COSO Principle 8 – Consider Potential for Fraud

With President Obama weighing in with his thoughts last Friday (2/13/15) at the White House Summit on Cybersecurity and Consumer Protection (http://bit.ly/1ySH8B3), it is time for board-level conversations related to fraud risks threatening their organizations, if these conversations were not yet occurring. An integrated risk assessment process inclusive of fraud risk that occurs at both the entity and business process levels allows all of our organizations to leverage compliance for business excellence and protection of assets.

COSO Principle 6 – Specifies Clear Objectives

The auditors, accounting and compliance teams understand how the Framework will keep the organization on track and lead to successful operations, financial, compliance (and strategic) objectives. Such success requires that organizations fully adopt the Framework for all of their objectives, communicate these benefits and lead training of the non-compliance functions that have been left out of this discussion at many organizations in the past.

COSO Principle 5 – Enforces Accountability

“The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” (Revised COSO Principle 5 – http://www.coso.org/IC.htm) is the final of the five principles relating to the Control Environment component of internal control. The first four principles require a culture of compliance and a structure to enable competent employees to exercise internal control responsibilities in the achievement of objectives. This fifth principle demands consistent and fair monitoring of the activities including taking corrective actions to reinforce a culture of compliance from all stakeholders (board members, employees, partners, vendors, etc.).

COSO Principle 4 – Commitment to Competence

Competent implies not only intelligent but also appropriate. Appropriate in the sense of having the knowledge, qualifications and experience to accomplish the objectives, especially if the activities are highly specialized (e.g., accounting for income taxes, negotiating contracts). For the organization to define the appropriate skills requires specific identification of objectives and then relating policies, practices and expectations to these objectives at every level of the organization.

COSO Principle 3 – Establish Structures, Reporting Lines, Authorities & Responsibilities

Creating an appropriate structure with reporting lines and the assignment of appropriate authority and responsibility is a challenging prerequisite for appropriate internal control. There is no template or one right answer for organizational structure because the structure must support the unique objectives, geography, business lines, and culture of the entity.

COSO Principle 2 – BOD Independence & Oversight

The BOD oversight requirements extend to all five internal control components (control environment, risk assessment, control activities, information and communication, and monitoring) as well as activities that inform but are not part of the internal control system, such as setting strategic objectives for the business.

COSO Principle 1 – Commitment to Integrity and Ethical Values

“The organization demonstrates a commitment to integrity and ethical values” (COSO Principle 1 – Commitment to Integrity and Ethical Values http://www.coso.org/IC.htm) is the first of five principles relating to the Control Environment component of internal control. The most important word in this principle is “demonstrates”. For the leaders of the organization to have an effective […]

5 Myths About Compliance Programs (Myth #5)

The final myth in our series is the myth that compliance programs can be outsourced. While it is very true that a significant portion of compliance activities can and in many instances should be outsourced, the core leadership and direction of the program cannot. The ultimate responsibility for compliance lies with the executive management and, to a certain extent, the Board of Directors. The quarterly certification related to internal controls over financial reporting required by Section 302 of the Sarbanes-Oxley law is one of many explicit reminders that responsibility for the effectiveness of the compliance program cannot be outsourced. The recent trend of regulators like the SEC requiring that companies admit wrongdoing as well as pay fines (versus just paying fines in the past) is another indication that regulators, and indeed the public, are demanding more accountability. The recent NHTSA maximum fine levied against General Motors, with likely criminal charges to follow, is an example of such accountability being demanded for compliance requirements outside of those of financial reporting.

5 Myths About Compliance Programs (Myth #4)

Those of us who have spent time in internal audit have a love/hate relationship with the Sarbanes-Oxley Law (SOX). On the one hand, managers were agreeable to implementing internal controls that we felt were important all along because these now “had to be done for SOX”. On the other hand, many internal control procedures that are important but not related to financial reporting suddenly were unimportant because they were “not related to SOX”.
