COSO Principle 17 – Evaluates and Communicates Deficiencies

A strong internal control system is designed to ensure achievement of objectives, or timely notification that objectives will not be achieved, which supports management reassessment. The procedures implemented to actuate internal controls are the “blocking and tackling” activities required to achieve objectives. Many procedures are mundane when looked at separately, but each is a necessary part of the whole internal control system. As such, there are few activities as important to achieving objectives as evaluating, communicating and addressing deficiencies.


Delivering on Peter Drucker’s Call-to-Action

The key point is that technology can actuate procedures so they are not just pages in a binder; technology can directly relate the control execution and review procedures with all the evidence of performance and review; and technology enables moving the responsibilities to lower-level workers to deliver on the “knowledge worker” productivity Peter Drucker emphasized as critical to sustained success. Economist Robert Gordon argues in his new book, The Rise and Fall of American Growth, that America’s future economy will not be nearly as bright as its past, mainly because the great improvements in productivity and living standards (e.g., electrical power, transportation, indoor plumbing) achieved in the 20th century have no such counterpart to improve productivity in the 21st century. Peter Drucker’s challenge to unleash the productivity of the “knowledge worker” presents an opportunity to achieve such productivity and lifestyle improvement gains. Executing financial, compliance, operational and strategic objectives in a consistent manner, with accountability, documentation and accessibility, is one such “knowledge worker” productivity opportunity. The best productivity comes from good technology that supports consistency, clear communication, and ease of tracking, which in turn supports moving the work to lower-skilled workers and increases productivity per dollar spent. Let’s use technology to leverage compliance and deliver on Peter Drucker’s call-to-action.


COSO Principle 16 – Performs Ongoing and/or Separate Evaluations

Monitoring must go beyond just having information and dashboards available. Having them available is not, by itself, a control. Evidence that the monitoring was performed, including conclusions that “all is well” or actions taken in response to issues, is necessary for the monitoring to qualify as a control (i.e., that it can stand up to independent review/audit). Done effectively, monitoring controls can qualify as “key” controls for SOX, replace lower-level controls and thereby reduce the amount of time spent on SOX compliance. This does not mean that the lower-level controls can be discontinued, only that a monitoring control can effectively ensure multiple controls are executed and reviewed, and these monitoring controls (many fewer) are the ones in scope for the SOX compliance audit.


COSO Principle 15 – Communicates Externally

Technology has not only greatly expanded the methods of communication but also enabled the integration of external parties into more and more critical activities of the organization. A thoughtful approach with effective monitoring can leverage technology to improve operations and predictability and reduce risk; however, leveraging the technology without an effective approach can greatly expand the risks facing the organization.


COSO Principle 14 – Communicates Internally

Technology to enable communication of objectives, expectations, roles, policy and procedures is available and essential to the modern organization. Technology to manage execution of internal controls should be viewed more broadly as technology to ensure execution against organizational objectives with effective internal controls as a consequence of execution. Cascading strategic objectives to operational and compliance objectives can be actuated in many available GRC solutions.


COSO Principle 13 – Obtain/Generate Information to Support Internal Control

Compliance teams should seek a role in developing new technology to automate and capture control-based information to improve processes and the functioning of internal control. As Paul Ford makes clear in the recently published Bloomberg Businessweek Code Issue, we must understand the technology to effectively utilize our hard-earned expertise to develop transformative solutions for our clients and/or organizations.


COSO Principle 11 – Selects & Develops GCCs

For many organizations, implementing effective technology general controls over financial reporting to satisfy the requirements of SOX was challenging. As the landscape has become more challenging due to PCI, HIPAA, Dodd-Frank, hacking/cybersecurity and other requirements, it becomes clear that financial reporting is the tail that wags the dog. Beyond financial fraud threats, it appears some of the most significant IT threats are more likely to cause financial loss through theft, fines, and other compensation, with this loss then presented in financial reports.


COSO Principle 10 – Selects & Develops Control Activities

“The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” (COSO Principle 10 – Selects & Develops Control Activities COSO Framework) is the first of the three principles relating to the Control Activities component of internal control. The COSO authors go on to […]


COSO Principle 9 – Identify & Assess Significant Changes

We compliance professionals know the frustration of working at organizations that overlook a formal process to identify change, report the impact and take timely actions. It is at the core of what we do to help organizations implement protective safeguards, and yet the data indicates that the majority of organizations are not effectively monitoring and managing change.
