The wide view of controls means that internal controls cover all aspects of an organization and there is a clear need for a way of pulling together control concepts to form an integrated whole, that is a “control framework”. Where there are risks to the achievement of objectives, which mean failure is a strong possibility, controls have to be put in place to address these risks. If not failure becomes likely. At the same time, controls cost money and they have to be worthwhile. A lot depends on the risk appetite and what is considered acceptable as opposed to unacceptable to the organization and its stakeholders. Poor controls lead to losses, scandals, failures, and they damage the reputation of organizations in whatever sector they are from. Where risks are allowed to run wild and new ventures are undertaken without a means of controlling risk, there are likely to be problems.
The internal control banner is being waved by many authorities and regulators. Most authorative bodies on control framework and models are: COSO, CoCo, CobiT and the Basle Committee on Banking Supervision [BCBS] which I overview in this post. Follow on…
COSO Control Framework
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission devised one such model that has an international recognition as a useful standard. All larger organizations need a formal control framework as a basis for their systems of internal control and IIA Implementation Standard 2120.A4 notes the importance of a set of organizational criteria that auditor can use to review control systems (www.coso.org):
Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria. In the past the silo approach has been to consider whatever individual system we were auditing at the time. Systems were defined and audited, while the resultant report detailed the weak areas and how they could be improved. There is no possible way the aggregation of separate internal audit reports over a period could be used to comment on the overall state of controls in an organization. It is only by considering the adopted control model that the internal auditor is able to make board level declarations concerning internal control. In fact we can develop our control model to reflect the valuable platform provided by the control framework.
The control framework needs to be in place to promote the right control environment. Some might argue that the control environment in turn inspires an organization to build a suitable framework, although we will see that our first framework, COSO, incorporates the control environment as a separate component. The framework drives the environment, which in turn enables an organization to develop its control strategy in response to the assessment of various risks to achieving objectives. Risk assessment and control design is fragmented when not attaching to a clear control framework and any audit effort not directed at the big picture will itself be less valuable. The next areas to cover are based around the COSO components and the entire model.
The COSO website gives the official background to their work:
In 1985 the National Commission of Fraudulent Financial Reporting, known as the Treadway Commission, was created through the joint sponsorship of the AIPCA, American Accounting Association, FEI, IIA and Institute of Management Accountants. Based on its recommendations a task force under the auspices of the Committee of Sponsoring Organizations conducted a review of internal control literature. The eventual outcome was the document Internal Control—Integrated Framework. COSO emphasized the responsibility of management for internal control.
Each component of the COSO model is dealt with next. Read on…
Turning once again to the COSO website, their summary of the control environment follows:
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
The COSO website provides a summary of where risk assessment fits into the control equation:
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
The COSO website provides a summary of where this aspect fits into their model:
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and Communication
The COSO website provides a summary of where this aspect fits into their model:
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
The COSO website provides a summary of where this aspect fits into their model:
Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity’s operating activities and exists for fundamental business reasons.
Internal control is most effective when controls are built into the entity’s infrastructure and are a part of the essence of the enterprise. ‘Built in’ controls support quality and empowerment initiatives, avoid unnecessary costs and enable quick response to changing conditions. There is a direct relationship between the three categories of objectives, which are what an entity strives to achieve, and components, which represent what is needed to achieve the objectives. All components are relevant to each objective’s category. When looking at any one category—the effectiveness and efficiency of operations, for instance—all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The COSO model is quite dynamic in that it covers most aspects of structures and processes that need to be in place to provide control. It is difficult to know how a board can state that it has reviewed its systems of internal control without reference to a comprehensive model or criteria for evaluating these controls at a corporate level.
COSO simply asks five key questions:
- Do we have the right foundations to control our business? (control environment)
- Do we understand all those risks that stop us from being in control of the business? (risk assessment)
- Have we implemented suitable control activities to address the risks to our business? (control activities)
- Are we able to monitor the way the business is being controlled? (monitoring)
- Is the control message driven down through the organization and associated problems and ideas communicated upwards and across the business? (communication and information)
If we can assess the quality of the responses to these five questions, we are on the way to achieving control and being able to demonstrate to all parties that their business concerns are in safe hands, even though no absolute guarantees are possible.
CoCo [by CICA] Control Framework
The COSO framework is a powerful tool in that it allows an organization to focus on key structures, values and processes that together form this concept of internal control, far outside the narrow financial focus that used to be the case. The individual is part of the process but it can be hard to get a corporate solution down to grassroots. The criteria of control (CoCo) is a further control framework that can mean more to teams and individuals and includes an interesting learning dynamic. CoCo was developed by the Canadian Institute of Chartered Accountants (CICA) and is now an international standard.
The CICA website (www.cica.ca) gives an account of their understanding of control as a platform for the criteria that was developed:
Control needs to be understood in a broad context. Control comprises those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. The effectiveness of control cannot be judged solely on the degree to which each criterion, taken separately, is met. The criteria are interrelated, as are the control elements in an organization. Control elements cannot be designed or evaluated in isolation from each other. Control is as much a function of people’s ethical values and beliefs as it is of standards and compliance mechanisms.
Control should cover the identification and mitigation of risks. These risks include not only known risks related to the achievement of a specific objective but also two more fundamental risks to the viability and success of the organization:
- failure to maintain the organization’s capacity to identify and exploit opportunities;
- failure to maintain the organization’s capacity to respond and adapt to unexpected risks and opportunities, and make decisions on the basis of the telltale indications in the absence of definitive information.
The principles may be organized according to the four groupings of the CICA criteria of control framework. The main components are explained below:
- Purpose – The model starts with the need for a clear direction and sense of purpose. This includes objectives, mission, vision and strategy; risks and opportunities; policies; planning; and performance targets and indicators. It is essential to have a clear driver for the control criteria and since controls are about achieving objectives, it is right that people work to the corporate purpose. Much work can be done here in setting objectives and getting people to have a stake in the future direction of the organization. The crucial link between controls and performance targets is established here as controls must fit in with the way an organization measures and manages performance to make any sense at all.
- Commitment – The people within the organization must understand and align themselves with the organization’s identity and values. This includes ethical values, integrity, human resource policies, authority, responsibility and accountability, and mutual trust. Many control systems fail to recognize the need to get people committed to the control ethos as a natural part of the way an organization works. Where people spend their time trying to ‘beat the system’, there is normally a lack of commitment to the control criteria. The hardest part in getting good control is getting people to feel part of the arrangements.
- Capability – People must be equipped with the resources and competence to understand and discharge the requirements of the control model. This includes knowledge; skills and tools; communication processes; information; co-ordination; and control activities. Where there is a clear objective, and everyone is ready to participate in designing and installing good controls, there is still a need to develop some expertise in this aspect of organizational life. Capability is about resourcing the control effort by ensuring staff have the right skills, experience and attitudes not only to perform well but also to be able to assess risks and ensure controls make it easier to deal with these risks. Capability can be assisted by training and awareness seminars, either at induction or as part of continuing improvement programs.
- Action – This stage entails performing the activity that is being controlled. Before employees act, they will have a clear purpose, a commitment to meet their targets and the ability to deal with problems and opportunities. Any action that comes after these prerequisites has more chance of leading to a successful outcome.
- Monitoring and learning – People must buy into and be part of the organization’s evolution. This includes monitoring internal and external environments, monitoring performance, challenging assumptions, reassessing information needs and information systems, follow-up procedures, and assessing the effectiveness of control. Monitoring is a hard control in that it fits in with inspection, checking, supervising and examining. Challenging assumptions is an important soft control in that it means people can develop and excel.
Each activity is seen as part of a learning process that lifts an organization to a higher dimension. Some organizations employ people who have tried and failed to start their own high risk venture, on the basis that they have had invaluable experiences that, if they have learnt lessons from, will make them stronger and much more resilient in growing a new business. Organizations that are based around blame cultures will not encourage positive learning experiences, and will interpret controls as mechanisms for punishing people whose performance slips. The CoCo criteria encourages a positive response to feedback on activities.
Control Objectives for Information and Related Technology [CobiT]
This control standard, known as CobiT, 3rd edition, covers security and control for information technology (IT) systems in support of business processes and is designed for management, users and auditors. Several definitions are applied to this standard including:
- Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesirable events will be prevented or detected and corrected.
- IT control objective: Statement of the desired results of purpose to be achieved by implementing control procedures in a particular IT activity.
- IT governance: A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus returns over IT and its processes.
CobiT has four main components (domains) and for these domains there are a further 34 high level control processes:
- planning and organization;
- acquisition and implementation;
- delivery and support;
Basle Committee On Banking Supervision [BCOBS]
This committee reflects the work on internal controls for banking organizations developed by the Basle committee on Banking Supervision which is a committee of banking supervisory authorities established by the central bank governors of the group of ten countries in 1975. It consists of senior representatives of bank supervisory authorities and central banks from: Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States. It usually meets at the Bank for International Settlements in Basle, where its permanent secretariat is located. The committee has spent some time developing principles of internal control that relate to the banking environment and they developed a Framework for Internal Control Systems in Banking Organizations in September 1998.
The work on internal control provided a good platform for their guidance on operational risk management in February 2003, based on ten key principles:
- Principle 1: The board of directors should be aware of the major aspects of the bank’s operational risks as a distinct risk category that should be managed, and it should approve and periodically review the bank’s operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.
- Principle 2: The board of directors should ensure that the bank’s operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.
- Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be consistently implemented throughout the whole banking organization, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank’s material products, activities, processes and systems.
- Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.
- Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
- Principle 6: Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.
- Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.
- Principle 8: Banking supervisors should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risks as part of an overall approach to risk management.
- Principle 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank’s policies, procedures and practices related to operational risks. Supervisors should ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at banks.
- Principle 10: Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.
What to Do About Internal Control?
In terms of all organizations across all public and private sectors, it is important that each decides what to do about its system of internal control. There are several options:
- Do nothing. On the basis that individual controls are in place and working and that this is good enough to satisfy stakeholders.
- Document the existing control arrangements and develop them further to reflect an agreed corporate internal control framework.
- Invent a model. Each organization may develop a unique perception of its controls and have this as its corporate internal control framework.
- Adopt an existing published framework. Here the organization will simply state that it has adopted COSO, or CoCo or some version that the regulators promote.
- Adapt an existing framework to suit the context and nuances of the organization in question. An international control framework may then be used as a benchmark to develop a tailored framework that fits the organization in question.
- Selectively use all the available published material as criteria to develop a control framework that suits. Similar to 5 above but draws from all available sources of published guidance.
Whatever the chosen solution, each organization should publish a policy on internal control and in developing the policy it will become clear that decisions have to be made along the lines suggested by options 1 to 6.