COSO was adopted in 1992 as a framework on which to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework, to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. In this blog post, I consider Objective I, Control Environment.
The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. With the addition of these specific objectives, the COSO 2013 Internal Controls Framework now specifically provides controls to address compliance with laws and regulations. Every compliance professional needs to understand what is required under the COSO 2013 Internal Controls Framework and be able to show adherence to it, or justify an exception, if the company receives a letter from the SEC asking for evidence of its compliance with the internal controls provisions of the FCPA.
The first of the five objectives is the control environment, and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the control environment objective are as follows:
Principle 1: Commitment to integrity and ethical values. What are the characteristics of this Principle? First and foremost, an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they must be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess whether a company has met its commitment to ethics and compliance and whether that commitment can be effectively measured and assessed.
Principle 2: Board independence and oversight. This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management, so that it operates independently in the compliance arena. Next, there should be compliance expertise at the Board level, which allows it to actively manage this function. Finally, and perhaps most importantly, a Board must actively provide oversight of all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee, such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.
Principle 3: Structures, reporting lines, authority and responsibility. This may not seem as obvious, but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this principle requires establishment of the appropriate authority within the compliance function. Here, your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.
Principle 4: Attracting, developing and retaining competent individuals. This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next, there must be an evaluation of the effectiveness of those compliance policies and procedures, and any demonstrated shortcomings must be addressed. This principle then turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. A company must be able to demonstrate to an auditor, through its compliance policies and, equally importantly, its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and, more generally, employees who accept the company’s general principle of doing business ethically and in compliance.
Principle 5: Individuals held accountable. This is the “stick” principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics and incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in the organization. Such reward comes through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must also consider the pressures it sends through off-messaging. Finally, each employee must be evaluated on his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor that there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives, there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.
Discussion. Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this objective, because the committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under SOX 404(a), as required under Principles 1 and 2. The external auditors must then be satisfied that this requirement is met. Further, there must be evidence that the company has appropriate disclosure controls in place, because that is central to the objective itself. This is all tested against Board independence and committee oversight of the activities that management has undertaken, and against their engagement and conversations with their external auditor.
Under Principle 3, structures, reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls over financial reporting must show that there are processes, policies and documentation in place; that the authority for, and documentation of, the judgments being made is established; and that those judgments are reviewed by the persons responsible for the ultimate determinations about the recognition and timing of revenue and expenses.
Under Principle 4, a business must attract and develop, and then retain, competent talent. Of course, this is good business as well. But it is more than simply appropriate levels of staffing; as Howell stated, you must put in place the right team, give the team the right tools, and also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.
This ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have been able to accumulate, that the company has analyzed that evidence, and that it has gone through the process of comparing this to the COSO 2013 Internal Controls Framework and to the spirit of the standard. Individuals are held responsible for having done that properly. I think that when you tie all of that back together at the control environment level, COSO Principle 1 can be completely tied back to what is being required.
Join us tomorrow for Objective II, Risk Assessments. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.