“The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.” (COSO Framework, Principle 12 – Deploys Control Activities through P&P) is the last of the three principles relating to the Control Activities component of internal control.  The key phrase here is “establish what is expected,” meaning defining the expectations of an appropriately trained, authorized/empowered, and qualified individual (i.e., responsibility), with consideration of timeliness, effective monitoring, and corrective actions when needed.  All of this is very reasonable to compliance professionals, who appropriately expect to assess the adequacy of, and compliance with, such P&P.  Unfortunately, we frequently find poorly developed, communicated, and/or understood P&P.


COSO Principle 12 – Deploys Control Activities through P&P

Internal control activities, while not policies or procedures themselves, must stem directly from P&P.  A control activity that does not directly relate to one, or perhaps more than one, P&P cannot, and should not, exist within an enterprise.  Per the COSO Framework this must be the case because Principle 12 states, “policies…establish what is expected,” and internal control activities are certainly an offshoot of what is expected.

P&P do not have to be codified in writing to be effective, but in a world of co-sourcing, downsizing, distributed workforces, and fluid labor markets, written P&P are more critical to the ongoing success of an entity.  Unwritten policies can be easier to circumvent or, at minimum, provide the gray area for those looking to avoid responsibility to get a “pass” if they do not fully perform what is expected.  Today’s work environment benefits from effectively written P&P that not only drive accountability by eliminating the “gray area” but, more importantly, support flexibility in the timing, location, and method of procedure execution.

Fortunately, current technology provides solutions to effectively codify, communicate, assign and monitor the execution of P&P within a framework that also supports the ongoing or separate evaluations necessary for effective monitoring controls.  Indeed, P&P establish a benchmark for external parties (e.g., internal or external auditors) to measure compliance with management’s expectations, provide their professional skepticism to effectively evaluate the P&P (i.e., the control design), and perform such reviews in a much more efficient way.  Codification and referencing of P&P to control activities drives independent assessment efficiency because the auditors will easily understand the CONTEXT of the documentation supporting control activities that they have been supplied.  All aspects of the development, communication, execution and assessment of P&P and controls are achievable in GRC database tools available on the market.

How many of us have been given an account reconciliation for supervisory review or to audit without the written procedure from which that account reconciliation was performed?  The first 10-15 minutes are spent just understanding what the reconciliation is trying to accomplish and then considering whether it achieves the goal (i.e., effective control design).  If instead the reviewer or auditor is given the accounting procedure along with the reconciliation, they can first understand the procedure and evaluate whether it is properly designed to achieve the desired control objective.  Next they review/audit the reconciliation to ensure it achieves everything codified in the procedure.  This not only supports a more effective review/audit, it also supports a more efficient review/audit, because all of the uncertainty and time spent trying to understand what the reconciliation is trying to achieve is eliminated.  This approach also separates the evaluation of the accounting procedure (the control/procedure design codified by management) from the execution of the control in accordance with the procedure by the responsible individual.  While the individual responsible for executing the control needs the knowledge and authority to effectively perform the procedure, they do not need the level of knowledge necessary to design effective control procedures.  The individual reviewing the execution of the procedure typically has this knowledge and experience, but this too is not required as long as they have the skills necessary to effectively review the work and ensure it complies with all aspects of the procedure.  Clearly segregating the design of the control/procedure from its execution leads to both continuous improvement and appropriate accountability: continuous improvement via assessment of, and clarification/improvement to, the procedure; accountability by segregating the responsibility of those designing the procedure from those executing it.

Appropriate codification and referencing of P&P to control activities (and thereby objectives) is a critical way to leverage compliance for ongoing organizational success.

About the Author

Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications, and the “Leverage Compliance” blog.  Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC, and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/