The most important sentence in COSO

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

  1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
  2. You need to know the risk to those objectives
  3. You need to know what is an acceptable level of risk for each objective, and
  4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

  • Each of the five components of internal control and relevant principles are present and functioning
  • The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know that at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary: it is provided to help with the assessment of whether risk is at acceptable levels.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this through the (COSO) risk lens, it translates as follows: internal control can be assessed as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

  1. If a deficiency is severe enough to adversely affect the likelihood of achieving the objective(s), then the risk is outside acceptable levels.
  2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
  3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
  4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

  1. Ravindra Kulkarni
    April 26, 2015 at 1:06 PM

    It's a fantastic piece of article… an eye opener… Thanks a lot Mr. Norman Marks.

  2. Deb
    April 27, 2015 at 12:44 AM

    Yes, a real eye opener, Norman. And a heartening one – at last we have confirmation that the COSO framework (contrary to first impressions) is not totally blind to the core requirement of everything to be filtered through the lens of robust risk management.

  3. April 27, 2015 at 2:08 AM

    The sentence you say is “the most important sentence in COSO” is:

    “An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.”

    From that you conclude that “The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.”

    But the paragraph you took the sentence out of and the sentence itself, both talk about Internal control, not of controls. It is not an exposition of “the purpose of controls”.

    The paragraph goes on to say (about internal control, not controls),

    “It requires that:
    Each of the five components of internal control and relevant principles are present and functioning
    The five components are operating together in an integrated manner.”

    The lamentation that, “when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components”, is all the more surprising and in my opinion, reckless.

    The discussion of “deficiency” puts, in a nutshell, all that is wrong with current thinking on risk management. When is a deficiency not a deficiency? When it is not a major deficiency?

    Are organisations to believe that “… if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.”

    It does not matter for what purposes that view of deficiency is. The strictest criteria, even if internal, applicable to an organisation are the ones to work to. When controls address insignificant risks, internal control is inadequate.

    As for the purpose of internal control? Its definition, shortened for clarity, says, “Internal control is a process, … designed to provide reasonable assurance regarding the achievement of objectives….”

    Similarly, “Enterprise risk management is a process, … designed … to provide reasonable assurance regarding the achievement of entity objectives.”

    It is wrong, therefore, to say “Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!”

    Objectives are! And “understanding what is an acceptable level of risk to objectives” is just one of the things to understand about, I dare say, ANY risk management framework.

  4. April 27, 2015 at 6:17 AM

    Can you explain the blindness of so many to the most important sentence in the entire Framework?
    The only reason I can give is that the principles and attributes seem to have been plucked out of mid-air. I would have thought that COSO should have decided on the objectives of the framework (Control Environment, Risk Assessment etc) and then considered the risks threatening the achievement of those objectives. The controls managing these risks would then become the principles. These high-level controls also have risks to their achievement, the attributes being the low-level controls. I know this is a bit convoluted but it would drive home the connection between objectives, risks and controls. I do get the impression that COSO don’t really understand the objective/risk/control connection. Why else would they have a risk framework separate to an internal control framework?

  5. Horacio
    April 29, 2015 at 11:58 AM

    Great analysis and thoughts Norman, Thanks for sharing!

  6. Dan Miller
    May 1, 2015 at 2:04 PM

    Norman – Listening to your Resolver “Is it Time to Change Your SOX” webinar earlier this week and comments from Neil and Phil that their transition to COSO 2013 was a non-event and led to very little change, I was left to wonder and I have to ask: was the time and effort spent by COSO folks to update the framework worthwhile, and is it a good use of a company’s limited resources to go through the effort of transitioning to COSO 2013 (assuming the company already has a well-designed SOX program aligned with the 92 Framework and AS5)? My experience helping my company transition to COSO 2013 was the same as Neil and Phil’s and the same as other practitioners with whom I’ve spoken – a non-event with little resulting change. I agree with Bob and the COSO folks that it is not a revolution, but can we even rightly call it an evolution? Evolved in what way? To be frank, knowing what I know now, if I was presented with the option of using my IA team’s precious limited resources to either transition to COSO 2013 or perform a standard audit/review (e.g., an infosec review, project assurance over a system implementation), I’d choose the latter. Was the 2013 Update anything more than just an opportunity to remind folks about the importance of controls or (I hope not) a self-serving occasion to bring the COSO name forefront again for another 15-minute stint in the spotlight? I think these are important questions because if we keep alerting our audit committees / bosses to more upcoming changes in frameworks/standards/guidance and subsequently can only point to “a pizza cut up into more slices” without any substantive change/benefit, we’re going to lose credibility as standard setters and practitioners. And it makes me question whether I should even bother to look at future roll-outs (e.g., the COSO ERM update). (Again, this is all assuming we were already doing what we were supposed to do with a top-down risk-based SOX program). Am I being too harsh? Did I miss out on some benefit of the 2013 Update? I’d appreciate your thoughts. And even better if you’re able to bring Neil, Phil and Bob into the conversation.

    • Norman Marks
      May 4, 2015 at 3:08 PM

      Dan, I have feedback from Bob Hirth of COSO for you. What’s your email?

      • Dan Miller
        May 4, 2015 at 7:24 PM

        Norman – My email address is: dmiller048@yahoo.com.

        Thanks for bringing the others into the discussion. Much appreciated. On your and Neil’s advice, I’m going to re-read the Monitoring section as well as think more deeply about how I might apply the Updated Framework outside of SOX.

        The webinar was good specifically because you had top-notch folks in our profession candidly sharing real experiences. I’ll be tuning in to the next webinar. Keep up the good work!

  7. Norman Marks
    May 1, 2015 at 2:19 PM

    Dan – great challenge and thanks for asking the question. I have shared it with Phil, Neil, and Bob.

    My thoughts:

    1. The SEC insists that we make the transition.
    2. The external auditor will, rightly, ask how we have satisfied ourselves that the principles are present and functioning, at least to the extent that there are no material weaknesses.
    3. We need evidence to support that belief.
    4. Until we had 2013, the work that we needed to do on the Control Environment (especially) and (to a much lesser extent) the other components was very much a matter of judgment and was inconsistent. The Principles provide a level of granularity that enables us to design the scope of SOX work with more certainty that we are identifying what is important to the assessment of ICFR.
    5. The discussion of Monitoring in the 2013 update is very good (and it’s time for COSO to discard the separate misguidance on Monitoring). There are other areas where the guidance is upgraded, but this, for me, is the most significant. I have encountered one company where almost all its key controls are Monitoring activities! Very effective!
    6. I have a problem with the COSO ERM Framework, especially the way in which it is interpreted and applied to the reduction of risk instead of the taking of the right level of the right risk. I applaud the pending update – as long as the project team and COSO board listen to the risk practitioners who understand the modern practice of integrated risk management – integrated into the daily practice of management.

    Does that help?

    I hope you enjoyed the webinar and will join us for the next two in the series.

  8. May 3, 2015 at 10:36 AM

    I think the blindness Norman points to owes much to the way in which the COSO framework has been used (i.e., primarily for SOX 404) and how most organizations approached SOX 404 (i.e., rushing, along with their auditors, to identify, document, test and remediate control activities – without much thought about the framework at all).

    One of the great but underappreciated values of the updated framework is that it created an opportunity / mandate for organizations to recognize, understand, and close the gaps in the other components of their systems of internal control. Another is the reiteration of the idea that controls are responses to risks – the need to understand which risks need to be mitigated is essential, but generally paid lip service, if not completely overlooked.

    I note the comments above from Mr. Griffiths. While I do agree that the ERM framework is problematic, for many reasons, I do not agree that the principles articulated in COSO 2013 were plucked from the air at all. Almost all of the principles were previously put forward by COSO in 2006 as part of the ICOFR – Guidance for Smaller Public Companies – these principles were taken from key points in the text of the 1992 framework. I had the opportunity to serve as a member of the Advisory Council that supported PwC and the COSO board in drafting COSO 2013, and while I accept that a more robust research-based set of principles might be desirable, the set of principles COSO adopted have more than a small claim to legitimacy. Rooted in the 1992 Framework, articulated in the 2006 guidance, refined and updated and then circulated for comment by the COSO board in 2013, I think the principles effectively convey what COSO believes to be important to the design of effective systems of internal control (agreeing with Norman completely on the importance of the key sentence in that definition). I do not believe it is helpful to confuse principles with control activities.

    • Norman Marks
      May 3, 2015 at 3:10 PM

      Neil, thanks for joining the conversation and sharing your insights. Much appreciated.

      I have no problem with the principles. I am not sure they are all-inclusive, but they are certainly appropriate for every organization to strive for – and deliver.

      I also like the fact that the word “relevant” is inserted – when COSO 2013 talks about “relevant principles”. I think that as we grow in our use and experience with 2013, we will be able to identify more situations where the achievement of a principle has little effect on the risk to an objective. For example, it can be difficult to see how a failure of the members of the board to be independent of management affects the integrity of financial reporting, achievement of revenue targets, and so on. It is an important attribute of an effective board, but its effect is so distant from many if not most objectives, that it is difficult to see how it is relevant. In the first years of 2013 and SOX, I think we should assume it is relevant – and my hope is that, in time, we will be able to test each Principle for relevance to the objectives we are assessing.

      Neil, have you looked at the standard PowerPoint deck provides on COSO 2013? The most important sentence is missing! I have tried, without success, to get it inserted – but the deck only talks about components and principles.

  9. January 29, 2016 at 3:46 PM

    It’s great that you’re publicizing the COSO framework. It’s just as important for data security as it is for financial compliance. Small companies with limited IT budgets will have a few people wearing many data security hats. Mentoring these companies as they grow means showing them how to divide data responsibilities among the CTO, CISO, and Chief Data Officer (CDO). I saw different approaches to this solution back in 2014 at Data Connectors’ Tech Security Conference: http://alfidicapitalblog.blogspot.com/2014/12/alfidi-capital-at-data-connectors-san.html
