of Lucent Technologies. Dr. Liebesman has an engineering degree from the United States Naval Academy and MSEE and Ph.D. (Operations Research) degrees from New York University. He taught statistics, quality control, quality management and operations research at Rutgers University. He is the Past Chair of the ASQ Electronics and Communications Division and a Fellow of ASQ.