“The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” (COSO Principle 10 – Selects & Develops Control Activities, COSO Framework) is the first of the three principles relating to the Control Activities component of internal control. The COSO authors go on to say, “Control activities serve as mechanisms for managing the achievement of an entity’s objectives and are very much a part of the processes by which an entity strives to achieve those objectives. They do not exist…because having them is the right or proper thing to do.” (COSO Framework p. 88). Why did the COSO authors feel the need to include that last sentence in their introductory paragraph to the control activities component? I believe they recognize that the leadership of many organizations views control activities as “necessary evils” rather than what they truly are: effective ways to make sure the objectives set by these same managers are achieved or, at the very least, to provide an early warning that certain objectives will not be achieved, so that managers can “pivot” accordingly.
Selecting and developing effective control activities happens at two levels. At the entity level, establishing an appropriate organizational structure, an ethical culture, the objectives, and the identification and assessment of risk (which largely relate to COSO Principles One through Nine), together with the identification and development of control activities as a mechanism to satisfy these principles, is led by senior management with oversight from the board. At the process level, establishing policy and actuating procedures, with appropriate segregation of duties where possible, together with the identification and development of control activities carried out through those procedures, is led by business process leaders. Compliance professionals assist both groups with documenting, analyzing and improving their processes, identifying the risks to the achievement of objectives within each process, and ensuring that control procedures are adequate to mitigate those risks to desired levels. For process controls, a two-tiered approach is recommended: process controls that are preventive in nature and ideally automated, in conjunction with oversight controls that are generally detective in nature and supported by reporting. Process controls are typically transactional in nature whereas oversight controls are typically analytic. A triple match (purchase order → receiving document → vendor invoice) is a transactional control, whereas a quarterly analysis of spending by vendor, compared with prior history and with notation and follow-up on outliers, is an analytic control. Both of these control procedures belong to the procurement/accounts payable process.
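The two tiers described above, as an added illustration written for this edit rather than code from the original post: a preventive, automated triple match that blocks an invoice unless purchase order, receipt and invoice agree, and a detective quarterly vendor-spend analysis that flags outliers for follow-up. The purchase orders, receipts, invoices, spend history, tolerance and z-score threshold are all constructed sample values, not figures from the post.

```python
from statistics import mean, pstdev

# Constructed sample records for one purchase order and its receiving document.
PURCHASE_ORDERS = {"PO-100": {"vendor": "Acme", "qty": 10, "unit_price": 25.0}}
RECEIPTS = {"PO-100": {"qty": 10}}

# Constructed quarterly spend by vendor: prior four quarters, then the current quarter.
SPEND_HISTORY = {"Acme": [10000, 10500, 9800, 10200], "Globex": [5000, 5100, 4900, 5000]}
CURRENT_QUARTER = {"Acme": 10300, "Globex": 9000, "Initech": 700}


def three_way_match(po_id, invoice, tolerance=0.01):
    """Preventive transactional control (tier one): an invoice is released for
    payment only when it agrees with the PO and the receiving document on
    vendor, quantity and amount (within a 1% price tolerance, an assumption)."""
    po, rcpt = PURCHASE_ORDERS.get(po_id), RECEIPTS.get(po_id)
    if po is None or rcpt is None:
        return False, "no matching purchase order or receiving document"
    if invoice["vendor"] != po["vendor"]:
        return False, "vendor on invoice differs from vendor on PO"
    if invoice["qty"] > rcpt["qty"]:
        return False, "invoiced quantity exceeds quantity received"
    expected = invoice["qty"] * po["unit_price"]
    if abs(invoice["amount"] - expected) > tolerance * expected:
        return False, f"amount {invoice['amount']:.2f} outside tolerance of {expected:.2f}"
    return True, "matched"


def vendor_spend_outliers(history, current, z_threshold=2.0):
    """Detective analytic control (tier two): compare current-quarter spend per
    vendor with prior quarters and flag vendors whose spend deviates by more
    than z_threshold standard deviations, or that have no history at all."""
    flagged = {}
    for vendor, spend in current.items():
        prior = history.get(vendor, [])
        if len(prior) < 2:
            flagged[vendor] = "no prior history; new or dormant vendor"
            continue
        mu, sigma = mean(prior), pstdev(prior)
        if sigma == 0:  # flat history: any change at all is worth a look
            if spend != mu:
                flagged[vendor] = f"spend {spend} differs from constant prior {mu:.0f}"
            continue
        z = (spend - mu) / sigma
        if abs(z) > z_threshold:
            flagged[vendor] = f"z={z:.1f} against prior mean {mu:.0f}"
    return flagged
```

The transactional control stops a single bad payment before it happens; the analytic control catches patterns (a vendor whose spend jumps, a vendor with no history) that no individual match would reveal, which is why the post pairs the two.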
What explains the resistance of many organizations to embracing control activities as the best means of ensuring execution of the plans they set? “Research shows that a strong commitment to internal control is a matter of company priority, not a matter of resources.” (Journal of Accountancy 03/07) I’ve worked for medium-sized entities with an alarming lack of sophistication in planning, forecasting and budgeting. As these activities are a precursor to setting many of the objectives for the enterprise, the lack of sophistication of the internal controls process is no surprise. Perhaps more precisely, the lack of commitment led to an attitude of leaving the internal controls to the “compliance teams”, which gets right to the point COSO makes about not viewing control activities as just “the right thing to do”. “Accountability” may be another factor. A well-designed internal control process drives accountability. The best employees welcome and thrive in such an environment, but unfortunately there are many employees who seek the “grey areas” that allow them to avoid accountability. Could this be the reason many organizations do a poor job of developing and implementing formal policy and procedures? How many of us have been in a meeting with an executive or process manager and seen their eyes glaze over when we discussed needed improvements to policy and procedure, as if this were a complete waste of time? How can an enterprise possibly “manage the risks to the achievement of objectives to acceptable levels” without control procedures informed by mature policy and procedures? It seems the COSO authors are well aware that this unfortunate lack of commitment to internal control exists at many organizations. Hopefully, a renewed focus on control procedures in light of the COSO principles will make a strong commitment to internal control the priority needed for organizations to leverage compliance to achieve their objectives.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/