“The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” (COSO Principle 17 – Evaluates and Communicates Deficiencies, COSO Framework) is the last of the two principles relating to the Monitoring Component of internal control.  The main function of internal controls is ensuring the organization achieves its objectives.  Addressing deficiencies in a timely manner increases the possibility of achieving objectives.  As such, one would think that all organizations have excellent communication and resolution procedures for deficiencies on par with other tactical activities.  My experience is that rather than simply addressing deficiencies as quickly as possible to the benefit of the organization, the communication and resolution process becomes politicized and delayed.

COSO Principle 17 video: https://www.youtube.com/watch?v=AMHjSYuVlS4

Control Deficiencies

A strong internal control system is designed to ensure achievement of objectives, or timely notification that objectives will not be achieved which supports management reassessment.  The procedures implemented to actuate internal controls are the “blocking and tackling” activities required to achieve objectives.  Many procedures are mundane when looked at separately but each is a necessary part of the whole internal control system.  As such, there are few activities as important to achieving objectives as evaluating, communicating and addressing deficiencies.

Develop a nomenclature to categorize issues, such as Critical (could lead to material weakness), Very Important (could lead to a material weakness in combination with other deficiencies), Important (could lead to errors remaining undetected) or Efficiency/Cost Improvement (will improve processes, reduce costs or increase revenues).  Implementing a formal communication plan that identifies the parties to whom deficiencies are communicated, based on the category and the business process in which the deficiency was found, is an important factor for success.  Those in charge of the internal control assessment should receive communication for all deficiencies.  Management should assign a timetable to all issues and track issues to resolution.

Illegal or improper acts are a separate category of reportable deficiency that requires special handling.  For example, Compliance Week reported, “pharmaceutical-company AstraZeneca this week reached a $5.5 million settlement with the Securities and Exchange Commission to settle claims that it violated the Foreign Corrupt Practices Act by making improper payments to state-controlled health care providers in China and Russia.  According to the SEC’s Order,  the proceeding arose out of violations of the internal controls and record-keeping provisions of the FCPA by AstraZeneca and its wholly-owned subsidiaries in China and Russia.”  Compliance professionals know that the risk of bribery is high in China and Russia.  It appears the practice was so widespread at these AstraZeneca divisions that bribery was essentially “business as usual”.  Given these known risks, the training and controls related to bribery at these divisions should have been much more extensive.  The number of separate/independent reviews applied to these divisions should have been very high relative to less risky locations.  It is always an indication of a significant failure of the internal control system when a regulator identifies your internal control deficiencies.  The important aspect of this story as it pertains to principle 17 is that organizations need a predetermined communication plan for deficiencies that allow illegal or improper acts to go undetected.  This communication plan should include reporting the deficiency to regulators and reporting the prior period financial impact to investors.

Reporting deficiencies noted in “ongoing evaluations”, typically normal supervisory review procedures applied to controls, is an important aspect of a healthy internal control process.  This does not apply to a routine mistake but rather to a weakness in control design noted upon review.  We typically think of reportable deficiencies as arising from separate evaluations performed by internal/external auditors.  Deficiencies identified by ongoing evaluations should not be swept under the rug but formally logged, reported and remediated.  Reporting level depends on the severity of the issues as dictated by the guidelines discussed above.  Demonstrating that your internal control process identifies and corrects deficiencies is a sign of a strong and healthy process that management supports in an open and transparent way.  An organization that reports no deficiencies arising from ongoing or separate reviews is suspect for either not having a robust process or not being transparent in reporting deficiencies when they arise.  Auditors, especially external auditors, gain comfort that principle 17 is an inherent part of your process if they see evidence of the identification and remediation of deficiencies or other issues.

Report and track deficiencies as soon as they are identified by ongoing or separate evaluations.  Do not wait for a project to finish or a report to be drafted/issued.  Deficiency remediation timeliness is important.  Set a realistic timeframe for remediation and then stick to it or otherwise document the unplanned factors causing delay.  A list of deficiencies that are past due and/or have no timetable reflects poorly on your internal control process.  On-line reporting and tracking of deficiencies helps by fostering transparency and ongoing awareness of open deficiencies.  Linking on-line task assignments/responsibility to the deficiency further improves the probability that remediation is achieved within the timetable.

Keep in mind that deficiencies may arise that cannot be addressed due to limitations in IT system capabilities or staffing.  Implement additional, typically detective, controls to address the deficiency.  It may be proper to clearly define the limitation as a risk and map the detective controls as the mitigating activities.  In this way, if the limitation is addressed in the future, the related controls from the new process will map to this risk and it will become obvious that the detective control is no longer necessary.

As with any critical process at your organization, develop a feedback loop and methods for continuous improvement for your internal control process.  Communicate and resolve deficiencies with a plan ensuring all future performance of the activity utilizes the improved process.  Implement technology-based reporting and tasking tools to ensure consistent and transparent execution of the control procedures.  Reap as much value as possible from your internal control process, thereby leveraging compliance for business improvement.


About the Author

Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting LLC, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications, and the “Leverage Compliance” blog.  Glenn provides licensee compliance audits in conjunction with Licensing Compliance Group and Penetration Tests/SOC for Cyber/SOC 2/3 Assessments in conjunction with Ra Security Systems.  Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/