Comments on COSO revised Internal Control – Integrated Framework

COSO released the exposure draft of “Internal Control – Integrated Framework” in December 2011 for public comment. The new framework still focuses on the five components of control described in the previous 1992 framework. The major change in the new framework is the explicit description of 17 principles, which describe the fundamental concepts related to the five components.

A good aspect of the revised framework is that it has incorporated changes in the business environment due to globalization, technology and governance regulations. It is more detailed than the original, and hence gives a better understanding at a broad level. However, I still feel that some of my pet peeves with the previous framework remain unaddressed. Secondly, there are a couple of concerns regarding the practical application of the principles. I am covering some of my concerns below. Share your opinion with me: do you agree or disagree, and what changes would you suggest?

1. Definition of Internal Control

This is an old grouse: I am not in complete agreement with the definition of internal control given by COSO. I was hoping some changes would be made in the current version, but the definition remains the same. COSO defines internal control as:

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following areas:

  • effectiveness and efficiency of operations
  • reliability of reporting
  • compliance with various laws and regulations”

My concern is about the first bullet, “effectiveness and efficiency of operations”. Before I give my view, let me further share the COSO definition of operations objectives.

“Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss.”

In my view, this excludes the major portion of management issues. In an organization, the flow in linear form is as follows:

Top Management > Strategy > Culture (People) > Finance > Process > Technology.

Most business failures and large-scale frauds – Enron, Swissair, Olympus, Satyam – occurred due to failure of top management, incorrect strategies or deviant/aggressive cultures. Only in rare cases has a major fraud occurred solely due to process or technology failure.

Additionally, the framework states in the Risk Assessment section: “However, identifying and assessing potential opportunities is not part of internal control.” Hence, upside risks are excluded from the assessment. In present-day organizations, the processes established for strategy, innovation, research and creativity give them competitive advantage. Without these, organizations cannot be said to be operating effectively, as they are leaving a lot of cash on the table. Hence, isn’t it misleading to give an assurance of effectiveness and efficiency of operations based just on assessing coverage of downside risks in finance, business and technology processes? Would it be more appropriate to replace “effectiveness and efficiency of operations” with “adherence to established operation processes”?

2. Impact of Organization Culture

The COSO framework mentions the focus on internal control culture under “control environment.” It states:

“Control environment is sometimes seen as synonymous to internal control culture, in that elements that make one strong, such as integrity and ethical values, oversight, accountability, and performance evaluation, make the other strong as well.”

My concern is that internal control culture cannot be considered in isolation from organization culture. Aggressive, passive-aggressive, consultative and other organization cultures have an impact on the internal control environment. For example, in a deviant organization culture, management override is significant. Hence, an internal auditor or a risk manager cannot assess the risks without understanding the overall organization behavior and attitudes.

Therefore, in my view, the framework should cover at a broad level the types of organization culture, the risks associated with them and the methods to assess them. Though this may come under organizational behavioral psychology, a high-level understanding is required to conduct a proper assessment of the internal control environment.

3. Strategic Risks

The COSO framework is focused on risks that threaten operations and regulatory requirements. It does not cover strategic risks unlike the ERM framework. Moreover, it does not even cover the process of strategy formation. As I had mentioned in earlier posts on strategic risks, strategies frequently fail due to the organization having inadequate strategy formation processes.

The issue becomes more debatable considering the following statements given in the framework:

“Objectives – how management will create, preserve and realize value for its stakeholders”

“Setting objectives is a key part of management and a prerequisite to strategic planning”

“Operations objectives relate to achievement of entity’s basic mission – the fundamental reason for its existence”

A good strategy basically protects the capital and generates earnings. Hence, evaluating internal controls over the strategic planning process is critical to ensure management is maximizing value for its stakeholders. The fundamental question to ask is: without a strategy, can management do so?

The framework further mentions:

“Internal control cannot prevent bad decisions or judgments being made. It can only ensure management is aware of the direction entity is following.”

Hence, to me this sounds more like an assurance that “nothing is majorly wrong” instead of “everything is working properly”. To highlight my concern, let me give the example of Infosys. The company has recently entered into an agreement to acquire an Australian company, Portland Group Pty, for Rs 180 crore (USD 34 million). However, investors have complained previously that Infosys management is extremely conservative on mergers and acquisitions, as it had cash reserves of Rs 18,601 crore (USD 3,509 million) as on 30 Sep 2011. In this scenario, can one say that Infosys is efficiently using its cash resources and maximizing shareholder value? Maybe a broader outlook is required for business management.

4. Miscellaneous

Some other aspects that I felt the framework needs to focus on are:

1. Linkages and relationship between the Internal Control framework and the Enterprise Risk Management framework.

2. Linkages and relationship between the technology controls mentioned in the COSO framework and the COBIT framework.

3. Though there is now some coverage on calculating the benefits of internal control and conducting a cost-benefit analysis, more detail on benefits would be useful.

4. A chapter on the process to be followed for designing and implementing internal controls would be helpful. Presently, the major focus is on evaluating and assessing internal controls.

5. Principle 4 of the control environment, “Demonstrates commitment to competence”, may be difficult for an internal auditor to evaluate. Can an internal auditor really evaluate the competence of senior managers and be taken seriously when CAEs don’t even get a seat on the board? Hence, though it sounds good on paper, it may not be practical.

Closing thoughts

The framework is a step in the right direction and definitely an improvement over the previous one, as it addresses the risks of the existing business environment. However, as the revision has come after twenty years, one would expect it to be more progressive by projecting the trends in the business environment and giving guidance on the internal control issues envisaged in the future. My question is: with the changing business environment, do you think this framework will be relevant five years down the line?


  1. Internal Controls – Integrated Framework
  2. Infosys News

2 comments on “Comments on COSO revised Internal Control – Integrated Framework”

  1. Sonja, as usual your logic is sound and I would support most of what you have said. I’d however like to point out that there may be differences in interpretation that may result in others not seeing it exactly the way you do (as you’d naturally expect). Two examples come to mind. The first relates to your issue about strategic risk not being highlighted, and you use certain definitions from the framework to support your argument. My view is that strategy is adequately addressed, as the premise from which the authors operate is the mission of the organisation. That in itself tells me that strategy is a fundamental consideration in the framework, but I do agree that it’s open to interpretation. The second area I would question is your analysis of the Infosys cash management policies. Although you don’t say so, you seem to imply (at least that’s my interpretation) that you don’t agree that the levels of reserves they maintain could be maximising shareholder value. I guess it all depends on what their risk appetite is, and given the exposures certain companies left themselves with during the financial crisis it may well be a very sound, albeit prudent, strategy.

    • Fred,

      Thanks for sharing your views. Yes, I agree that others may not share my views, and they are debatable. Addressing your first question, strategy, as you are saying, is fundamental to the framework. As I understand, you are deriving this viewpoint because the framework states that objectives have to be created from business strategy. That line is correct.

      However, the framework nowhere states that reviewing the strategy planning process is under the scope of internal control. That is my contention. Secondly, it doesn’t state in the objectives that strategic risks are to be covered. It basically mentions that evaluating strategy or relevant decisions is not part of internal control. That is the point I am making.

      Second, as you mentioned about Infosys, the risk appetite may be low. The framework says that deciding on risk appetite is part of ERM and not internal control. Moreover, I said the investors are complaining about huge cash reserves; it is not a personal or professional viewpoint. I am giving that example from the perspective of maximizing shareholder value and assessing operating efficiency. It definitely is the company’s prerogative to invest or not. However, considering this factor, how can we judge, evaluate or give assurance that the organization is using all assets efficiently? I would say that it is a highly complex and debatable issue. Then, in this light, would you consider an assurance certificate or report foolproof, misleading or subject to misinterpretation? Would you say that the report gives the full picture or a partial viewpoint?
