COSO released the draft exposure of “Internal Controls – Integrated Framework” in December 2011 for public comments. The new framework still focuses on the five components of control described in the previous 1992 framework. The major change in the new framework is the explicit description of 17 principles. These describe the fundamental concepts related to the five controls.
The good aspect of the revised framework is that it has incorporated changes in business environment due to globalization, technology and governance regulations. It is more detailed than the original, hence gives a better understanding on a broad level. However, I still felt that some of my pet peeves with the previous framework remain unaddressed. Secondly, there are a couple of concerns regarding the practical application of the principles. I am covering some of my concerns below. Share your opinion with me, whether you agree or disagree and what changes would you suggest?
1. Definition of Internal Control
This is an old grouse, I am not in complete agreement with Internal Control definition given by COSO. In the current version I was hoping some changes would be made, but the definition remains the same. COSO defines internal control as
“Internal control is a process, effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following areas:
- effectiveness and efficiency of operations
- reliability of reporting
- compliance with various laws and regulations“
“Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss.“
This according to me excludes the major portion of management issues. In an organization, the flow in linear form is as follows:
Most business failures and large-scale frauds occurred – Enron, Swiss Air, Olympus, Satyam – due to failure of top management, incorrect strategies or deviant/ aggressive cultures. In rare cases only, a major fraud occurred solely due to process or technology failure.
Additionally the framework states in Risk Assessment section “However, identifying and assessing potential opportunities is not part of internal control.” Hence, the upside risks are excluded from the assessment. In present day organizations, processes established for strategy, innovation, research and creativity give them competitive advantage. Without these organizations cannot be said to be operating effectively as they are leaving a lot of cash on the table. Hence, isn’t it misleading to give an assurance of effectiveness and efficiency of operations based just on assessing coverage of downside risks in finance, business and technology processes. Would it be more appropriate to replace “effectiveness and efficiency of operations” with “adherence to established operation processes”?
2. Impact of Organization Culture
The COSO framework mentions the focus on internal control culture under “control environment.” It states:
“Control environment is sometimes seen as synonymous to internal control culture, in that elements that make one strong, such as integrity and ethical values, oversight, accountability, and performance evaluation, make the other strong as well.”
My concern is that internal control culture cannot be considered in isolation of organization culture. Aggressive, passive-aggressive, consultative, etc. organization cultures have an impact on internal control environment. For example, in a deviant organization culture management override is significant. Hence, an internal auditor or a risk manager cannot assess the risks without understanding the overall organization behavior and attitudes.
Therefore, in my view, the framework should cover on a broad level the types of organization culture, the risks associated with it and the methods to assess it. Though, this may come under organization behavioral psychology, a high-level understanding is required to conduct a proper assessment of internal control environment.
3. Strategic Risks
The COSO framework is focused on risks that threaten operations and regulatory requirements. It does not cover strategic risks unlike the ERM framework. Moreover, it does not even cover the process of strategy formation. As I had mentioned in earlier posts on strategic risks, strategies frequently fail due to the organization having inadequate strategy formation processes.
The issue becomes debatable more so, considering the following statements given in the framework
“Objectives - how management will create, preserve and realize value for its stakeholders”
“Setting objectives is a key part of management and a perquisite to strategic planning“
“Operations objectives relate to achievement of entity’s basic mission – the fundamental reason for its existence”
A good strategy basically protects the capital and generates earnings. Hence, evaluating internal controls on strategic planning process is critical to ensure management is maximizing value for its stakeholders. The fundamental question to ask is – without a strategy, can management do so?
The framework further mentions -
“Internal control cannot prevent bad decisions or judgments being made. It can only ensure management is aware of the direction entity is following.”
Hence, to me this sounds more like an assurance being given that “nothing is majorly wrong” instead of “everything is working properly”. To highlight my concern, let me give an example of Infosys. The company has recently entered into an agreement with an Australian company Portland Group Pty to acquire it for Rs 180 crore (USD 34 million ). However, investors have complained previously that Infosys management is extremely conservative on acquisition and mergers as it has cash reserves of Rs 18,601 crore (USD 3509 million ) as on 30 Sep 2011. In this scenario, can one say that Infosys is efficiently using its cash resources and maximizing shareholder value? May be a broader outlook is required for business management.
Some other aspects that I felt the framework needs to focus on are:
1. Linkages and relationship with Internal Control and Enterprise Risk Management Framework
2. Linkages and relationship with the technology controls mentioned in COSO framework with COBIT framework.
3. Though now there is some coverage on calculating benefits of internal control and conducting a cost-benefit analysis, more details on benefits would be useful.
4. A chapter on the process to be followed for designing and implementing internal controls would be helpful. Presently, the major focus is on evaluating and assessing internal controls.
5. Principle 4 of control environment – Demonstrates commitment to competence, may be difficult to evaluate for an internal auditor. Can an internal auditor really evaluate competence of senior managers and be taken seriously when CAE’s don’t even get a seat on the board? Hence, though it sounds good on paper, it may not be practical.
The framework is a step in the right direction and definitely an improvement over the previous one as it addresses the existing business environment risks. However, as the revision has come in after twenty years one would expect to be more progressive by projecting the trends in the business environment, and guiding on internal controls issues envisaged in future. My question is – do you think with the changing business environment this framework will be relevant five years down the line?