Wednesday, March 14, 2012
COSO 2011 DRAFT- COMMENTS and RECOMMENDATIONS
COSO 2011 DRAFT- COMMENTS and RECOMMENDATIONS
by John Kyriazoglou*
Submitted on date: 14 March 2012
This document contains the details comments and recommendations of John Kyriazoglou (credentials at the end of this document) as the result of reviewing the 2011 COSO Draft Exposure, available at: http://www.ic.coso.org/provide-feedback.aspx
These relate to a variety of issues, such as: Comparison of new COSO (2011 version) to COSO 1992 Model, Using and applying new COSO framework, Strategy, Importance of strategy, Strategic and operational control, Objectives, Objective setting and internal control, General business goals, Business objectives, Principles, Internal Control Activities, Preventive and Detective controls, The role of the board in strategy, Lines of Defense, Performance Measures, Performance and risks, Role of board and management in performance, Role of board and management in accountability for internal control, Role of data privacy officer, Technology general controls, General IT Controls, Application Systems Controls, Safeguarding of assets, Audit trail, Compliance measurement, Business process control activities and Glossary.
A. GENERAL COMMENTS
Comparison of new COSO (2011 version) to COSO 1992 Model
1. The new COSO (2011 version) is definitely an improvement over the old COSO (1992 version).
2. The principles approach is good guidance. It provides a foundation upon which to build your own control model.
3. The description and use of objectives, risk and compliance are also very good.
Using and applying new COSO framework
4. The new COSO framework may be directly applicable to business or commercial or financial transaction-oriented organizations like most private companies, where there is an exchange of assets (information, goods/products, services, etc.) for payments. It may not be applicable to organizations that provide services without generating business or financial transactions, like public ministries, etc., which exchange information, goods/products or services and which also do not charge for their services. Also some real-life examples and case studies on applying the new COSO would make this new framework more helpful.
5. Several conceptual issues, however, must be cleared and dealt with. See my detail comments next.
B. DETAIL COMMENTS
6.1. Strategy in COSO: In the new COSO document, this strategic aspect of organizations does not exist in its proper status. Strategy, in one small reference, is conceptualized as being subservient to operations! It should be the other way around. Strategic objectives are contained in the 2004 Enterprise Risk Management- Integrated Framework. Why are they not included in this framework?
6.2. Importance of strategy: I conceptualize organizations as living organisms. They envision where they should be going to by formulating a vision, mission and values. These drive, enable and lead management to craft and implement a strategy. The specific corporate strategy is effected by operational transactions with the production and delivery of products, services, results and outcomes (the strategic and operational control process). All of these aim to benefit its stakeholders and society.
6.3. Strategic and operational control: Strategic and operational control is the process by which managers monitor the ongoing activities of an organization and its members to evaluate whether activities are being performed efficiently and effectively and to take corrective action to improve performance if they are not. First, strategic and operational managers choose the organizational strategy and structure they hope will allow the organization to use its resources most effectively to create value for its customers. Second, strategic and operational managers create control systems to monitor and evaluate whether, in fact, their organization’s strategy and structure are working as the managers intended, how they could be improved, and how they should be changed if they are not working. Strategic and operational control does not just mean reacting to events after they have occurred; it also means keeping an organization on track, anticipating events that might occur, and responding swiftly to new opportunities that present themselves. Thus strategic and operational control is not just about monitoring how well an organization and its members are achieving current goals or about how well the firm is utilizing its existing resources. It is also about keeping employees motivated, focused on the important problems confronting an organization now and in the future, and working together to find solutions that can help an organization perform better over time
7.1. Conceptual clarity: Categories of objectives (operations, reporting, compliance) are fine. I think that strategy is missing (see my point 6 for explanatory details). Also these objectives are not well connected, conceptually, at least. Objectives should follow the chain that would link them and bond them together in the following sequence:
7.1.1. Vision, mission and values statements are promulgated and communicated.
7.1.2. These enable, facilitate and develop corporate and operational strategy and business goals. 7.1.3. Business goals become more specific as objectives by senior and middle-level management.
7.1.4. The achievement of objectives are to be compared if achieved to performance targets.
7.1.5. All of these are to be managed by a performance management system. No such clear link is represented in the new COSO framework.
7.2. Objective setting and internal control: The statement made in the new COSO that ‘objective-setting is not part of internal control’, is, I think, quite wrong: see reasons noted in points 7.1 and 6 before.
7.3. Business goals and objectives: The term ‘objective’ in the new COSO needs a better definition. For example ‘avoid waste and rework, reduce cost, etc., are described as objectives. But these are goals more than objectives. Goals are more general while objectives are more specific, measurable, attainable, realistic, and relate both to a performance target and a time-frame. See examples next.
7.3.1. General business goals: 1. Increase market share in each of our markets, 2. Improve customer satisfaction, 3. Improve company profitability, 4. Increase company sales in products ‘x’, ‘y’ and ‘z’, 5. Create better products and services, etc.
7.3.2. Business objectives: 1. Increase customer base by 3% in each year for the next 4 years, 2. Decrease of production costs by 5% in each of the next 4 years, 3. Increase revenues by 5% in each of the next 4 years.
8. Term ‘Other personnel’
This term is too general and does no justice to all involved and impacted participants in today’s business environment. It should be expanded to include employees, external service providers, joint-project staff, stakeholders, shareholders, regulators, community members.
The proposed 17 principles of the new COSO are a good base. I think 3 more principles should be added, as described below, and therefore the total should become: 20.
9.1. Control Environment (5 principles) : Principle 1 of the new COSO ‘integrity, ethical values’ should be expanded to include the following set of human factors, defined as ‘soft controls’, which include: tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, corporate attitudes, competences, leadership, employee motivation, expectations, openness and shared values, information flow throughout the organization, and emotional contracting.
9.1.1. Tone at the top: Tone at the top refers to how an organization's leadership creates the tone at the top - an ethical (or unethical) atmosphere in the workplace. Management's tone has a trickle-down effect on employees. If top managers uphold ethics and integrity so will employees. But if upper management appears unconcerned with ethics and focuses solely on the bottom line, employees will be more prone to commit fraud and feel that ethical conduct isn't a priority. In short, employees will follow the examples of their bosses.
9.1.2. Understanding of the organization by the board: The board needs to fully understand the organization they supervise and control so that they are as effective as possible in discharging their duties. This understanding involves both the internal (size, form, strategy, structure, people, policies, procedures, operating style, culture, beliefs, etc.) and external (industry, rules, regulations, market, geopolitical locations, etc.) aspects of the organization
9.1.3. Structure of reporting relationships: The structure of reporting relationships is usually depicted in an organizational chart. This chart can provide a great deal of information and may help organizational members understand the overall structure of the organization and its strategy.
9.1.4. Culture: Culture is the environment that surrounds you at work all of the time. Culture is made up of the values, beliefs, underlying assumptions, attitudes, and behaviors shared by a group of people. Culture is the behavior that results when a group arrives at a set of - generally unspoken and unwritten - rules for working together. An organization’s culture is made up of all of the life experiences each employee brings to the organization. Culture is especially influenced by the organization’s founder, board of directors, executives, and other managerial staff because of their role in decision making and strategic direction.
9.1.5. Morale: Morale is "moral principles or practice". In corporate terms it describes the capacity of employees to maintain belief in the organization they work for, or a goal set by their superiors. It refers to the level of faith of individual employees in the collective benefit gained by such performance. Managers must pay special attention in improving morale for their employees.
9.1.6. Integrity and ethical values: Integrity is the inner sense of "wholeness" deriving from qualities such as honesty, truthfulness and consistency of personal character. In a corporate environment, integrity and ethical values mean that both employees and their managers must interact with each other, in all their business activities, on the basis of integrity, honesty, truthfulness and consistency in the actions they execute, methods and measures they use to monitor performance, principles they activate, and expectations, results and outcomes they manage. Also in this regard, managers must lead by example, so that their employees follow.
9.1.7. Operational philosophy: Operational philosophy is an explicit (written) or implicit (unwritten) declaration of how a person, group or organization operates. In corporate terms, it represents how business is conducted by all levels of management in various areas, such as: investments, funding, managing employee relationships, customer transactions, regulatory authorities, risk-taking, quality, profits, ethical standards, environment, etc.
9.1.8. Trust: Trust means ‘reliance to another person or entity’. Aristotle believed that trust of a speaker by the listener, was based on the listener's perception of three characteristics of the speaker: the intelligence of the speaker (correctness of opinions, or competence), the character of the speaker (reliability - a competence factor, and honesty - a measure of intentions), and the goodwill of the speaker (favorable intentions towards the listener). In corporate terms, trust forms the foundation for effective communication, employee retention, and employee motivation and is a major contributor of the extra effort and energy that people voluntarily invest in work.
9.1.9. Ethical climate: The ethical climate of an organization is the shared set of understandings about what is the correct behavior and how all ethical issues will be handled. This climate sets the tone for decision making at all levels of the organization and in all circumstances, activities and dealings of all participants in the affairs of the company. Managers must pay special attention to ensure that they always maintain a positive and ethical climate in managing and interacting with their employees, their superiors and their customers. They may need to leave aside and amend, a little, their personal self-interest, company profit, operating efficiency, rules, procedures, etc., in order to preserve and improve this ethical climate.
9.1.10. Empowerment: Empowerment refers to increasing the spiritual, political, social, racial, educational, economic or other strength of individuals and communities. Empowerment in corporate environments for employees means three things: (1) Enabling employees to make more, better and larger-scope decisions without having to refer to someone more senior, (2) Involving employees in assuming responsibility for improving the way that things are done in their daily work activities and (3) Encouraging employees to assume a more energetic and effective role in their work. Empowering employees is carried out by senior management of organizations by giving the authority and the responsibility to employees of carrying out specific actions to achieve corporate goals and monitoring these results to ensure that these are properly done.
9.1.11. Corporate attitudes: The concept of attitude represents an individual's degree of like or dislike for something (person, place, thing, or event). In a corporate work-place attitudes play a great role in employees executing corporate tasks and achieving strategic and operational goals predetermined by senior managers. If they like the organization or their manager or the task they will perform better, in most cases. If they dislike the organization or their manager or their task they are bound to perform at a lesser degree.
9.1.12. Competences: Competence means "sufficiency to deal with what is at hand". Competence in a corporate environment is the ability, the will, the commitment, the knowledge, the skills and the dexterities of an individual to perform a job or task properly. Managers must manage and improve the competences of themselves and their employees through education, training, coaching, mentoring, etc.
9.1.13. Leadership: Leadership is "organizing a group of people to achieve a common goal". Leadership in a corporate environment is manifested in managers exhibiting traits, such as: intelligence, personal effectiveness and efficiency, high level of creativity in resolving issues and problems, adjustment, extraversion, conscientiousness, and motivation, which are used for accomplishing goals for the given corporate entity.
9.1.14. Employee motivation: Motivation is "inner or social stimulus for an action" for human beings. In a corporate environment, managers need to motivate employees to do a better job. This is achieved, according to various thinkers (Maslow, Argyris, McClelland, etc.) by using various strategies, such as: positive reinforcement, effective discipline and punishment, treating people fairly, satisfying employee needs, setting achievable work-related goals, restructuring jobs/tasks and rewarding people on job performance.
9.1.15. Expectations: Expectations is the act or process of knowing what is anticipated in a given work situation. This means that managers must consider the issue of expectations in dealing with their employees. This may be achieved by meeting with employees on a regular basis to discuss problems, issues, goals and progress. This will help employees understand the employer's expectations. Learning what interests and engages employees can help managers to distribute work in a way that promotes enthusiasm for completing tasks. Expressing confidence in each employee's ability and reinforcing past achievement is the primary key to maintaining employee motivation.
9.1.16. Openness and shared values: Openness is the quality of being open. Values represent what a person believes in. In corporate terms openness and shared values characterize an environment in which decisions are made and communicated by appreciating the opinions, skills and knowledge of all employees and by the tendency to re-examine traditional standards in order to achieve better and more beneficial results.
9.1.17. Information flow throughout the organization: Information flow throughout the organization is usually attained by both informal and formal communication systems. Formal communication is used to distribute and implement rules, policies and procedures. Managers, however, must pay attention also to informal communication as this type of communication may hinder or ensure the effective conduct of work in modern organizations.
9.1.18. Emotional contracting: All of these types of soft controls (tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, etc.), refer to the emotional contracting issue, also referred to as 'the psychological contract'. This is the crucial and powerful link between the organizational performance intent, and the motivations, values and aspirations of the people. This emotional contracting element is sometimes overlooked by organizations and managers, and that is the reason that may explain why the people have failed to do what the organization expected and asked them to do. In management and organizational theory many employee attitudes such as trust, faith, commitment, enthusiasm, and satisfaction depend heavily on a fair and balanced Psychological Contract.
9.1.19. Social accountability: Also the principle of ‘social accountability’ should be added. See standard ‘SA8000’ for more details.
9.2. Risk Assessment (4 principles): There is a major discrepancy here between the 2004 Enterprise Risk Management-Integrated Framework and the new COSO 2011 Framework. Which risk analysis model should one use? Also I think that the new principle of ‘business and IT continuity’ should be added to the new COSO. Business and IT continuity are part of Business Continuity Management (BCM) Process. This is a corporate process that identifies potential impacts that threaten an organization and its critical business functions and critical IT systems and infrastructure, and provides a framework for building resilience and the capability for an effective response and recovery which protects the interests of its key stake holders, corporate reputation and brand name and value creating activities
9.3. Control Activities (3 principles): Principle 12 of the new COSO ‘policies are effected by procedures’ needs restating. Policies define what is to be done, while procedures define how what is described in policies is to be done. But the actual effect of policies and procedures is attained by a set of human factors, defined a ‘soft controls’. See my point 9.1.
9.4. Information and Communication (3 principles): I am recommending the following additions:
9.4.1. Data governance: I am suggesting that the new principle of ‘data governance’ should be added to the new COSO. Data governance relates to developing specific procedures and controls to manage and protect corporate business files, records and data. These controls include procedures and actions for: (1) Business Record Keeping Systems, (2) Files, Documents and Records (FDR) Management Procedures, (3) Business Data Register, (4) Business Data Librarian, (5) Data Quality Monitoring Procedure, (6) Data Cleansing Controls, (7) Data Mart and Data Warehouse Controls, etc.
9.4.2. Data classification: The control of ‘data classification policy’ to categorize data according to various data privacy rules (e.g., public, confidential, sensitive and very sensitive, etc.) should also be added. The aim of this policy is to help management and staff of a corporate entity in determining what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of the specific organization without proper authorization.
9.5. Monitoring activities (2 principles): I am suggesting that Principle 17 of the new COSO ‘evaluate and communicate control deficiencies’ should be expanded to include improving controls as a separate set of activities. Also the new COSO statement ‘performance evaluation against management criteria’ should include ‘as well as industry and professional well-accepted practices and standards’.
10. Internal Control Activities
10.1. Preventive and Detective controls: The new COSO describes 2 control activities: Preventive controls and Detective controls. I think the following 3 should be added: Directive controls (vision and mission statements, policies and procedures, etc.), Compensating Controls (review, checking, auditing and monitoring actions in the absence of segregation of duties, etc.) and Corrective controls (disciplinary actions, backing up and recovering data and systems, correcting data in systems, using quality inspection techniques, etc.).
10.2. The role of the board in strategy: The new COSO states that ‘not every decision or action of management, however, is part of internal control. For example, board deciding on or approving a strategic plan is not part of internal control’. I find this statement quite problematic. Without board’s approval you are bound to have a chaotic situation, to say the least. Management should not be left alone to do as they may well please. See also my detail comments (point 6 above) why strategy, as a major issue, is important to internal control.
11. Lines of Defense
The new COSO states 3 lines of defense: Management, Business functions and Internal Audit.
I think the full lines of defense should be 5 as noted next:
11.1. First Level (Organize): 1. Board, management and committee roles, structure and responsibilities, 2. Business functions and resources, 3. Standards, policies and procedures.
11.2. Second Level (Envision): 1. Corporate culture, vision, mission and values, 2. Strategy, goals, objectives and targets, 3. Performance framework.
11.3. Third Level (Govern): 1. Strategy, 2. GRC (Governance, Risk and Compliance) controls, 3. Operational controls (purchasing, finance, IT, data, security, fraud, etc.), 4. Segregation of duties, 5. Management & compliance reporting, 6. Community involvement.
11.4. Fourth Level (Audit): 1. Monitoring controls 2. Internal audits, 3. Self-assessments, 4. External audits, 4. Regulatory audits.
11.5. Fifth Level (Augment): 1. Comparative benchmark studies by external experts, 2. Certify personnel, 3. Certify organizational components (structure, service quality, policies and procedures).
12. Performance Measures
The new COSO describes measures, rewards and incentives only. This is fine. But also I think that performance measures are only relevant when they are compared against pre-determined performance targets, while the whole process should be managed by a performance management system, which includes all of the above in an integrated and holistic way.
13. Performance and risks
The new COSO states that performance is measured in relation to objectives and the ability to manage within risks, historical (retrospective) or forward-looking (prospective). I would also add performance targets (see 12.1. above).
14. Role of board and management in performance
The new COSO states that board and management evaluate performance of individuals in relation to defined performance measures. This is fine. But also I think that performance of individuals is only relevant when it is compared against pre-determined performance targets.
15. Role of board and management in accountability for internal control
15.1. Role of board: The new COSO states that the board holds management responsible for internal control issues. This is fine. But also I think that the board itself should be held responsible to the company’s shareholders, stakeholders and regulators for their errors and omissions in all aspects of internal controls.
15.2. Role of data privacy officer: The role of a data privacy officer should also be described in the new COSO. For example, the responsibilities of a data privacy officer include the following activities: (1) Develop, initiate, maintain, and revise policies and procedures for the general operation of the Data Privacy Program and its related activities, including educating, training and coaching all participants of the organization to prevent illegal, unethical, or improper data privacy breaches, (2) Run and manage the day-to-day operation of the Program, and (3) Develop and periodically review and update Standards of Conduct to ensure continuing currency and relevance in providing guidance to management and employees on Data Privacy issues, according to the current national and local data privacy laws and practices).
16. Technology general controls
16.1. Concept of technology: The new COSO relates ‘technology general controls’ to include ‘Information Technology (IT) controls’ and ‘operational controls’. I think ‘research and development’ controls should be included in this new COSO definition. The term ‘technology’ refers to anything fabricated by humans by the use of various methods, techniques and procedures (such as: products of medicine, plant machines, air-planes, guns, toys, office machines, computers, software, development of new products, quality inspection methods, etc. It comes from Greek, technologia meaning ‘systematic treatment of an art, craft, or technique’), which includes any technology used by organizations (not only IT and operational) to survive, operate and provide new and improved services and products.
16.2. IT controls: The new COSO (see note 20) defines ‘technology general controls’ as another term for ‘general computer controls’, or ‘general controls, or ‘information technology controls’.
This is most confusing. ‘Information Technology (IT) controls’, in the IT profession, are usually are made up of two sub-types: General IT Controls, and Application Systems Controls.
16.2.1. General IT Controls relate to: IT organization, IT procurement, IT personnel management, systems development and maintenance, computerized applications operation, IT standards, IT security, IT disaster recovery planning, computer insurance, physical protection policies and procedures, access policies and procedures (data, software, files, forms, reports, facilities, firewalls, encryption, electronic mail, etc.), Data center operational controls, Health and safety policies and procedures, Data privacy controls, systems software controls, IT compliance controls, Security and Safety Controls for Personal Computers and Audit tools and methods. Most of these are covered, in some way, in the new COSO document. Data center, data privacy, systems software and personal computer controls are not covered.
16.2.2. Application Systems Controls relate to: Protection of specific application systems with embedded software code, Input Controls (Accuracy of data, Completeness of input, etc.), Processing Controls (Reasonableness checks, Functional checks, Rounding off checks, Parity checks, Sequence checks, etc.), Output Controls (Schedule checks, Distribution checks, Balancing checks, Report quality checks, Output log), Database Controls (File updated report, Critical transactions report, Application-specific access authorization, Data base health checks, etc.), Change Controls, and Testing Controls (Test Methodology, Test Plan, etc.). These are not covered, except for ‘edit’ and ‘completeness’ checks, in the new COSO document.
17. Safeguarding of assets
Information systems and corporate data should be added as assets to be protected in the new COSO.
18. Audit trail
Audit trail as a control concept is not mentioned at all in the new COSO. Audit trail is a necessary control for fraud investigation, information systems recovery and other related forensic activities.
19. Compliance measurement
The new COSO does not define how compliance may be measured and monitored. I think that adding compliance indicators may do the job.
20. Business process control activities
The new COSO equates transactions to activities. I think this is wrong. Controls on transactions and activities are, and should be, different, by definition. Controls on both transactions and activities are most important for performance, fraud, abuse and reporting aspects. Lumping them together and naming them ‘transaction controls’ distorts the picture.
20.1. Transactions: Transactions relate to products/services obtained or provided and have a direct impact on the company’s financial and performance results, and I agree on the controls suggested by COSO (verifications, reconciliations, authorizations, approvals, physical controls, controls over standing data, and supervisory controls), while I would like to add: (1) data governance controls like ‘data cleansing procedures’ should be added to ‘controls over standing data’, (2) recordkeeping controls should be added to ensure the longevity of business records and the privacy aspects of the data contained in them.
20.2. Activities: Activities may support transactions and/or relate to governance, administration, security, and personnel management issues (e.g., hiring, dismissal, review, etc.). I would like to suggest that the new COSO refer to controls on activities separately. The controls on activities may include Segregation of duties (described in the new COSO document) and the following, which are not noted in the new COSO, and I am recommending: Compensating controls, Visitors log (recording visitors on a daily basis), Daily work activities log (recording transactions processed, inquiries served, customers served, units produced, etc.), Problem logs (recording problems solved by date, description of problem, description of solution, who solved the problem, who tested the solution of the problem, etc.), Production jobs logs, Quality inspection logs, Computer runs logs (recording jobs executed per day of operation, etc.), Project progress reports, Activity monitor software, Exception reports, Vulnerability Automated Tools, Review of System Logs, etc. Reviewing and monitoring the activities prescribed by these control mechanisms will enable and facilitate management in controlling their organization and the board in their role and oversight duties.
21.1. Terms not defined: Asset, objective, system.
21.2. Compliance: The new COSO defines it as ‘having to do with conforming with laws and regulations applicable to an entity’. This applies to external compliance only. A better definition would also include the actions required to comply with internal compliance as well.
21.3. Procedure: The new COSO defines it as ‘an action that implements a policy’. A better definition would be ‘A set of actions that implement a policy’.
21.4. Risk response: The new COSO defines it as ‘the decision to accept, avoid, reduce or share a risk’. A better definition would be ‘the decision to accept, avoid, remove, prevent, exploit, defer, transfer or mitigate a risk’.
21.5. Technology: The new COSO defines it as ‘software applications running on a computer, manufacturing control systems, etc’. This term should be restated. The term ‘technology’ refers to anything fabricated by humans by the use of various methods, techniques and procedures (such as: products of medicine, plant machines, air-planes, guns, toys, office machines, computers, software, development of new products, quality inspection methods, etc. It comes from Greek, technologia meaning ‘systematic treatment of an art, craft, or technique’, according to current English etymological definitions), which includes any technology used by organizations (not only IT and operational) to survive, operate and provide new and improved services and products.
John Kyriazoglou, CICA, B.A(Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book CORPORATE CONTROLS’ (published in 3/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.
Blogs:Articles, Opinions, etc.: http://businessmanagementcontrols.blogspot.com/