“The organization identifies and assesses changes that could significantly impact the system of internal control.” (COSO Principle 9 – Identify & Assess Significant Changes, COSO Framework) is the last of the four principles relating to the Risk Assessment component of internal control. Principle 9 requires active monitoring or other controls to identify changes that may impact the system of internal control and escalate them to those who must act on them. Many organizations today do not have a formal process to identify and adjust to change. According to the 2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities, “About a third of the organizations update their understanding of risks annually while an additional 24% update that understanding semi-annually or quarterly. More importantly, almost half of the organizations have no formal updating process. Given the nature of the ever-changing business environment, key stakeholders may wonder if the frequency of risk updates is sufficient.”
We compliance professionals know the frustration of working at organizations that lack a formal process to identify change, report its impact and take timely action. Helping organizations implement protective safeguards is at the core of what we do, and yet the data indicates that the majority of organizations are not effectively monitoring and managing change. The news is replete with stories of organizations unprepared for change, from the impact that technological change (fracking) has brought to US energy costs, to the recent slowdown and work stoppages at many US ports. The prepared entities exploit change at the cost of the unprepared. Hopefully, COSO’s enumeration of the identification and assessment of change as a principle that all organizations must have in place for effective internal controls provides the traction to drive improvement.
Everyday issues are a distraction that may cause changes to be overlooked. Therefore, an active process and controls to specifically identify changes to assumptions, conditions, personnel, plans, technology, the external environment and other factors must be in place and functioning. These responsibilities must be assigned to appropriate individuals (internal, co-sourced, or through service arrangements), with defined monitoring or periodic reporting enumerated in formal internal control procedures that are subject to independent assessment. An example of integrating outside experts in these controls is highlighted in a quote from the article I wrote for the October 2014 Strategic Finance magazine: “This is affirmed by Carlton Adams, senior vice president of Global Supply Chain Management at Peabody Energy: ‘At Peabody Energy, a vital part of our category strategies is risk management, whether in commodities or equipment. We leverage third-party subject matter experts in this space as their data is always current and farther-reaching than our own.’” Similarly, the legal and accounting functions must use experts or actively use services to effectively identify changes facing the entity in a timely manner. Publicly held companies can no longer rely on their external auditors for this information, especially now that internal controls assessments (SOX 302 & 404) will take place using the COSO Framework inclusive of these principles.
I’ve worked at several organizations that implemented a reduction in force (RIF). Internal audit was not consulted during the planning stage of the RIF even though many persons with internal control responsibilities were eliminated. Only after the announcement, and after these individuals were already severed from the organization, were we able to assess the impact. I cannot imagine this happening in the future without the organization being found deficient with respect to controls to satisfy Principle 9. We must bear in mind, as we assess the design of controls to satisfy Principle 4 (Commitment to Competence), Principle 5 (Enforces Accountability) and this principle, that management must assess the impact of staffing changes, especially large-scale ones associated with a RIF, and implement mitigating actions to ensure ongoing effective internal controls prior to taking such actions. Ensuring our organizations have appropriate controls and procedures to identify and assess significant change leads them to leverage compliance to exploit such change.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/