New Internal Control Framework
If it is not broken why fix it? – Is this practical or a myth?
We have all heard about the theory of “survival of the fittest”, which applies to humans, animals and businesses alike. This theory has stood the test of time and demonstrates that things do not remain static but are subject to change. Businesses like Nortel, Enron, WorldCom and Adelphia did not adapt to change, ultimately failed and became extinct.
In today’s rapidly changing world it is a prerequisite for companies to be able to react quickly to change, otherwise they will fall behind their competitors, lose their competitive advantage, be susceptible to takeovers and at worst face bankruptcy. Unfortunately there is often resistance to change although it is necessary for survival. As Dr. Dennis O’Grady stated: “Change has a bad reputation in our society. But it isn’t all bad — not by any means. In fact, change is necessary in life — to keep us moving … to keep us growing … to keep us interested. Imagine life without change. It would be static … boring … dull.”
The concept of businesses embracing change early to increase their life cycle is illustrated in the following graph:
This graph highlights that at some point in a company’s life cycle it will be forced to make decisions that will impact its future. These decisions can result from changing competition, technology, changes in demand or legislation. Which road would you like to see your business go down – the healthy business curve, the slow death or crash and burn?
Unfortunately, staying on the healthy curve requires the company to be proactive and make suitable investments to adapt to change. In these days of economic hardship there is likely to be a mindset of “if it is not broken why fix it”, because change almost inevitably has an associated cost which may not be particularly palatable, especially during the recession. How do you justify making changes when existing processes appear to have been working satisfactorily for years?
Many may think that the Committee of Sponsoring Organizations’ (“COSO”) Internal Control Framework, introduced in 1992, still meets the needs of organizations. However, this approach can be somewhat foolhardy, as it does not promote continual improvement within an organization, and the opportunity to add value can be missed if organizations do not adopt the new COSO Framework (2013). In simple terms, adopting current best practice is equivalent to making sure that your organization meets the requirements of staying on the “healthy business curve”.
The Updated COSO – Internal Control Framework – why change?
Much has happened in the business environment since the initial Internal Control Framework (1992) was introduced. Some of the drastic changes in the business environment since 1992 are:
- Increased expectations for governance;
- Risk and risk-based approaches have received more attention;
- Increased business complexity;
- Technology has evolved dramatically;
- Internal control breakdowns including the derivatives fiascos of the 1990s;
- Increase of political, social and financial market volatilities.
While no framework can provide all of the answers to the above there was undoubtedly a case for updating the existing framework to meet the challenges of today’s business environment.
The new COSO Internal Control Framework (2013)
What has changed?
The new framework has a number of changes including but not limited to:
- Codifying 17 principles that support the 5 components of the original internal control framework (control environment, risk assessment, control activities, information & communication and monitoring activities)
- These 17 principles have been underpinned by 77 focus points that all companies should consider when adopting a control framework. It is all good and well having an understanding of the bigger picture (the 17 principles) but this will not achieve the company’s objectives if the detailed support structures are not put in place (the focus points).
- Recognizing the increased reliance on technology. Large stand-alone mainframe environments have moved to highly sophisticated, decentralized, mobile applications involving multiple real time activities. Not many people acknowledge the fact that cybersecurity attacks happen on a daily basis.
- Enhanced discussion and guidance on governance concepts
- Enhanced consideration of anti-fraud expectations (which is particularly relevant in times of recession)
- Increased focus and more guidance on non-financial activities
The most significant change
The most significant change is the codifying of 17 principles and 77 focus points, which represent important characteristics of each principle, and in turn support the 5 control components. This information facilitates a better assessment of whether the components of internal controls are functioning and operating effectively. There is a common saying that “you cannot see the forest because of the trees”. However, this approach allows companies to look at the detail as well as the bigger picture and hence they are able to see both the forest and the trees. It therefore helps senior management see the big picture while also giving more guidance to process owners as to how to implement improvements at a process level.
Without going into the detail of each of the 17 principles and the 77 points of focus, the following two tables highlight COSO’s new framework using the control environment as an example:
- Step 1 – Develop Awareness, Expertise and Alignment
- Step 2 – Conduct Preliminary Impact Assessment
- Step 3 – Facilitate Broad Awareness, Training and Comprehensive Assessment
- Step 4 – Develop and Execute COSO Transition Plan
- Step 5 – Drive Continuous Improvement
The transition should be tailored to meet the needs of the particular organisation. Start making the changes now as your company deserves to be “Great” rather than “Good”.