Understanding the Updated COSO Framework, Part II
Part II of our series to better understand the COSO Framework will cover the first of five internal control components, the Control Environment. We will analyze the COSO Framework principles related to the Control Environment. These principles will aid in creating a well-rounded control environment in your entity.
Control Environment
There are five principles related to the control environment component of internal control. The first principle is: The entity demonstrates a commitment to integrity and ethical values.
This principle involves management and the board of directors setting the tone at the top with regard to the importance of positive, ethical behaviors. If employees see management and the board acting in this manner, the importance of these behaviors will be felt throughout the Organization. These behaviors are made known through day-to-day interactions with customers, suppliers, financing sources, external auditors, and attorneys. Additionally, these core ethical values and behavioral standards should be put in writing, possibly through a Code of Conduct. This code would emphasize and address integrity, ethics, conflicts of interest, illegal or improper payments, and anti-competitive practices.
It is also important to set and communicate clear penalties for violation of the Code of Conduct and policies, applying both to the individual participating in the violation and to any employees who may be aware of such wrongdoing and fail to report it. Depending on the size of the Organization, an internal audit department could verify that each employee has received the Code of Conduct and confirmed compliance with it. The Organization could also provide an anonymous hotline, administered by a third party, to provide a mechanism for employees to report fraud or any other unethical activities.
The second principle is: The board of directors or audit committee demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting.
This principle involves, first and foremost, having board members who are independent of both management and the Organization. For example, if board members are independent, they are less likely to be wrongly influenced by management, and more likely to present alternative ideas and take appropriate actions if illegal or unethical actions are found. Aside from independence, take into account a person’s background, experience within the industry, and reputation when selecting board members. An independent board could help provide a healthy level of skepticism that is necessary to provide the greatest benefit to the Organization.
Depending on the size of an Organization, board members could also set up different committees to add oversight to various areas of the Organization. A common example is an audit committee, which provides further insight by establishing an open line of communication with the middle management of an Organization to assist in identifying potential fraud occurring at the senior management level.
The third principle is: With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of financial reporting objectives.
This principle involves senior management and the board of directors establishing processes and creating reporting relationships and protocols to help create a strong control environment, as well as allowing the Organization to embrace new ideas and initiatives. When Organizations need to determine how to structure and delegate responsibilities, several factors need to be considered, such as whether to structure by business unit, product/service line, geographic market, or legal entity. Additional considerations should include whether there is more risk involved in achieving the entity’s objectives internally or through outsourced providers.
Lastly, the board and senior management need to determine the proper level of delegation of authority and responsibility for completion of tasks. For example, delegation of authority could speed up the decision-making process, and management and employees should be held accountable as they are granted more authority. Keeping employee competence top of mind is of utmost importance for a strong control environment.
The fourth principle is: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting objectives.
This principle involves the necessity of having individuals on staff who possess the knowledge and skills necessary to complete their responsibilities. If this is not done, the overall effectiveness of internal controls will be impaired. This could be accomplished by defining job descriptions so individuals involved in the hiring process know exactly what skillset to look for. Next, annual performance reviews and feedback should be provided to employees. This allows for open communication between the employee and the employer regarding job responsibilities, accomplishments, and areas for improvement. Perhaps most important is having a contingency plan in place for succession. Management and the board of directors should work together to develop a succession plan which addresses the transfer of assignment of internal control duties when the leadership of the entity changes.
The fifth principle is: The entity holds individuals accountable for their internal control responsibilities.
The last principle completes the control environment and ties the other principles of the control environment together. If individuals are not held accountable for their responsibilities, the first four principles of the control environment will not be effective. Employees should be held accountable for their actions and responsibilities, but management should ensure that responsibilities and goals are clearly defined and, most importantly, reasonable. If performance goals are unreasonable, this may create unnecessary pressure on the employee and cause them to act unethically, thus negating the effectiveness of the control environment. Management should make sure that the goals of the organization, the methods of achieving the goals, and the rewards for achieving those goals are appropriately aligned and communicated.
Future KT newsletters will review the remaining four components of internal control and their corresponding COSO Framework principles. Please contact Traci Hanson, Shelley Goodrich, or Sandra Weaver with specific questions. The Framework can be purchased from COSO’s website at www.coso.org.