In its Framework Volume, COSO Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a ‘second set of eyes’ is directly enshrined in this objective. Finally, Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.
I. Objective III: Control Activities
The objective of Control Activities consists of three principles. They are:
Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”
Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”
Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”
A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”
Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”
The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.
This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”
While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.
This Objective demonstrates the inter-relatedness of the corporate functions in your organization. From a financial reporting perspective, the Control Activities objectives requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets, software to manage your process. This easily translates into the compliance realm as well. This puts you into the entire whole technology issue and portends an enormous amount of information provided by entity.
Howell explained in the financial realm, “if you’re dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have the controls over both the accumulation and the attestation required that that is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.
This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems, the technologies involved and it requires that the controls be in place both for the disclosures that you need to make for the reconciliation of that disclosure.
This Objective requires that you have new ways of capturing that information, gathering that information, confirming the accuracy and completeness of the controls reporting it. When selecs the control activities, what control activities do you need if you are using disparate accounting systems in different locations across the globe? Moreover, if you getting into the general controls over technology, what are the system controls are in place to ascertain that the new information that you’re getting is the information you really need and it’s what you think you’re getting? The Control Activities regarding the policies and procedures is certainly an important consideration going forward.
Three Key Takeaways
- Think of a second set of eyes as a primary control activity.
- Segregation of duties must always be employed.
- Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.