As with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs vertically and horizontally.
Principle 13: Use of relevant and quality information.
Principle 14: Communicate internally.
Principle 15: Communicate externally.
There must be communications up and down from the Board and within an organization to disseminate the appropriate compliance-related information. The CCO or compliance practitioner should also evaluate the communication lines to third parties for this principle. As noted, this communication can flow both ways with compliance obligations to third parties and information in the form of compliance issues back from third parties.
Internal communication is how you establish communications with your sales organization and your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, your internal auditors, your external auditors, and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.
Three key takeaways:
- Consider the use of relevant and quality information.
- You need to document your internal communications so auditors can review the audit trail.
- This objective relates to your third-party compliance program.