
Vienna Based International Organization’s Finance Network www.myorgbio.org

2018-12-05 P. 1 of 20

COSO—A Primer and

Discussion on:

“Is COSO Pragmatic”

Vienna Based International Organizations

Finance Community of Practice

December 2018

Frank Potter, CMA/CPA (Canada), MBA

based on Original Research, Thinking and Other Thoughts available:

WWW.MYORGBIO.ORG


What the Heck is COSO Exactly Anyway?

The Framework Provides:

Means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function.

A Principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels.

Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate.

A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on antifraud.

An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives.

An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing the risks to achieving the entity's objectives.

External stakeholders are provided Greater Confidence in:

Oversight by the board or equivalent

Objective achievement

Risk management

Definition of Internal Control: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Geared to the achievement of objectives in one or more separate but overlapping categories—operations, reporting, and compliance;

Operations Objectives—effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.

Reporting Objectives—internal and external financial and nonfinancial reporting. Reporting objectives may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity's policies.

Compliance Objectives—Adhering to the laws and regulations to which the entity is subject.

Internal Control and the Management Process: Internal control is part of management's overall responsibility, but not everything management does is part of internal control:

Making strategic decisions impacting the entity's objectives is not part of internal control.

Setting the overall level of acceptable risk and associated risk appetite is part of strategic planning and enterprise risk management, not part of internal control.

Setting risk tolerance levels in relation to specific objectives is also not part of internal control.

http://myorgbio.org/coso-introduction


COSO: 3 Objectives > 5 Components > 17 Principles > 87 Points of Focus

Three Lines of Defense Model (figure: The Three Lines of Defense in Effective Risk Management and Control). The Governing Body / Board / Audit Committee and Senior Management sit above the three lines; the Regulator and the External Auditor sit outside them.

1st Line of Defense: Management Controls; Internal Control Measures

2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Inspection; Compliance

3rd Line of Defense: Internal Audit


What the Heck is COSO Exactly Anyway?

Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

Risk Assessment: Dynamic and iterative process for identifying, analyzing and managing risks.

Control Activities: Established by policies and procedures to ensure management directives are carried out.

Performed at all levels and various stages within business processes and the technology environment.

Information and Communication: Internally and externally, the organization provides the information needed for day-to-day controls.

Enables personnel to understand their responsibilities and their relationship to objective achievement.

Monitoring Activities: Ongoing evaluations, separate evaluations, or a combination.

Used to ascertain whether internal control is present and functioning.

Findings are evaluated and deficiencies are communicated in a timely manner.

COSO Cube Component Principles:

1. Demonstrates integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structures, authority & responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and assesses significant change
10. Selects and develops control activities
11. Selects and develops technology controls
12. Deploys through policy and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


ID Name: Description

1 Demonstrates integrity and ethical values: The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.

2 Exercises oversight responsibility: The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.

3 Establishes structures, authority & responsibility: Board and management consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support objectives.

4 Demonstrates commitment to competence: Policies and practices reflect expectations of competence necessary to support the achievement of objectives.

5 Enforces accountability: Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action, as necessary.

6 Specifies suitable objectives: Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.

7 Identifies and analyzes risk: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8 Assesses fraud risk: The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

9 Identifies and assesses significant change: Management develops approaches to identify significant changes in any material assumption or condition that have taken place or will shortly occur; to the extent practicable, these mechanisms are forward-looking, so an entity can anticipate and plan for significant changes.

10 Selects and develops control activities: Control activities are established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities serve as mechanisms to achieve objectives; they may be preventive or detective and encompass manual and automated activities; control activities support one or more of the operations, reporting, and compliance objectives.

11 Selects and develops technology controls: Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.

12 Deploys through policy and procedures: Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.

13 Uses relevant information: A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives.

14 Communicates internally: A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.

15 Communicates externally: Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, financial analysts and other external parties.

16 Conducts ongoing and/or separate evaluations: Monitoring assesses whether each of the five components of internal control and relevant principles is present and functioning; it identifies and examines expectation gaps relating to anomalies and abnormalities, which may indicate one or more deficiencies in an entity's system of internal control.

17 Evaluates and communicates deficiencies: Management and the board assess results of ongoing and separate evaluations.


ID Point of Focus Name

PF001 Sets the tone at the top

PF002 Establishes standards of conduct

PF003 Evaluates adherence to standards of conduct

PF004 Addresses deviations in a timely manner

PF005 Establishes oversight responsibilities

PF006 Applies relevant expertise

PF007 Operates independently

PF008 Provides oversight for the system of internal control

PF009 Considers all structures of the entity

PF010 Establishes reporting lines

PF011 Defines, assigns, and limits authorities and responsibilities

PF012 Establishes policies and practices

PF013 Evaluates competence and addresses shortcomings

PF014 Attracts, develops, and retains individuals

PF015 Plans and prepares for succession

PF016 Enforces accountability through structures, authorities, and responsibilities

PF017 Establishes performance measures, incentives, and rewards

PF018 Evaluates performance measures, incentives, and rewards for ongoing relevance

PF019 Considers excessive pressures

PF020 Evaluates performance and rewards or disciplines individuals

PF021 Reflects management’s choices

PF022 Considers tolerances for risk

PF023 Includes operations and financial performance goals

PF024 Forms a basis for committing of resources

PF025 Complies with applicable accounting standards

PF026 Considers materiality

PF027 Reflects entity activities

PF028 Complies with externally established standards and frameworks

PF029 Considers the required level of precision

PF030 Reflects entity activities

PF031 Reflects management’s choices

PF032 Considers the required level of precision

PF033 Reflects entity activities

PF034 Reflects external laws and regulations

PF035 Considers tolerances for risk

PF036 Includes entity, subsidiary, division, operating unit, and functional levels

PF037 Analyzes internal and external factors

PF038 Involves appropriate levels of management

PF039 Estimates significance of risks identified

PF040 Determines how to respond to risks

PF041 Considers various types of fraud

PF042 Assesses incentive and pressures

PF043 Assesses opportunities

PF044 Assesses attitudes and rationalizations

PF045 Assesses changes in the external environment

PF046 Assesses changes in the business model

PF047 Assesses changes in leadership

PF048 Integrates with risk assessment


PF049 Considers entity-specific factors

PF050 Determines relevant business processes

PF051 Evaluates a mix of control activity types

PF052 Considers at what level activities are applied

PF053 Addresses segregation of duties

PF054 Determines dependency between the use of technology in business processes and technology general controls

PF055 Establishes relevant technology infrastructure control activities

PF056 Establishes relevant security management process control activities

PF057 Establishes relevant technology acquisition, development, and maintenance process control activities

PF058 Establishes policies and procedures to support deployment of management’s directives

PF059 Establishes responsibility and accountability for executing policies and procedures

PF060 Performs in a timely manner

PF061 Takes corrective action

PF062 Performs using competent personnel

PF063 Reassesses policies and procedures

PF064 Identifies information requirements

PF065 Captures internal and external sources of data

PF066 Processes relevant data into information

PF067 Maintains quality throughout processing

PF068 Considers costs and benefits

PF069 Communicates internal control information

PF070 Communicates with the board of directors

PF071 Provides separate communication lines

PF072 Selects relevant method of communication

PF073 Communicates to external parties

PF074 Enables Inbound Communications

PF075 Communicates with the board of directors

PF076 Provides separate communication lines

PF077 Selects relevant method of communication

PF078 Considers a mix of ongoing and separate evaluations

PF079 Considers rate of change

PF080 Establishes baseline understanding

PF081 Uses knowledgeable personnel

PF082 Integrates with business processes

PF083 Adjusts scope and frequency

PF084 Objectively evaluates

PF085 Assesses results

PF086 Communicates deficiencies

PF087 Monitors corrective actions


Criticisms of the COSO Framework

There you have it, the COSO framework... so what are you waiting for? Go ahead and implement it. While conceptually brilliant and a very good start, the framework has received criticism for a number of reasons, including the following:

Mechanistic View of Organizations. An underlying assumption of the COSO framework is a large corporate structure in which the board commands and the workers at the bottom execute. There is nothing particularly wrong with this model, other than that organizations are increasingly moving away from it. For example, how do you manage internal control in a virtual organization, or account for corporate structures that push accountability down as far as possible? Another example is the suggestion that culture and organizational tone are entirely a function of the board or senior management rather than a large set of interactions among staff, contractors and, of course, customers.

Overly Complex. The COSO framework suggests that a control is a function of 3 Objectives x [5 components, composed of 17 principles and 87 Points of Focus] x the complexity of the organization. This is a LOT of data points and measurement factors to consider.

Not Practical. A consequence of this complexity is the practicality of the framework. A CFO is hard pressed to implement controls and then show a sequential evidence chain from a particular control mapped up to the framework.

No Review, Revision, Retirement or Continuous Improvement. There is almost no focus whatsoever on sustaining, improving and retiring controls. Thus once a control is put into place it is almost a statement of gospel, unchangeable, as opposed to being simply a tool for management to achieve its objectives. Like any tool, internal controls periodically need to be sharpened, maintained and retired.

Overly Accountant and US Focused. COSO is too much a document of its circumstances, reacting to fraud and misdeeds, rather than helping the majority of organizations build better organizations. Personally I think that COSO could benefit from some globalization (e.g. add a Canadian, UK or Singapore accounting organization to its ranks) and from a non-academic roster (perhaps also add a trade union as a sponsoring organization).

Too Audit Focused. A continuation of the above, but is the last line of defense really the auditor or the regulator? To me the last line of defense is the shareholder or the citizen. The auditor is simply a service function, a bridge between these stakeholders and the management of the company. COSO over-inflates the importance of the audit function.

Re-Draw the 2nd and 3rd Line of Defense Blocks. Okay, this one is a bit nit-picky, but if you go back to the lines of defense diagram above, I would draw the lines of defense more proportionally. Of course the problem is that the first line should then be drawn at, say, 90% of the real estate, with the second coming in at 9.9% and internal audit the nominal remainder. Nevertheless, how about a 50%, 40% and 10% ratio at least?

No Usable List of Controls. For all of its focus on control activities, exactly what are the control activities that can be used, and what are the cost/benefit, effectiveness and maintenance considerations of each control? Such a publicly available list would be a great service to the larger accounting community (and an excellent topic for the next blog!).

The Principles are an Excellent Start but Seem Incomplete. In the 2013 COSO update, 17 principles were added, each having Points of Focus. The principles are generally very good, but the problem with a list is that it is never complete. Somehow 17 seems too few and too incomplete; nevertheless, an excellent start.

http://myorgbio.org/coso-introduction


A Comprehensive ('ish) List of Controls

Governance & Oversight Controls: establishing the organizational values and structures to monitor, motivate and manage control.

Preventive controls: prevent an entity from failing to achieve an objective or address a risk.

Detective controls: discover when an entity is not achieving an objective or addressing a risk before the entity's operation has concluded.

Corrective Actions: the oversight body or management oversees the prompt remediation of deficiencies in a control by communicating and delegating authority to the appropriate level of the organizational structure.

A hard control is tangible, often physical (even in a digital sort of way), and generally easier to understand. Structure, reconciliations, policies, etc. are all examples of a hard control. A soft control is intangible, more informal and often a cultural or social norm. Where it exists it is more effective than a hard control, but when corrupted it may result in actions that are harder to detect. Trust, culture, integrity and competence are examples.

# Control

1 Demonstrated commitment to integrity and ethical values

2 Board Independence.

3 Establish structures, reporting lines, authorities and responsibilities

4 Commitment to a Competent Workforce

5 Hold People Accountable (COSO Principle 5)

6 Specify Objectives (COSO Principle 6)

7 Selects and develops general controls over technology (COSO Principle 11)

8 Manage, Monitor, Review, Revise and Retire Controls (COSO Principle 0)

9 Authorization Limits

10 Review and approval

11 Manage or Eliminate Related Party Transactions

12 Manage Significant Project or Operational Change

13 Reconciliations

14 Segregation of duties

15 Digital Security over Assets

16 Standardized Documentation

17 Master Data Record Management

18 Competitive processes for purchases, contracts and hiring staff

19 Confidentiality Agreement for Staff and Contractors

20 Physical Audits

21 Implement Whistle Blower Protection and Processes

22 Management of Financial Statement Estimates


COSO—Mind the Gap

Overall the framework does a good job describing the top of internal control: things such as ethics, board accountability, good information systems, etc. However, when the framework gets closer to defining exactly what an 'internal control' is, how many controls you should have and what processes they should be controlling, it goes silent. Instead it simply points to management and says: "take care of all those icky bits".

On the one hand, that is reasonable given the diversity of organizations and situations. After all, COSO is a framework and is not meant to be prescriptive. The little help COSO does provide (e.g. the 'illustrative tools') shows the organization's audit DNA: the assessment tools look more like an auditor's working paper than a dynamic, real-time tool to be used by management.

Examples of the missing middle bits are well known: the ISO 9000 standard on quality management, the practices recommended by Business Process Management organizations, or even best practices in planning at the strategic, tactical and operational levels.

All is Not Lost

Despite the gap between the top-down view of COSO and the management chasm at the bottom, all is not lost. Firstly, COSO encourages organizations to add Points of Focus to better align the framework to the organization. If necessary, an organization can even add an additional principle to the original 17 in the framework. These additions or adaptations are the most important A-HA of this course. COSO is a framework and not a standard. It is a starting point that organizations can adapt to fit their specific circumstances.

As a final thought, it would be interesting if CPA-Canada modified the course or, even better, produced an international version that transcends the American context found in COSO. In other words, just like the flexibility of the underlying framework, stretch the course to fit a wider variety of circumstances.

http://myorgbio.org/coso-mind-the-gap


A Practical Overview of a Practical COSO

Internal Control Belongs to Management Not the Auditors

COSO is a Framework, NOT a Standard

Surprise: Internal Control is About Planning, Process and People!

DIY Organizational Definition

DIY Points of Focus

Measuring a Point of Focus: Weight, Target & Current State

Ta Dah, a COSO-Metric – Results May Vary

COSOPS, COSO for the Public Sector

Control in a Bigger Context—MCEF

Internal Control Belongs to Management Not the Auditors

Definition of internal control: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

In this definition ("reasonable assurance") you can see COSO's audit and accounting firm pedigree. This is not surprising given that COSO was developed in response to the abject failure of auditors and management to detect, prevent and mitigate massive frauds and business scandals. As a result, COSO has a strong accountant/auditor flavour.

However, it is the "entity's board" that owns internal control, full stop. Okay, the board delegates to management, full stop. Okay, the board, management and other personnel, stop. Okay, the board, management, employees and outsource providers, can we please stop? Okay, just one more: shoehorn in the auditors (internal or otherwise). Okay, I am going to take my tongue out of my cheek long enough to point out that the auditors were the last in that long parade of responsibility. Auditors have an important role to play in internal control, but this role is definitely reasonable assurance and not accountability or responsibility.

COSO is a Framework, NOT a Standard

Now that we know who is responsible, a reminder that COSO is a framework and not a standard. This means that the board/management (with the support of the above parade) can change and adapt it to fit the organization, and this is something that COSO encourages. Organizations can add principles and Points of Focus to better match the framework to the organization.

87 Points of Focus, How are They Working Out for You?

Introduced in the updated framework, Points of Focus are intended to help design, implement, maintain and (potentially) measure internal controls. There are 87 Points of Focus, which help to represent important features of the principles and thus the 5 components.

While 87 things seems like a lot, this is also where the greatest practicality for COSO can be achieved: by looking at them as measurement points, or by building your own Points of Focus!


Surprise: Internal Control is About Planning, Process and People!

While COSO sees the 87 Points of Focus in a hierarchical structure ending with the 5 components, they can also be mapped to other criteria. For example, the following is a mapping to the 7 P's [1]:

1. Purpose: is there a consistent and widespread understanding of what the organization does?

2. People: does the organization have the people (adeptness) capacity to carry out organizational objectives?

3. Process & Plant: do the people have the right operational knowledge to operate the systems?

4. Product: does the organization have a product or service that the market/society wants?

5. Planning: does the organization know how to do operational and tactical planning?

6. Power: does the organization have the material resources as well as the strategic and leadership capacity?

7. Pivot (or Risk Tested): how can the above be used to support reporting and risk management?

The top 3 things that organizations can do to improve their internal controls, according to the above mapping, are:

1. Improve their operational and tactical planning.

2. Improve their processes and plant (no surprise here).

3. Improve their relationship with their employees.

Control Overview

The 17 Principles or the 87+ Points of Focus provide a pretty good set of milestones to assess the control-worthiness of an organization. As a result, a worthwhile exercise is to scan the organization at a high level, evaluating each of the points. The International Fund for Agricultural Development (IFAD) has done this by taking each Principle and asking the question, how are we doing? (Internal Control-Integrated Framework Application of Principles in IFAD, December 2015).

The result is a lengthy document that nevertheless is pretty compelling evidence of a strong control environment. Such a scan can be easily 'gamed', so it is important that it is further tested and measured.

Points of Focus mapped to the 7 P's (ARM criteria):

ARM Criteria (7Ps)    Count
1. Purpose            2
2. Power              11
3. Product            1
4. People             19
5. Process/Plant      24
6. Planning           29
7. Pivot              1
Grand Total           87


Organizational Definition (Kudos to Helen BC for this idea) While each of the Points of Focus has its own definition, describing it in the context of the organization will help to make COSO more practical to the organization. Building on the IFAD example provided above, compare the Point of Focus definition to a possible IFAD interpretation [*note, written by me for illustrative purposes].

DIY Points of Focus Want to hear a COSO secret when it comes to Points of Focus you can (and should) add your own. I can think of five that most organizations should include:

Create and Nurture a Planning and Execution Culture: returning to the definition introduced above, achieving objectives implicitly means that an organization has identified what the objectives are (planning) and then applied resources to complete them (execution). Particularly important in the public sector, this culture of Plan, Do, Act and Check requires a supporting culture, leadership and structures.

Establishes Strategic and Tactical Objectives: Part of a planning and execution culture is establishing the bigger picture goals to achieve. While these Objectives are central to the 17 COSO principles, a Point of Focus to create them is missing. A note on terminology, I am using the following definitions for things like Strategic, Tactical, Operations, etc.

Product/Service Catalog: The strategic objectives say go and build widgets! If you are in the public service it is go and execute public policy! Both services and goods though are made up of externally and internally provided goods and services. This logistical and governance structure was defined in the Porter’s Value Chain and is the focus of this Point of Focus. Thus producing financial statements is a product produced to meet a regulatory compliance requirement.

Business Process catalog: A catalog of business process which a (sub) entity uses to deliver products or services (and as defined in the above Product/Service Catalog). Business processes need only be defined down to the level practical and recognizing that there is often a lot of judgement and skill used by staff that will never make it to a procedure (for more on this see my blog Documentation is a Waste of Time).

Control Lifecycle: controls are end-dated, pruned and re-affirmed in a systematic manner. Products, business processes and controls should all have a best-before date, and their continued existence should be overtly confirmed by management as adding value.

Point of Focus: 1. Sets the Tone at the Top

COSO Definition: The Executive Board and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.

IFAD Interpretation*: IFAD board and management live Tone at the Top by constantly demonstrating IFAD’s 4 core values and adhering to our code of conduct.


Measuring a Point of Focus: Weight, Target & Current State

Although the Points of Focus were intended to be enablers, they can also be used to direct and help management focus on troublesome areas. There are two proposed measures (Weight & Maturity) which can be applied to each Point of Focus:

1. Weight: How important is the Point of Focus to the Organization? A scale of 0-5, with 5 being very extreme and 0 not applicable. While it is tempting to make everything a ‘5’, the total score should not exceed an average of 3 (medium), or about 270-350. Weighting descriptions are provided below.

2. Maturity Scores: How relatively mature is the organization with respect to this Point of Focus? The scale runs from 0-5, with 0 being non-existent and 5 optimized. Maturity is considered from a Target position, where the organization wants to be in a defined time period (e.g. 1 year), and a Current Status. The definitions of the maturity levels are found below.

Maturity – Target: The ideal maturity for this Point of Focus for the organization. In a perfect world, everything is a 5; the cost to sustain this level for all control areas would not be worth the benefits. Set a realistic overall maturity target to measure the self-assessment against.

Current Status: An assessment of the current status to be compared to the target status. A self-assessment is one method of doing this and, depending upon the Point of Focus, can be done by different groups with different separate or overlapping perspectives. Because of the inclination to ‘game this number’, it can be kept confidential. Independent measurement is possible through anonymous surveys, third-party evaluators or auditors.

The Current Status can either focus on year-over-year comparability or on targeting different aspects of the Points of Focus. While year-over-year is appealing to accountants, targeting different problem areas is probably of greater value to the organization.

Ta Dah, a COSO-Metric – Results May Vary

The result of such a weighting and evaluation can be a dashboard such as the following from a fictitious Vienna Based International Organization (VBIO). Because this organization is focusing on establishing a basic control environment, the weight for the current year is on the first two COSO components. This does not mean the others are not important; it simply helps to focus resources (see Next Page).

In the above example, the organization has set itself an overall Control Target of 417 against a current self-assessed score of 250. Most of the improvement is to come in the COSO component areas of Risk Assessment and Control Activities. In other words, to significantly improve the overall internal control environment of this organization, the most dramatic impact can be achieved by focusing on these areas.
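To make the Weight x Maturity metric concrete, here is an added worked example (not the author's dashboard, and not any organization's real assessment). It assumes a scoring rule the page only implies: each Point of Focus scores weight times maturity, summed per COSO component and overall, once for the Target maturity and once for the Current Status. The Points of Focus, weights and scores below are constructed; entries marked "placeholder" stand in for Points of Focus the page does not discuss. The example also applies the two caveats from the text: a weight of 0 means not applicable and is excluded from the average, and the average weight of the applicable points is checked against the suggested ceiling of 3.

```python
"""Aggregate a Weight x Maturity self-assessment into a COSO-style dashboard.

Added illustration: the scoring rule (weight * maturity per Point of Focus,
summed per component) and all figures are assumptions, not the page's data.
"""
from dataclasses import dataclass

WEIGHT_LABELS = {0: "Not-Applicable", 1: "Nominal", 2: "Low",
                 3: "Medium", 4: "High", 5: "Extreme"}
MATURITY_LABELS = {0: "Non-existent", 1: "Informal", 2: "Documented",
                   3: "Standardized", 4: "Integrated", 5: "Optimized"}
COMPONENTS = ("Control Environment", "Risk Assessment", "Control Activities",
              "Information and Communication", "Monitoring Activities")


@dataclass(frozen=True)
class PointOfFocus:
    component: str
    name: str
    weight: int    # 0-5; 0 = not applicable, excluded from the average-weight check
    target: int    # 0-5 maturity the organization wants within the planning period
    current: int   # 0-5 self-assessed maturity today

    def __post_init__(self):
        if self.component not in COMPONENTS:
            raise ValueError(f"{self.name}: unknown component {self.component!r}")
        for field in ("weight", "target", "current"):
            value = getattr(self, field)
            if not 0 <= value <= 5:
                raise ValueError(f"{self.name}: {field} must be 0-5, got {value}")

    @property
    def target_score(self) -> int:
        return self.weight * self.target

    @property
    def current_score(self) -> int:
        return self.weight * self.current


def component_scores(points):
    """Return {component: (target, current, gap)} for every COSO component."""
    table = {c: [0, 0] for c in COMPONENTS}
    for p in points:
        table[p.component][0] += p.target_score
        table[p.component][1] += p.current_score
    return {c: (t, cur, t - cur) for c, (t, cur) in table.items()}


def overall_scores(points):
    """Return (target, current, gap) summed across all Points of Focus."""
    target = sum(p.target_score for p in points)
    current = sum(p.current_score for p in points)
    return target, current, target - current


def average_weight(points):
    """Mean weight over applicable points (weight > 0); the page suggests keeping this near 3."""
    applicable = [p.weight for p in points if p.weight > 0]
    return sum(applicable) / len(applicable) if applicable else 0.0


def weight_within_guidance(points, max_average=3.0):
    """True when the weights have not all been inflated towards 5."""
    return average_weight(points) <= max_average


def biggest_gaps(points, n=2):
    """Components ordered by target-minus-current gap, largest first."""
    ranked = sorted(component_scores(points).items(),
                    key=lambda kv: kv[1][2], reverse=True)
    return [component for component, _ in ranked[:n]]


def render_dashboard(points) -> str:
    """Plain-text dashboard: one line per component plus the overall totals."""
    lines = [f"{'Component':32} {'Target':>6} {'Current':>7} {'Gap':>4}"]
    for component, (t, c, gap) in component_scores(points).items():
        lines.append(f"{component:32} {t:6} {c:7} {gap:4}")
    t, c, gap = overall_scores(points)
    lines.append(f"{'OVERALL':32} {t:6} {c:7} {gap:4}")
    verdict = "ok" if weight_within_guidance(points) else "above guidance, prune weights"
    lines.append(f"average weight of applicable points: {average_weight(points):.2f} ({verdict})")
    return "\n".join(lines)


# Constructed sample assessment for a hypothetical organization.
SAMPLE = [
    PointOfFocus("Control Environment", "Sets the Tone at the Top", 5, 4, 2),
    PointOfFocus("Control Environment", "Planning and Execution Culture (DIY)", 4, 3, 1),
    PointOfFocus("Risk Assessment", "Establishes Strategic and Tactical Objectives (DIY)", 5, 4, 1),
    PointOfFocus("Risk Assessment", "Risk Assessment placeholder", 3, 3, 1),
    PointOfFocus("Control Activities", "Control Lifecycle (DIY)", 3, 3, 0),
    PointOfFocus("Control Activities", "Business Process Catalog (DIY)", 3, 3, 2),
    PointOfFocus("Information and Communication", "Information placeholder", 2, 2, 2),
    PointOfFocus("Monitoring Activities", "Monitoring placeholder (not applicable)", 0, 0, 0),
    PointOfFocus("Monitoring Activities", "Monitoring placeholder", 2, 2, 1),
]

if __name__ == "__main__":
    print(render_dashboard(SAMPLE))
    print("focus first on:", ", ".join(biggest_gaps(SAMPLE)))
```

With the constructed sample the overall target is 87 against a current score of 34, the largest gaps sit in Risk Assessment and Control Environment, and the average weight of 3.375 trips the guidance check, which is exactly the "everything is a 5" temptation the text warns about.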


Maturity Level Scores and Descriptions

Level 0 (Non-existent)
Description: Desired/needed/required but does not exist in any systematic, ad hoc or implicit manner.
Reporting: Non-existent.
Mgt/Staff: Unaware of the need for or the value; or awareness is unfocused and not specific.

Level 1 (Informal)
Description: Activities are done but in an ad hoc, chaotic or non-standard manner.
Reporting: Ad hoc, not comparable.
Mgt/Staff: Use pre-existing professional and personal judgement but lack coordination or a larger awareness to contextualize their actions.

Level 2 (Documented)
Description: Activities are documented and as such are emerging, currently or previously managed, with some standardization and potentially repeatable. Unable to standardize and optimize actions to ensure the highest value, lowest cost or even compliance.
Reporting: Transaction focused; management reporting is ad hoc, inconsistent and not comparable.
Mgt/Staff: Have overarching conceptual models to contextualize their work and have received education and training to assist in this.

Level 3 (Standardized)
Description: Building on level 2, policies, procedures and systems support explicit compliance across the organization.
Reporting: Level 2 plus standardized administrative and Executive reporting.
Mgt/Staff: Level 2 plus internalization of policies, procedures and systems that improve compliance and innovation in controls.

Level 4 (Integrated)
Description: Building on level 3, a point of focus has been integrated into existing operational activities so that reporting, compliance and monitoring are generally implicit.
Reporting: Level 3 plus reporting is part of planning and operational activities.
Mgt/Staff: Level 3 plus awareness of localized challenges and the ability to articulate the need for derivation from standards.

Level 5 (Optimized)
Description: Building on level 4, a best practice is established with documented derivations to match local conditions.
Reporting: Level 4 plus localized adaptations.
Mgt/Staff: Time, talent and treasure are spent refining and improving the Point of Focus.

Weighting Level Scores and Descriptions

Level 0 (Not-Applicable): Not applicable to the organization and therefore not weighted.

Level 1 (Nominal): Of limited or very low importance to the organization. This is the lowest score possible with the point of focus still being applicable to the organization. Almost no management effort should be expended on this point of focus.

Level 2 (Low): Nominal plus; of low importance but not trivial. A low ranking may be a function of timing, in which one focus point is de-emphasized so that others can be managed more closely. Little to marginal management effort should be expended.

Level 3 (Medium): The default or standard weighting applied to all points of focus. Similar to low, a medium ranking may be a function of timing and the capacity available in management effort.

Level 4 (High): Highly important and an area requiring considerable management effort and organizational time, talent and resources to improve upon. Ideally there should be no more than a dozen such points, reduced in number if resources are constrained.

Level 5 (Extreme): The most critical points of focus for the organization/executive structure. Typically there are no more than a half dozen at any one time. These will capture a large portion of management effort and considerable organizational time, talent and resources to mitigate risks, enhance the controls thereto and establish processes to enable opportunities.


COSOPS, COSO for the Public Sector

COSO was created for corporations doing business in the United States. Its American pedigree is in its name, the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Treadway Commission was organized in the mid-1980s in response to misdeeds committed in the United States in the 1970s. As a result, there is always a gap between COSO’s origins and other applications such as the public sector.

Internal Control Defined – Public Sector

Internal control is a process, effected by a public sector entity (government, public agency, international organization) board of directors, management and other personnel, designed to provide “reasonable assurance” regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Development and enactment of public policies through good government

Compliance with and management of applicable laws and regulations.

Three Lines of Defense

Similar to COSO classic, COSOPS also has Three Lines of Defense, albeit with modifications. In particular, the role of the public, electorate, free press and public interest groups is paramount not only for internal operations but for the achievement of organizational objectives via public policy.

COSOPS uses the same overall structure as COSO but replaces the features of an American corporate entity with those found in most public sectors to a greater or lesser degree. As an interesting aside, the presence or absence of the features discussed above aligns very closely with the corruption indexes of countries and organizations: proof that controls such as a free press or an engaged electorate are critical to controlling one’s government.


Key Differences Between COSO and COSOPS

Public Policy measures whether a government/organization has done what it said it would do. Is this what the stakeholders want from the government/organization?

Professional Civil Service is different from a for-profit organization, as the service should transcend a change in government or, for organizations, changes to public policy.

Public Budgeting and Accounts is more central and critical than a corporate budget, as it represents an authority to expend and, indirectly, a request to supply tax monies or debt.

Privacy and Freedom of Information legislation or policies provide a reminder to management and the civil service of the citizens’ right to know and the obligation to protect their information. While this may lead to occasional perverse incentives, on the whole it acts as a powerful internal control.

Internal Audit and Internal Oversight Offices include the classic internal audit functions but also such things as investigative powers of a public service commissioner, appeals bodies, ombudsmen, etc.

Free Press, Public Interest Groups, Open Government may seem redundant with the first line of defense, but they represent the other side of the coin: these are the consumers of information about government operations.

Government Efficiency: a precursor to corruption (and thus loss of the corresponding control) is an inefficient or ineffective government, which leads to bribes and circumvention of controls. Thus ease of doing business is a critical control factor for the public sector.

Effective and Independent Judiciary is a key control to manage the excesses of governments and their abuse of power.

Government of the Day is the group of individuals and associations who have decision-making authority – for the moment. As institutions they also have authority over elements of the lines of defense. For example, an external auditor may report to the legislature or senate as opposed to the executive functions of a government or organization.

Constitutional Functions are the legislative structures of the political entity in question including such things as the degree of enfranchisement among the population, political structure, constitutional powers, etc.

Where Internal Ends and External Begins

Unlike a for-profit or even a non-governmental organization, there is a fuzzy area where a government stops and the political process begins. In other words, it is not the job of the civil service to maintain the government of the day through the next election. The civil service’s job is to be as faithful, competent and diligent as possible no matter who their political masters-of-the-day are. To this end, much of COSO is completely relevant to a public sector entity, with some acknowledged deviations to support the public policy functions.


Control in a Bigger Context

Organizations don’t make profits or deliver public services by focusing on controls; they add or create value by achieving their organizational Objectives. The Management Control and Enablement Framework (MCEF) is the last element of making COSO pragmatic by contextualizing it.

MCEF – Not Another Framework!

Organizations are surrounded by voluntary and mandated control concepts. These include frameworks, statutes (e.g. for taxation and government compliance), and accounting, IT and international standards. All of these standards compete for management attention and organizational resources. Many of these standards have organizational success as an overriding objective. Despite this sometimes positive intent, it is questionable whether any organization can ever be perfectly compliant with all of the mandated laws, let alone the frameworks that are voluntary.

A Framework’s Framework!

MCEF can be seen as an over-arching way to consider the Control and Enablement of an organization, contextualizing the existing ways to manage and support an organization.

On the left is Control of an organization, which will mitigate risks but not exploit opportunities. On the right is the concept of Enablement, which will exploit opportunities but with a corresponding increase in risk and a corresponding loss of control. Organizations are constantly moving from left to right along this continuum as they grow and evolve; management’s job is to make the best compromise of control relative to enabling the organization.

The facing page shows MCEF, this time overlaid with a selection of other mental models and methods to understand the continuum of Control versus Enablement. On the far left of the graphic are the laws and standards that primarily focus on control. They include things such as legislation, societal norms or basic concepts of human decency and human rights. They are included to provide the absolute outer edge of the control functions. Their companion concepts on the right are laissez-faire capitalism, human ingenuity and personal motivations. These two outer boundaries represent the best and the worst of capitalism, organizations, and the overall human condition – the stuff in the middle represents (to borrow from – or bastardize – Freud) the Ego’s ongoing compromise between the organizational Id (Enablement) and the societal Superego (Control).

Other frameworks, standards, laws, etc. can be mapped onto the MCEF. There are a few things that are purely Control or purely Enablement. External legislation against child labour is perhaps an example of something that is pure control. Concepts of leadership, employee motivation and a higher purpose for an organization approach the right boundary, organizational Enablement.


Filling the Pragmatic Gap

MCEF came about because of a frustration with COSO on how to make the leap from good-sounding principles to the mechanics and specifics of implementing internal controls within an organization. From the above graphic it is obvious that COSO’s role is not to enable an organization but to identify the ‘things’ that would dis-enable the organization. To do this, managers need to use a well-stocked toolbox of things such as Six Sigma, business process engineering and employee motivation. This is how to fill the COSO gap and ultimately how it can be pragmatic.


Voting board topics:

COSO Definitions and Basic Concepts

DIY Points of Focus, 87+

Measuring Points of Focus: Weight X Maturity

COSO 5 Components

COSOPS, COSO for the Public Sector

COSO 17 Principles

MCEF, Control + Enablement

COSO 87 Points of Focus including Organizational Definitions

Mehhh, Nothing Interests Me…

COSO as a Framework versus a Standard

When Can We Go to the Commie?

And Back to the Auditors...

The MCEF model effectively describes the challenges of pragmatic and effective controls. The shareholders, board, member states, public, etc. demand perfect control while at the same time demanding increased share value, profits and innovative public policy. This is the pragmatic conundrum for organizations: achieving the mutually exclusive goals of perfect control and perfect freedom to enable. To the VBIO conference goers, what are your thoughts, and if we can explore one topic in greater detail, which one will it be? Voting will occur concurrently with the explanations, in three rounds:

1. Pass One: Place ONE Dot on a topic of interest to you.

2. Pass Two: Place TWO Dots on a topic of interest to you on one or more squares.

3. Pass Three: Place the REMAINING Dots on topics of interest to you on one or more squares.