New businesses or fast-growing companies may be unaware that the recent COSO changes raise the expectations of corporate behavior for all entities. As the world has changed, and business and operating environments have been impacted, the bar has been raised on internal controls and reporting objectives.
As the financial markets continue to evolve and information becomes instantaneously available around the globe, stakeholders are demanding transparency, predictability and accountability from all the organizations with which they are engaged. Unlike the days before the fall of Enron, before the economic recession of the late 2000s, and before the millennial generation, expectations are now higher with regards to how organizations behave and how information is shared.
In 2013, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued a revised internal control framework that provided further guidance for large and small companies to improve the means by which management establishes and monitors the ongoing efficiency and effectiveness of their internal control processes. While many of the tenets of the original COSO Framework (issued by the Treadway Commission in 1992) remain largely intact, the revised framework adds seventeen principles which better define the components and broaden their applicability to a variety of organizational types and sizes, as well as the underlying processes which support their strategic goals and objectives.
The newly-added principles specifically focus on governance responsibilities, information technology, and risk assessment, setting out a clear point of focus for organizations to consider during an evaluation of their internal control processes. This includes a mandate for organizations to demonstrate their commitment to integrity and ethical values, to ensure directors are independent from management, and that those directors exercise appropriate oversight. The principles expect organizations to hold persons within the organization accountable for their actions, while aiming to attract and retain competent personnel who can work to achieve organizational objectives.
The information technology additions cross over certain components, but generally suggest that organizations need to establish sufficient general and application controls over technology to support the achievement of its strategic objectives. These controls should then be used to ensure that the data generated from its technology systems is accurate, relevant, timely and useful in the decision making process. Further, the same requirements extend to data that is released outside of the organization to assist regulators, investors and other decision makers in their decision making processes.
Finally, risk assessment-related principles provide guidance relating to the organization’s performance of its own risk assessment. The principals suggest that the organization consider all significant and relevant internal and external threats including, but not limited to, fraud.
In today’s technology-driven world, all organizations must evaluate their technology risks and assess potential impacts. Cyber-attacks are a risk facing most, if not all organizations, large and small, domestic and international. As these attacks become increasingly pervasive, the need for more robust risk assessment processes becomes essential, using tools like vulnerability and penetration testing to determine the extent of potential negative exposure.
One frequently raised concern is the cost in both dollars and intellectual capital of developing and implementing a truly efficient and effective internal control regime. In order to reduce these costs, some organizations choose to outsource certain technology and/or monitoring functions. Others rely on the expertise of owners and tenured employees to contribute to the monitoring controls.
Smaller organizations are particularly sensitive to such costs and might also struggle with retaining competent professionals or independent directors. Solutions such as offering alternative work schedules and unique compensation packages can assist in this regard.
It is proven that utilization of the COSO Frameworks can help organizations achieve their strategic goals and objectives, while simultaneously enabling stakeholders to make informed and accurate decisions. Global financial markets depend on transparency to maintain their stability and growth. The global marketplace will continue to evolve as will the organizations that comprise it and the regulation that guides it. Who knows, maybe we will see a COSO 2020.