The most important sentence in COSO
In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.
That sentence is:
An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.
The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.
To me, this means that:
- Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
- You need to know the risk to those objectives
- You need to know what is an acceptable level of risk for each objective, and
- You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels
You may ask, “Where is that sentence?” because when consultants (and even COSO and the IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.
In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.
This is how that section starts:
An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:
- Each of the five components of internal control and relevant principles are present and functioning
- The five components are operating together in an integrated manner
There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.
In fact, I believe – and I know at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.
Let’s have a look at the very next paragraph in the section:
When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.
Viewed through the (COSO) risk lens, this means that internal control can be assessed as effective, and the principles and components as present and functioning, as long as no deficiency in internal control is rated as “major”.
How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.
An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.
Let’s translate this as well:
- If a deficiency’s effect on the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
- If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
- When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
- That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.
So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.
Do you see what I mean?
Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!
Why are so many blind to this most important sentence?
I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)
Do you have a better theory?
Can you explain the blindness of so many to the most important sentence in the entire Framework?