To improve is to change; to be perfect is to change often.
If it is not broken why fix it? – Is this practical or a myth?
We have all heard about the theory of “survival of the fittest”, which is applicable for humans, animals and businesses. This theory has stood the test of time and demonstrates that things do not remain static but are subject to change. Businesses like Nortel, Enron, WorldCom and Adelphia did not adapt to change, ultimately failed and became extinct.
In today’s rapidly changing world it is a prerequisite for companies to be able to react quickly to change otherwise they will fall behind their competitors, loose their competitive advantage and be susceptible to take overs and at worst face bankruptcy. Unfortunately there is often resistance to change although it is necessary for survival. As Dr. Dennis O’Grady stated: “Change has a bad reputation in our society. But it isn’t all bad — not by any means. In fact, change is necessary in life — to keep us moving … to keep us growing … to keep us interested. Imagine life without change. It would be static … boring … dull.”
The concept of businesses embracing change early to increase their life cycle is illustrated in the following graph:
This graph highlights that at some point in a company’s life cycle it will forced to make decisions that will impact its future. These decisions can result from changing competition, technology, changes in demand or legislation. Which road would you like to see your business go down – the healthy business curve, the slow death or crash and burn?
Unfortunately to keep on the healthy curve this requires the company to be proactive and make suitable investments to adapt to change. In these days of economic hardship there is likely to be a mindset of “if it is not broken why fix it” because this will almost inevitably have an associated cost which may not be particularly palatable, especially during the recession. How do you justify making changes when existing processes appear to have been working satisfactorily for years?
Many may think that the Committee of Sponsoring Organizations’ (“COSO”) – Internal Control Framework introduced in 1992 still meets the needs of organizations. However this approach can be somewhat foolhardy as it does not promote continual improvement within an organization and the opportunity to add value can be missed if organizations do not adopt the new COSO Framework (2013). In simple terms adopting current best practice is equivalent to making sure that you organization meets the requirements of staying on the “healthy business curve”.
The Updated COSO – Internal Control Framework – why change?
Much has happened in the business environment since the initial Internal Control Framework (1992) was introduced. Some of the drastic changes in the business environment since 1992 are:
- Increased expectations for governance;
- Risk and risk-based approaches have received more attention;
- Increased business complexity;
- Technology has evolved dramatically;
- Internal control breakdowns including the derivatives fiascos of the 1990’s;
- Increase of political, social and financial market volatilities.
While no framework can provide all of the answers to the above there was undoubtedly a case for updating the existing framework to meet the challenges of today’s business environment.
The new COSO Internal Control Framework (2013)
What has changed?
The new framework has a number of changes including but not limited to:
- Codifying 17 principles that support the 5 components of the original internal control framework (control environment, risk assessment, control activities, information & communication and monitoring activities)
- These 17 principles have been underpinned by 77 focus points that all companies should consider when adopting a control framework. It is all good an well having an understanding of the bigger picture (the 17 principles) but this will not achieve the company’s objectives if the detailed support structures are not put in place (the focus points).
- Recognizing the increased reliance on technology. Large stand-alone mainframe environments have move to highly sophisticated, decentralized, mobile applications involving multiple real time activities. Not many people acknowledge the fact that cybersecurity attacks happen on a daily basis.
- Enhanced discussion and guidance on governance concepts
- Enhanced consideration of anti-fraud expectations (which is particularly relevant in times of recession)
- Increases the focus and more guidance on non-financial activities
The most significant change
The most significant change is the codifying of 17 principles and 77 focus points, which represent important characteristics of each principle, and in turn support the 5 control components. This information facilitates a better assessment of whether the components of internal controls are functioning and operating effectively. There is a common saying that “you cannot see the forest because of the trees”. However, this approach allows companies to look at the detail as well as the bigger picture and hence they are able to see both the forest and the trees. It therefore helps senior management see the big picture while also giving more guidance to processes owners as how to implement improvements at a process level
Without going into the detail of each of the 17 principles and the 77 points of focus, the following two tables highlight COSO’s new framework using the control environment as an example:
|KEY Control Components||# of Principles||# of Focus Points|
|Information and Communication||3||14|
|Principles||Points of Focus|
|1||The organization demonstrates a commitment to integrity and ethical values||1||Sets the tone at the top|
|2||Establishes standards of conduct|
|3||Evaluates adherence to standards of conduct|
|4||Addresses deviations in a timely manner|
|2||The Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control||5||Establishes oversight responsibilities|
|6||Applies relevant expertise|
|8||Provides oversight on Control environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities|
|3||Management establishes with the board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuant to its objectives||9||Considers all structures of the entity|
|10||Establishes reporting lines|
|11||Defines, assigns, and limits authorities and responsibilities|
|4||The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives||12||Establishes policies and practices|
|13||Evaluates competence and addresses shortcomings|
|14||Attracts, develops and retains individuals|
|15||Plans and prepares for succession|
|5||The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives||16||Enforces accountability through structures, authorities and responsibilities|
|17||Establishes performance measures, incentives and rewards for ongoing relevance|
|18||Evaluates performance measures, incentives and rewards for ongoing relevance|
|19||Considers excessive pressures|
|20||Evaluates performance and rewards or disciplines individuals|
The new COSO framework thus allows senior management a sound understanding of the principles while also providing guidance to the process owners as to points of focus that they should not omit from their assessment of their processes.
Implementation of the new framework
Many companies may not have transitioned yet to the new framework but they are missing out on its advantages as it provides fuller details and guidance while it also has kept abreast with the changes that have occurred in the business environment over the last 20 year. Ultimately it is now best practice and will help your company stay on the “healthy path” or in plain business terms make your company “Great” not just ”Good”.
Companies that currently utilize the initial framework should not find the transition a significant undertaking. However in the spirit of continual improvement this should be undertaken by all organizations as soon as practicable. Below is a table that outlines the transitioning process to the new framework:
- Step 1 – Develop Awareness, Expertise and Alignment
- Step 2 – Conduct Preliminary Impact Assessment
- Step 3 – Facilitate Broad Awareness, Training and Comprehensive Assessment
- Step 4 – Develop and Execute COSO Transition Plan
- Step 5 – Drive Continuous Improvement
The transition should be tailored to meet the needs the particular organisation. Start making the changes now as your company deserves to be the “Great” rather than “Good”.
For further discussion on this subject please contact PFC representative or e-mail: firstname.lastname@example.org or call us: +1(403) 375 9955