COSO was adopted in 1992 as a framework for designing, and then testing the effectiveness of, internal controls. In 2010, it was deemed necessary to update this framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. Today, I take up Objective IV, Information and Communication.
The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. With the addition of these specific objectives, the COSO 2013 Internal Controls Framework now specifically provides controls to address compliance with laws and regulations. Every compliance professional needs to understand what the COSO 2013 Internal Controls Framework requires and be able to show adherence to it, or justify an exception, if the SEC sends a letter asking for evidence of the company’s compliance with the internal controls provisions of the FCPA.
The objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to develop, create and implement policies and procedures, those policies and procedures should be communicated downward in the organization, and there should be feedback up the organization regarding this process. Further, Rittenberg notes, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”
Principle 13: Use of relevant and quality information. The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. For the CCO or compliance practitioner this means that you need to identify relevant data, which can be both internal and external. The hard part is to turn that data into actionable information. The Volume goes on to detail several categories of both internal and external information, which can be a good starting point for the sources from which management can generate “useful information to relevant internal controls.”
Principle 14: Communicate internally. This is the Principle that brings in the upward, downward and indeed horizontal action required for Information and Communication. Rittenberg notes that it relates to how information is communicated internally, but adds that “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process.”
Under this Principle you will need to determine whether the Board communicates downward so that its relevant instructions reach the CCO or compliance function, and whether the CCO or compliance function communicates upward to the Board. Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above, which is needed to ascertain that policies and procedures are effectively spread throughout an organization.
Principle 15: Communicate externally. This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites the need for companies to communicate with third parties about the relevant Code of Conduct or similar documents that might apply to them. He also points to the example of providing hotline information to a third party so that it can report any compliance related issues. But beyond a company sharing its relevant compliance information with contracted third parties, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls… and regulatory communication.”
Discussion. Obviously, there must be communication up and down from the Board, but also across an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the lines of communication to third parties. As noted, this communication can flow both ways: compliance obligations go out to third parties, and information about compliance issues comes back from them.
Information and Communication requires a wide range of information to go up and down the corporate chain. A 2014 Corporate Compliance Insight article by Ron Kral, entitled “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13”, relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program. A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success so you can bring a wide range of talents, skills and imagination to bear on this objective.
Joe Howell noted “communication internally is how you establish the communications with your sales organization, with your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.”
Join us tomorrow for Objective V, Monitoring Activities. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook 2nd edition will be available in both print and eBook editions.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2021