Leveraging the COSO Internal Control Update for Advantage
PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.
PwC has taken credit for writing the update – and I am happy to give them the credit, but if they want that then they also have to recognize the limitations.
Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).
Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.
PwC shares their approach, which I don’t think is correct as it is not risk-based.
Here is mine:
- Do you understand the risks to your mission-critical objectives?
- Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
- Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
- As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?
I welcome your views.
I see PwC published this document more than 18 months ago. I wonder whether they would agree with some of your statements if they were to revisit their May 2013 findings today.
“to any and all objectives, including internal financial reporting and all forms of non-financial reporting” – from my limited experience in internal audit, I know that my previous CAE also thought the same way.
I cannot agree more with your assessment of the approach some people believe should be taken with COSO.
The thing I’ll never understand in some of those concepts is that risks are somehow “created” or “introduced” when you change the way of dealing with them (e.g. changes in processes or the catastrophic event of implementing more IT).
Would you agree with me that every form of organization is in itself a sort of “control” – in comparison to basically chaotic ad-hoc transaction handling?
Maybe for just some people you need to amend your aforementioned listing with a
0. Do you understand your business including products, markets, politics, regulations, etc.?
It should be obvious, sure, but that is – as I see it – the area where the risks come from; everything else is either “not applicable” or “lack of control”.
Let’s see.
Kind regards.
Michael, if you say that you structure the organization, or a part of it, to address a risk, then yes – that could be considered a control.