Updated guide to internal control keeps you in line with ISO 9001
by Sandford Liebesman
The Sarbanes-Oxley Act (SOX) was passed in 2002 in response to scandals at Enron, Tyco International, Adelphia, WorldCom and other companies. Section 404 requires management and external auditors to report on the adequacy of the company’s internal control on financial reporting.1
Early on, guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was identified as an effective way of establishing control. The Securities and Exchange Commission (SEC) suggests using COSO when firms review their internal control system.
COSO developed the internal control integrated framework (ICIF) in 1992 in response to the savings and loan scandals in the 1980s.2 COSO is now 20 years old and is due for an upgrade to incorporate changes in the financial environment.3
Since 1992, business and operating environments have changed, and stakeholders’ expectations have evolved. In response to these changes, COSO’s revisions are designed to accomplish the following:
- Clarify the role of objective-setting.
- Include the increased relevance of technology.
- Enhance governance concepts relating to boards of directors and subcommittees, such as audit committees.
- Expand reporting categories of objectives beyond financial reporting.
- Contain more discussion of potential causes of fraud and anti-fraud expectations.
- Consider different business models and organizational structures, including outsourcing various functions of the value chain.
In addition, many organizations have expanded their reporting efforts, moving to include other types of external reporting beyond just financial reporting. If management operates in accordance with International Organization for Standardization (ISO) quality management standards, it may report publicly on its operations. For example, the entity may conduct an independent audit and report on the entity’s conformance with ISO 9001.
While changes have been made to each of the original five components of COSO, they have not changed in name:
1. Control environment
The control environment is the foundation for all other components of internal control. The board of directors and senior management establish the tone regarding the importance of internal control and expected standards of conduct. The control environment provides discipline, process and structure.4
The control environment has changed greatly in the past 20 years because of the greater complexity of business models, the expanded use of third parties and business partners, and the globalization of most industries. Because of this new complexity, transparency, operations and internal governance now extend beyond financial performance.
Risk-based programs are expected to be more robust and detailed, corporate social responsibility is more important to stakeholders, and regulatory requirements have expanded the discussion of integrity and ethical values.
In addition, the new control environment must include a commitment to competence and a clearer definition of boards of directors’ and audit committees’ roles, management’s philosophy and operating style, organizational structures, assignment of authority and responsibility, and HR policies and practices.
There are five principles applied to the control environment:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
- Management establishes—with board oversight—structures, reporting guidelines and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
2. Risk assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the organization’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within the organization’s business model that may impede the ability to achieve its objectives.5
In the past few years, organizations have increased risk-taking, as evidenced by the financial crisis that began in 2008. As the scandals of 2000 triggered the creation of SOX, the financial crisis of 2008 led to the Dodd-Frank Wall Street Reform and Consumer Protection Act.6
Dodd-Frank requires an organization to perform an expanded assessment of risks to the financial system and to make general regulatory recommendations on risks to government agencies. The result is that COSO now includes a more risk-based approach to internal control and a clearer description of how it considers risk assessment.
A pre-condition to risk assessment is the establishment of measurable objectives, as required by ISO 9001.7 Also, the revision clarifies risk assessment to include processes for risk identification, analysis and response. To protect against fraud risk, an organization must consider inadequate safeguarding of assets and corruption as part of the risk assessment process.
In the four principles applied to risk assessment, the organization:
- Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- Identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- Considers the potential for fraud in assessing risks to the achievement of objectives.
- Identifies and assesses changes that could significantly impact the system of internal control.
3. Control activities
Control activities are the actions established through policies and procedures that help ensure the execution of management’s directives to mitigate risks to the achievement of objectives. Control activities are performed at all levels of the organization, at various stages in business processes and throughout the technology environment.8
The growth of technology has been the major change affecting control activities. This includes IT and decentralized methods—such as mobile, intelligence and web-based tools—that may be operated by a third party. Today, controls are found throughout the organization, often in non-financial environments. For example, compliance with ISO 9001 requires gathering numerous sets of data to be used in decision making.
Control activities are especially important in monitoring the status of objectives and identifying impending risks. Because objectives must be measurable, controls are used to gather data for each objective that can be used to determine future efforts. The use of the preventive and corrective action tools of ISO 9001 can act as supports for the control activities of COSO.
In the three principles applied to the control activities, the organization:
- Selects and develops control activities that help mitigate risks to the achievement of objectives.
- Selects and develops general control activities over technology to support the achievement of objectives.
- Deploys control activities as manifested in policies that establish what is expected and in relevant procedures to affect the policies.
4. Information and communication
Information is necessary for the organization to carry out internal control responsibilities in support of the achievement of its objectives. Communication occurs internally and externally, and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives.9
There has been an expansion of information sources and the impact of technology over the past 20 years, including the introduction of Google, Wikipedia and social networking. Accompanying this expansion is a greater demand for information and greater requirements for quality, protection and communication.
Here again, the use of third-party service providers has expanded for internal processes such as payroll, customer relations management, data-center operations, supply chain management and manufacturing. Information and communication with outsourced entities has become critical to organizations.
In the three principles applied to information and communication, the organization:
- Obtains or generates and uses relevant quality information to support the functioning of other components of internal control.
- Internally communicates information necessary to support the functioning of other components of internal control, including objectives and responsibilities for internal control.
- Communicates with external parties regarding matters affecting the functioning of other components of internal control.
5. Monitoring activities
Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to affect the principles within each component, is present and functioning.
Ongoing evaluations built into business processes at different levels of the organization provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations and other management considerations. Findings are evaluated against management’s criteria, and deficiencies are communicated to management and the board of directors as appropriate.10
Monitoring is considered in its broader and intended context—assisting management in understanding how all components of internal control are being applied and whether the overall system of internal control operates effectively.
As part of the monitoring activities, organizations may conduct ongoing or separate evaluations. For example, the quality officer of a medium-sized manufacturing company participates in a monthly production meeting in which he obtains information regarding approval of product modifications. The quality officer’s review includes questions to identify unusual trends or anomalies, investigations and information obtained from the investigations to modify control activities that authorize other personnel to alter production terms.11
Separate evaluations are usually conducted by the internal audit function. Other means of accomplishing separate evaluations include:
- Other objective evaluations.
- Cross-operating unit or functional evaluations.
- Benchmarking or peer evaluations.
Outsourced service providers are another monitoring issue. Periodic information must be obtained to monitor activities and controls used by the service provider. Often, the organization may attain information by reviewing an independent audit or examination report.
After the evaluations are complete, the findings should be communicated to the personnel responsible for preventive or corrective action. Deficiencies that are categorized as material weaknesses, significant deficiencies, major nonconformities and some minor nonconformities should be reported to senior management and the board of directors.
In the two principles applied to the monitoring activities, the organization:
- Selects, develops and performs ongoing or separate evaluations to ascertain whether the components of internal control are present and functioning.
- Evaluates and communicates internal control deficiencies in a timely manner to the parties responsible for taking corrective action, including senior management and the board of directors.
A few more additions
The following are specific quality management inputs added to the revised COSO framework:
- Objectives must be measurable and may relate to improving quality—such as avoiding waste and rework—reducing costs and production time, improving innovation, and improving customer and employee satisfaction.
- In areas in which management operates in accordance with ISO standards for quality management, it may report publicly on its operations.
- A precondition to risk assessment is establishing measurable objectives linked at various levels of the organization.
- Setting the overall level of acceptable risk and associated risk appetite is part of strategic planning and enterprise risk management.
- Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives.
- Risk appetite is the broad-based amount of risk an organization is willing to accept in pursuit of its mission and vision.
- Examples of internal reports include results of marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction results.
- Communication to external suppliers and customers is critical to establishing the appropriate control environment.
- Communications from external parties include customer feedback related to product quality, improper charges and missing or erroneous receipts.
- Customer information on product quality may include customer feedback related to product quality, improper charges, and missing or erroneous receipts.
References and notes
- "Sarbanes-Oxley Act of 2002," July 30, 2002, www.gpo.gov/fdsys/pkg/PLAW-107publ204/pdf/PLAW-107publ204.pdf (case sensitive).
- COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, which consists of the American Institute of Certified Public Accountants, American Accounting Association, Financial Executives International, Institute of Internal Auditors and the Institute of Management Accountants. For more information, see www.coso.org.
- The COSO advisory panel recently asked PricewaterhouseCoopers LLP to develop the revision to COSO and J. Stephen McNally, the Institute of Management Accountants (IMA) representative for the ICIF, to form an IMA advisory panel to review the revision. The team included IMA COSO Board Member and Chair Emeritus Sandra Richterme. I am the quality management member on the team that helped craft the changes to COSO under public review as of March 2012, including several quality-related aspects.
- COSO, "Internal Control—Integrated Framework Executive Summary," December 2011, www.ic.coso.org/download.aspx.
- "Dodd-Frank Wall Street Reform and Consumer Protection Act," July 21, 2010, www.gpo.gov/fdsys/pkg/PLAW-111publ203/pdf/PLAW-111publ203.pdf (case sensitive).
- International Organization for Standardization, ISO 9001:2008—Quality management systems—Requirements, clause 5.4.1.
- COSO, "Internal Control—Integrated Framework Executive Summary," see reference 4.
Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, following more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an ASQ fellow and past chair of the Electronics and Communications Division, and is a member of ISO technical committee 176 and the ANSI Z-1 committee on quality assurance.