Internal Control–Integrated Framework”, herein ‘the Framework volume.’ The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls,” herein ‘the Illustrative Guide,’ which discusses how best to assess your internal control regime and provides forms and worksheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary.’ All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program. In the 2013 update, the basic framework was retained with substantial support from user companies, and 3 specific objectives were added:
- Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss
- Reporting Objectives – internal and external financial reporting
- Compliance Objectives – adherence to laws and regulations to which the entity is subject
According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations, and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations. The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will explore throughout this series. Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework,” said that the original COSO framework from 1992 has stood the test of time “because it was built as a conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based on four general principles, which include the following:
(1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve;
(2) internal controls are a process which is designed to help businesses achieve their business goals;
(3) internal controls apply to more than simply accounting controls, it applies to compliance controls and operational controls; and
(4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.”
This final statement is significant for the compliance practitioner because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not simply rely upon a company’s accounting, finance, or internal audit function to do so. The primary objective is to keep in mind that even if an organization adopts the Framework, there will be very few people within that organization who will have unique knowledge that a compliance officer has that would impact all the framework elements. The compliance officer’s role is to provide input to the Chief Financial Officer (CFO) and others involved in the implementation to be sure that there is a proper focus on the risks that are part of the compliance world. This primarily comes through risk assessment, control activities, and monitoring. Companies typically do risk assessments from an operational standpoint, address business risks going forward, and then develop the controls that deal with those risks, such as project financial results, doing business in certain countries, strategic decisions, and similar issues. This puts the compliance function in the unique position to be the fulcrum on many issues that will come up with a COSO-based analysis or implementation. The updated Framework retained the core definition of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Further, the well-known three-dimensional “COSO Cube” visually represents these five operational concepts. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, the emphasis on the principles is new to the 2013 Framework. Joe Howell noted that the COSO Framework could be seen as a prevent and detect control. He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one-off things that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function sustainably throughout the organization.
Three Key Takeaways:
- You must use the COSO Framework or a similar source for your internal control structure.
- The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
- Your internal controls must be sustainable.
For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO 2013 Framework for Internal Controls is a great guide for the internal controls required in a compliance regime.