“The organization communicates with external parties regarding matters affecting the functioning of internal control.” (COSO Principle 15 – Communicates Externally COSO Framework) is the last of the three principles relating to the Information & Communication component of internal control.  Technology has not only greatly expanded the methods of communication but also enabled the integration of external parties into more and more critical activities of the organization.  A thoughtful approach with effective monitoring can leverage technology to improve operations and predictability and to reduce risk; however, leveraging the technology without an effective approach can greatly expand the risks facing the organization.


COSO Principle 15 – Communicates Externally

Implementing an effective and comprehensive communication methodology to acquire and disseminate information to the right internal parties in a timely manner is critical to achieving objectives.  Vendors and customer communications can identify new market opportunities, product/service defects, operating issues, errors and fraud.  They understand that your success may expand opportunities for their success.  Acquiring all the relevant information is a challenge.  Getting this information in the hands of the proper internal parties to interpret and take action is a far greater challenge.  A challenge many organizations do not face effectively.  Gathering information and then not taking appropriate action can be worse than not gathering the information at all, especially if a scandal arises along with the perception that somebody should have known because the information was available.

Consider the recent Volkswagen scandal.  Per John German, one of the WVU researchers who identified the problem, “One aspect that’s really interesting is that we turned data and report over to CARB and the EPA back in May 2014 and they discussed the problems with Volkswagen. Then in December 2014, Volkswagen issued a field fix, and they re-flashed the computers in the cars to install the field fix. A few months later they assessed, and found the defeat device was still in the field fix.”  This week, Volkswagen announced they reserved $7.3 billion to address the issue, but experts predict the cost to be in tens of billions with fines.  In the 15-16 months from the WVU report until the scandal broke in September 2015, Volkswagen failed to get this critical external information into the hands of those who could truly address the problem.  Indeed, they continued to manufacture cars with this flaw, cars that are now sitting at dealerships, unsellable until the problem is fixed.  Volkswagen needs to fix their cars, their culture and their communication infrastructure.

Integrating outsourced service providers is a current and growing trend.  They are integral to organizational success but could place the organization at risk by their actions.  Data governance is the management of data assets captured or created by the organization.  Such data ranges from trade secrets to personally identifiable information of employees/customers, to financial results, and even informal internal communication.  Recall the impact on the relationship of Universal Pictures with some of the actors starring in their films resulting from the Sony breach and related leak of e-mails and compensation information.  This leak was disastrous for Universal Pictures; however, the nature of the information leaked would not top our list of the most important information to protect.  The risk assessment related to data governance must consider the business consequences of a leak as much as the regulatory consequences.  Outsourcing extends the risk assessment to external organizations that have your information on their systems.  Finding effective methods to communicate with these external parties while protecting your data is essential.

Technology can help define and control the parameters of these external relationships and help ensure information gets to people who will assess and take appropriate actions, if needed.  Appropriate communication/collaboration/tasking technology ensures the 100% capture of desired data, the restriction of access to authorized individuals, the tracking of issues, notifications via e-mail or dashboards with escalation in case someone is not available, and the secure storage and back-up of the information.  If your organization defines/implements the technology, then you get to define the rules and thereby ensure that all the appropriate risks to your organization are addressed.  Implementation of communication/collaboration systems in the Cloud is ideal to foster ease of communication and appropriate security.  “Tony Scott, U.S. federal government CIO, says big cloud providers are just as secure as today’s largest financial institutions and advises his fellow IT leaders to embrace the cloud sooner than later.”  It is rarely the case where the most appropriate platform is also the most secure.  The cloud makes it easy to extend these systems to capture information from any source and thereby to also support whistleblower hotlines, warranty inquiries and customer complaints and handle all appropriately.  The opportunity to handle as much of the communication in a consistent manner within one database is a powerful way to ensure all communications are evaluated, addressed, secured and stored.

External communication in 2015 must include some level of engagement with social media.  This includes explicit engagement by the organization as well as training and policy related to acceptable stakeholder engagement in social media.  The possibility of unintentional or intentional leakage of proprietary information is heightened by the growth of social media.  As it relates to social media, Principle 15 requires internal controls that ensure only accurate and appropriate information is shared via social media, and that such sharing occurs in a planned and authorized manner with monitoring of the responses to postings.  Follow-up controlled responses should be made to clarify the initial communication for the benefit of external stakeholders.

Information and communication enables the achievement of objectives.  Human assets are the most costly and the most critical to achieving organization objectives.  Information and communication gives them the “why”.  Why do we do what we do?  Why is my role important to the overall goal (recall the janitor mentioned for Principle 14)?  Why are policies related to access, sharing and posting of organizational information so important?  The effective deployment of the COSO internal control framework in your organization should address the “why” and thereby empower your team to leverage compliance.

About the Author

Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog.  Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/ , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/