The updated COSO Framework provides a leadership opportunity for internal auditors to assess the cost effectiveness of internal controls.
“Internal control is not simply a compliance cost.”
Richard Chambers, president and CEO of The Institute of Internal Auditors (The IIA), typed that to me last week while responding to questions about the new COSO framework. I immediately thought of his point when I read New Yorker business columnist James Surowiecki’s analysis (subscription required) of the Rana Plaza factor collapse in Bangladesh: “[S]uppliers are adept at gaming the system, turning the typical audit [of a factory’s working conditions] into what [MIT Professor Richard] Locke calls a ‘ritual of compliance.’”
In the column, Locke, who has conducted loads of research on labor risks in global supply chains, also indicates that the codes of conduct (centered on safe working conditions) retailers furnish their suppliers “accomplish only a limited amount.” Surowiecki goes on to argue that the best way to prevent future Rana Plazas is via a three-pronged approach: retailers working closely with their manufacturing suppliers to improve performance and working conditions; smart regulations; and international pressure.
COSO’s updated Internal Control–Integrated Framework (Framework) falls somewhere between regulation and guidance. It’s guidance, but many companies will be required to adhere to it. Based on the initial feedback I’ve gleaned from risk management professionals, it seems safe to say that the update qualifies as a smart one.
To reflect the sweeping changes the world and its business entities have undergone in the past two decades, the updated Framework addresses increasingly complex organizational relationships, significant changes in technology, and an increased focus on governance and accountability, Chamber reports. “The updated framework emphasizes the need to tailor internal control to organizational objectives and risks across the enterprise,” he continues, emphasizing that internal control starts with objectives.
For finance, risk, compliance, internal audit and other GRC professionals, one of those objectives should be recognizing that even the most well-intentioned and expertly crafted risk and compliance program can fall victim to ritualization. When colleagues coast through GRC processes and activities in something less than an alert and mindful state, the program suffers – and, like Rana Plaza, the program can ultimately crumble.
While the trap of ritualization marks an evolutionary improvement over the “check the box” compliance trap (which we happily do not hear much about these days), it may be more difficult to overcome. After all, doing so requires devising ways to ensure that everyone remains sufficiently mindful and alert in their risk and compliance activities.
On this note, the COSO update may prove helpful. It’s a lot to digest (but not too much), and it can be leveraged to deliver a jolt of self-examination throughout risk and compliance programs.
To understand the updated Framework, Chambers suggests starting with the document’s executive summary before taking a “deep dive into the Framework, and gaining a solid understanding of the 17 principles that underpin a strong control system.” COSO is clear in its guidance that each of these principles must be present and working in concert throughout the organization.
“The updated Framework provides a leadership opportunity for internal auditors to not only assess existing internal controls, but to assess the cost effectiveness of internal controls,” Chambers explains. “Furthermore, the expanded coverage of compliance and operations provides the basis for more operational audits.”
These audits also may help drive home that, according to Chambers, “the underlying value of internal control is to assist the organization in achieving success.”