Next, consider what COSO says about assessing compliance internal controls. In its Illustrative Guide, COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two overarching requirements that can only be met through such a structured post. First, each of the five components is present and functioning. Second, the five components are “operating together in an integrated approach.” One of the most critical features of the COSO 2013 Internal Controls Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls.

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not include, at a minimum, the categories of policies laid out in the 2020 FCPA Resource Guide, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

Three key takeaways:

  1. A new revenue recognition standard has become effective. What have you done from the compliance perspective?
  2. This new revenue recognition standard is much more judgment-based, and when a standard is more judgment-based, there can be more room for manipulation.
  3. Compliance internal controls now can also be used to gather the information which will be presented to auditors under the new rev rec standard.