As with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally.
Principle 13: Use of relevant and quality information.
Principle 14: Communicate internally.
Principle 15: Communicate externally.
Discussion. Obviously, communications must flow up and down from the Board, but also within the organization, to disseminate the appropriate compliance-related information. For this principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted: compliance obligations go out to third parties, and information in the form of compliance issues comes back from them.
Joe Howell noted, “communication internally is how you establish the communications with your sales organization, with your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.”
Three key takeaways:
- Consider the use of relevant and quality information.
- You need to document your internal communications so auditors can review the audit trail.
- This objective relates to your third-party compliance program.