Leveraging the COSO Internal Control Update for Advantage
PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.
PwC has taken credit for writing the update – and I happy to give them the credit, but if they want that then they also have to recognize the limitations.
Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).
Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.
PwC shares their approach, which I don’t think is correct as it is not risk-based.
Here is mine:
- Do you understand the risks to your mission-critical objectives?
- Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
- Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
- As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?
I welcome your views.