COSO CubeBrian Christensen, in an article in Corporate Compliance Insights (CCI) entitled “The Updated COSO Framework: Time for a Fresh Look at Internal Control”, said that the updated 2013 COSO Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. However, it is the emphasis on the principles, which is new to the 2013 Framework. Today I want to explore in some detail the first Objection-the Control Environment.

The first of the five objectives is Control Environment. Rittenberg said this “sets the tone for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the Control Environment object are as follows:

Principle 1 – The organization demonstrates a commitment to integrity and ethical values.

Principle 2 – The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 – Management establishes with board oversight, structures, reporting lines and appropriate authorizes and responsibility in pursuit of the objectives.

Principle 4 – The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 – The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Principle 1 – Commitment to integrity and ethical values

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2 – Board independence and oversight

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

Principle 3 – Structures, reporting lines, authority and responsibility

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you should consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4 – Attracting, developing and retaining competent individuals

This Principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This Principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and, equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5 – Individuals held accountable

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorizes and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

The COSO formulation for internal controls is a key component for any best practices compliance program; whether based upon a Foreign Corrupt Practices Act (FCPA) formulation or another anti-corruption law, such as the UK Bribery Act. Moreover, as it probably the most utilized internal controls formulation under Sarbanes-Oxley 404 reporting, it should be well-known to your corporate internal controls function and therefore assessable to you as a Chief Compliance Officer (CCO) or compliance professional. In addition to the Principles listed herein the specific Points of Focus can provide to you a roadmap for testing and evidencing your compliance program in this area. You should not fail to take advantage of it.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016