COSO was adopted in 1992 as a framework for basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework, to provide a more supportable approach when adversarial third parties challenged whether a company has effective internal controls (such as the SEC). While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use this to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to best practices compliance program. Today, I take up Objective III, Control Objectives.
The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. With the addition of those specific objectives, the COSO 2013 Internal Controls Framework now specifically provides controls to address compliance with laws and regulations. Every compliance professional needs to understand what is required under the COSO 2013 Internal Controls Framework and can show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.
Control Activities may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a “second set of eyes” is directly enshrined in this objective. Finally, control activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.
Principle 10: Selects and develops controls activities. Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”
Principle 11: Selects and develops general controls over technology. The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.
Principle 12: Control activities established through policies and procedures. This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly, it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”
Discussion. While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.
From a financial reporting perspective, the objective requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets and software to manage your process. This easily translates into the compliance realm as well. This puts you into the entire whole technology issue and portends an enormous amount of information provided by entity.
Joe Howell has explained in the financial realm, “if you’re dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have the controls over both the accumulation and the attestation required that it is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.
This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems, the technologies involved and it requires that the controls be in place for the disclosures you need to make for the reconciliation of that disclosure.
This objective requires that you have new ways of capturing, gathering, confirming the accuracy and completeness of the information and the controls reporting it. The Control Activities regarding the policies and procedures needed is certainly an important consideration going forward.
Join us tomorrow for Objective IV, Information and Communications. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook 2nd edition will be available in both print and eBook editions.