P5. Jill, M. D., & Houmes, R. (2014)

Download as pdf or txt
Download as pdf or txt
You are on page 1of 7

M A N A G E M E N T

not-for-profit organizations

COSO’s Updated Internal Control and


Enterprise Risk Management
Frameworks
Applying the Concepts to Governments and Not-for-Profit Organizations
By Jill M. D’Aquila and Robert Houmes

n May 2013, the Committee of Sponsoring Organizations Control–Integrated Framework: Updating the Original Concepts

I (COSO) published its revised edition of the Internal


Control–Integrated Framework (IC Framework). COSO’s
actions were in direct response to the changing demands of
the business environment over the 20 years since the original
framework was issued in 1992 (see “COSO’s Internal
for Today’s Framework” by Jill M. D’Aquila in the October 2013
CPA Journal for a complete description of the IC Framework).
A noticeable change in the updated IC Framework is the inclu-
sion of 17 principles to provide detail on applying existing com-
ponents. PricewaterhouseCoopers has stated that “these principles

54 MAY 2014 / THE CPA JOURNAL


are relevant for a variety of entities, pub- Federal Government, also known as the among other things, enhance the important
lic, private, not-for-profit” (PWC Dataline, Green Book. The proposed revisions are risk assessment component of the original
May 14, 2013). Accordingly, while the designed to represent a modernized version framework. Specifically, ERM expands the
business community is paying attention to of internal control standards. It is the third “Risk Assessment” component of COSO’s
the updated COSO Framework, not-for- such revision since the GAO first issued IC Framework into “Objective Setting,”
profit organizations (NFPO) and govern- these standards in 1983 as a result of the “Event Identification,” and “Risk
ments are also focusing on it. Federal Manager’s Financial Integrity Act Assessment,” and it also adds a “Risk
The IC Framework is intended to pro-
vide a conceptual blueprint for a variety of
NFPOs. COSO explicitly points out that
reliable financial reporting, one of three
objectives of internal control, also applies
to NFPOs. COSO states “since these enti-
ties’ purpose is other than realizing and COSO explicitly points out that reliable financial
generating a profit, they may prepare other
financial reporting for donors, government
agencies, or other third parties in order to reporting, one of three objectives of internal control,
raise funds to support stated causes, not
necessarily in accordance with specific
standards or regulations” (COSO, Internal also applies to NFPOs.
Control–Integrated Framework, public
exposure draft, 2012). In addition, NFPOs
may be required to file annual reports (IRS
Form 990, Return of Organization Exempt
from Income Tax).
The IC Framework is applicable also (FMFIA), which requires the GAO to issue Response” component (see the Exhibit).
to governmental entities at all levels. The standards for internal control. The GAO The IC Framework defines risk assess-
current economy requires governments to retains the same standards conceptually, ment as follows: “Risk assessment involves
do more with fewer resources. because it includes the same five internal a dynamic and iterative process for iden-
Governments face growing budget pres- control components. It now also introduces tifying and analyzing risks to achieving the
sures, as well as other internal and exter- the IC Framework’s 17 principles. COSO entity’s objectives, forming a basis for
nal pressures. Competing priorities can indicated that the principles are broad determining how risks should be man-
have a negative impact on the govern- because they are intended to apply to a aged.” Principles 6 through 9 address risk
ment’s efficiency; in fact, 85% of federal wide variety of organizations, including assessment:
managers surveyed in a 2012 study from governmental organizations and NFPOs. n Principle 6: The organization specifies
the Government Business Council, spon- Accordingly, the GAO adapted these prin- objectives with sufficient clarity to enable
sored by Deloitte (“Cutting Costs, Inside ciples for the government environment. the identification and assessment of risks
the Effort to Improve Efficiency”), said that relating to objectives.
competing priories are the most significant Risk as the Primary Criteria: ERM n Principle 7: The organization identifies
impediment to reducing inefficiency in An overall objective of internal control risks to the achievement of its objectives
their agency. Only 29% of federal man- is to help entities achieve their mission, across the entity and analyzes risks as a
agers surveyed graded their own agency’s including the best outcome at the best value basis for determining how they should be
overall efficiency at least a B, and only for taxpayers and donors. Deloitte, in its managed.
16% gave the federal government at least “2013 Federal CFO Insights,” states, n Principle 8: The organization considers
a B. Governmental entities are also expect- “Given that consideration of risk is the pri- the potential for fraud in assessing risks
ed to improve operations and implement mary design criteria for internal controls, to the achievement of objectives.
new technologies. Thus, there is a strong CFOs should fully leverage the organiza- n Principle 9: The organization identifies
focus on internal control tools that can tion’s Enterprise Risk Management (ERM) and assesses changes that could significant-
adapt to such demands and changes. Framework and risk assessment results to ly impact the system of internal control.
routinely assess the effectiveness of exist- Ultimately, COSO’s ERM Framework
Updating the Green Book for ing internal controls and provide a basis deals with risk avoidance, acceptance, shar-
Modernized Internal Control Standards for moderating their design for optimum ing, and reduction, whereas COSO’s IC
In response to challenges facing gov- cost and efficiency.” COSO issued the Framework deals primarily with risk reduc-
ernmental entities, as well as NFPOs, the ERM Framework in 2004 in order to tion. In COSO’s Internal Control–
Government Accountability Office (GAO) enhance risk management and improve the Integrated Framework executive summa-
in September 2013 proposed changes to internal control process. ERM was ry, chair David L. Landsittel states that “the
Standards of Internal Control in the intended to be more comprehensive and, ERM Framework and recently updated

MAY 2014 / THE CPA JOURNAL 55


Internal Control–Integrated Framework are ing agencies, Congress, etc). Similarly, CFO Insights: Aligning Internal Controls
intended to be complimentary, and nei- governmental entities don’t seek to maxi- and Enterprise Risk Management
ther supersedes the other.” mize profits for stockholders, but they do Frameworks,” Deloitte, 2013)
While corporations are increasingly focus- seek to deliver mission critical services for
ing on risk oversight, the AICPA pointed out stakeholders.” The same can be said for Seven Risk Areas
in a “Government Accountability Brief” NFPOs. Deloitte identified the following seven major
(February 2010) that all types of organiza- Don Dixon, director, Deloitte & Touche areas of risk affecting federal agencies:
tions, including governmental entities, need LLP, also noted the following: n Reputation
to focus on risk. “No organization is immune Like other enterprises, federal agencies are n Political
to risks affecting the entity’s existence and under intense pressure to manage strate- n Key infrastructure
its ability to fulfill mission critical objectives.” gic, regulatory, security and reputational n Human capital
Government agencies face unique, and, at risks, just for starters. But in some ways, n Compliance and regulatory
times, new risks as they oversee programs. federal risk oversight can be even more n Transparency and accountability
The ERM Framework, which is sometimes complex than the challenge faced by pri- n Information technology. (Deloitte 2013)
thought of as a corporate-focused paradigm, vate corporate boards. How do cabinet Some of these risks are also applicable
is also relevant for governmental entities and secretaries and other senior leaders gain to other areas of government and NFPOs.
NFPOs. “It’s merely the context that cre- the clear view they need to uphold pub- Examples of how the COSO frameworks
ates differences in how governments imple- lic trust and congressional expectations apply are detailed below.
ment key ERM concepts at the tactical level: when departmental risk management is Reputation risk. An impaired reputation
governments don’t have stockholders, but widely dispersed among large, often inde- can significantly impact both government
they have stakeholders (e.g., taxpayers, fund- pendent administrations? (“Federal entities and NFPOs. Both frameworks

EXHIBIT
Relationship of ERM and Internal Control

Source: Adapted from “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,”
http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf

56 MAY 2014 / THE CPA JOURNAL


begin with the control environment (IC developing controls to mitigate risk; key element of “Internal Environment”
Framework) or internal environment (ERM selecting and developing general controls (ERM Framework). The integrity and com-
Framework), the foundations for all other over technology; and implementing these petency of employees is one of the most
components. In fact, the first Principle of controls through policies that establish effective controls for reducing risk.
the IC Framework (Control Environment) expectations. Governments must protect Entities should forecast the need for
relates to the integrity and ethical values critical installations and facilities. For future human capital. Trends in popula-
of an organization. A central element is the example, only authorized employees tion affect both the needs of citizens for
ethical disposition of senior managers. The should have access to key facilities, government-provided services, as well as
reputation of an entity is a function of the such as electric utilities, water treatment the tax revenues received from these cit-
reputation of its leadership. In a recent
interview on the updated IC Framework
transition, PricewaterhouseCoopers partner
Chuck Harris stated that, for many orga-
nizations, the focus to date has been on
control activities. Hence the principles- Government agencies must identify and manage
based updated IC Framework may promote
the softer side of COSO, including the con-
trol environment component (http://www.
pwc.com/us/en/cfodirect/standard-
risks associated with key infrastructure. Principles
setters/coso/index.jhtml).
Political risk. Government agencies face relating to “Control Activities” (IC Framework) are
unique challenges in managing risks relat-
ed to changing political priorities that
may affect funding, as well as overall particularly relevant.
performance. NFPOs are impacted as well,
given the numerous government grants
many rely upon. Changing political prior-
ities can affect the availability of funds.
Principles 7 and 9 of the IC Framework,
described earlier, are particularly relevant plants, and ports of entry. Management izens. These trends share a critical con-
here, as both refer to external factors, must maintain policies and procedures to sideration for acquiring the necessary
such as economic and regulatory factors. monitor and regulate key infrastructure resources to meet future demand, as well
An entity needs to adapt to these changes operations. Governments with typically as manage human capital risks. Similarly,
by adjusting their priorities and business large IT infrastructures must secure the NFPOs should attempt to predict the
processes. Although political risk may privacy and integrity of information. The effects of demographic changes on mis-
largely be beyond an entity’s ability to IC Framework specifically states that sion-related capabilities. For example,
directly control, organizations should restricted access is critical whenever tech- charities should attempt to identify and
attempt to forecast potential events that nology is an integral part of an entity’s estimate economic and social factors
could impact its mission and objectives. operations. affecting a population’s philanthropic
“By enhancing capability to identify poten- Human capital risk. Human capital can propensity to donate.
tial events and establish responses,” COSO account for a large portion of operating Compliance and regulatory risk.
has stated, “the organization reduces the costs and can significantly impact an orga- Compliance is especially important for
risk of unwanted surprises and their asso- nization’s bottom line. Risks include governments since laws and regulations
ciated cost or losses” (“Improving managing issues related to sufficient often determine their mission and struc-
Organizational Performance and knowledge and training; an aging employ- ture. NFPOs are also subject to unique
Governance, How the COSO Frameworks ee base; decreases in retirement funding; compliance and reporting requirements.
Can Help,” 2014). Rather than reacting to underfunded defined benefit pension plans; In order to qualify for tax-exempt status,
the effects of adverse political events after and employee morale. A key principle of NFPOs must comply with relevant tax
the fact, entities should proactively man- the Control Environment (IC Framework) provisions. An important component of
age political risk using the concepts from is an organization’s commitment, as both COSO frameworks is the require-
both COSO frameworks. described in Principle 4, to attract, devel- ment that entities comply with applica-
Key infrastructure risk. Government op, and retain competent individuals in sup- ble regulations, rules, and laws. To miti-
agencies must identify and manage risks port of the organization’s objectives. gate the effects of risks associated with
associated with key infrastructure. Principle 4 addresses such issues as men- compliance and regulatory risk, entities
Principles relating to “Control Activities” toring and training programs, as well as must first be knowledgeable about the
(IC Framework) are particularly relevant. evaluating competence across the organi- rules, regulations, laws, and reporting
These principles relate to selecting and zation. Similarly, human resources are a requirements, as clearly stated in the IC

MAY 2014 / THE CPA JOURNAL 57


Framework. Funding from the U.S. gov- financial management and assurances transparency reinforces accountability of
ernment can also require audits, as per the team at the GAO, stated— senior management and the board. The
Single Audit Act and OMB Circular the bottom line really is about account- AICPA points out that the audit committee
A-133. To reduce regulatory and com- ability and transparency. I think inter- of a government unit plays a very impor-
pliance risk, however, NFPOs should con- nal controls are critical if you think of tant role in helping to ensure accountability
sider obtaining audits regardless of their any of the major events that happened and compliance:
legal requirements. “The Guide to Not- during the course of a year where maybe At no time in recent memory is the need
for-Profit Governance” is a useful sum- government funds have to be spent very for an effective audit committee in
mary of tax and other governance issues quickly. It’s very important to have those government more important than now.
from Weil, Gotshal & Manges LLP internal controls so you do have account- With looming budget shortfalls, program
(http:// www.pbpatl.org/ wp-content/ ability. cuts and employee layoffs, government
uploads/2012/10/NFPGuide_2012.pdf). In a similar sense, NFPOs that compete units are wrestling with maintaining ser-
Transparency and accountability risk. for voluntary donations and grants benefit vices with fewer resources. Government
Because governments exist for the pub- from increased visibility regarding their use officials need to diligently assess the
lic good and derive their financing from of donated funds. need for expenditures and ensure that
taxpayers, transparency and accountabil- Principle 2 of the IC Framework revenues are received timely and man-
ity regarding finances is paramount. (Oversight Responsibility) states that the aged correctly. (“Audit Committee
When discussing proposed changes to the board of directors should provide oversight Brief,” Jul. 15, 2011).
Green Book, Jim Dalkin, director of the for internal controls. It also points out that Principles 14 (Internal Communication)

COSO’S SUGGESTIONS ON USING BOTH FRAMEWORKS


AND EXAMPLES IN PRACTICE

COSO’s Suggestions Examples in Practice


Ensure ERM is integrated with core management processes. The Department of Homeland Security has a Risk Steering
Committee to ensure that risk management is consistent
throughout the agency.
Improve the dialogue about risk tolerance between senior The Information Analysis and Infrastructure Protection (IAIP)
management and the board of directors, as well as Directorate developed benchmark threat scenarios to analyze
downward throughout the organization. potential attacks relating to critical infrastructure assets.
Strengthen the risk culture by improving the control The Department of Health and Human Services created a
environment (IC Framework) or internal environment “Secretary’s Council on Program Integrity” to look at areas,
(ERM Framework). including Medicare, and public health grants, and conduct risk
assessments of those programs most vulnerable to fraud or abuse.
Improve the identification, prioritization, and response to risk The Department of Energy has a “Risk Management Guide” that
by structuring risk assessment according to characteristics defines key roles relating to risk, as well as a chain of authority
of risks being assessed and by assigning risk assessment and communication for risk management decisions.
to appropriate management.
Strengthen internal controls using COSO’s 17 principles. The GAO proposed revisions to the Green Book that incorporate
these 17 principles.
Integrate both frameworks in the organization. The Centers for Disease Control implemented a risk management
framework which partially resembles COSO’s ERM Framework.
The CDC Internal Controls Program is a bottom-up strategy for
assessing risk and supports the broader, top-down approach to ERM.

58 MAY 2014 / THE CPA JOURNAL


and 15 (External Communication) of the technology risk. Principle 11 (General Control Frameworks and Examples in Practice) on
IC Framework are also relevant. Activities over Technology) of the IC using both frameworks. Several of these
Voluntarily published reports can reduce Framework includes a discussion of tech- suggestions are already in place at gov-
transparency and accountability risk. For nology general controls, technology infras- ernment agencies.
example, reports that document the per- tructure, security management processes, and COSO described the frameworks as follows:
centage of donated dollars that go to vic- technology acquisition, development, and Robust enough to be applied inde-
tims reduce the risks associated with a maintenance processes. Steve Shafer, IT pendently on their own, the two COSO
lack of transparency. Reports that improve administrator of finance for the Nebraska state frameworks have a common pur-
decision making or identify variances chief information officer, points out that pose—to help the enterprise achieve
from standards can provide evidence to although most of the literature on internal its objectives and to optimize the
support and justify funding needs. In light controls focuses on financial systems, orga- inevitable tension between the enter-
of the recent impetus to reduce budgets nizations can also apply internal control prise’s value creation and value pro-
at state and local levels, this objective may concepts to information technology; for tection activities. Therefore, both
be particularly significant for govern- example, an application development team [frameworks] facilitate and support the
ments. Principle 10 (Selecting and can use these strategies to identify weaknesses governance process when implement-
Developing Control Activities) identifies relating to cost overruns. The team can ed effectively (p. 6).
a number of business process control address cost overruns using a system that While applications will vary accord-
activities that relate to transparency and tracks resources used versus deliverables. In ing to the particular risk profiles of each
accountability risk for both governments addition, risk assessment can be used to iden- entity, both frameworks provide a con-
and NFPOs. These controls relate to tify weaknesses that could potentially lead ceptual foundation from which govern-
authorizations, verifications, physical con- to a loss of information technology services. ments and NFPOs may proactively
trols, controls over standing data, recon- design, implement, and sustain efficient
ciliations, and supervisory controls. Improving Performance and effective risk management initiatives,
Information technology risk. The and Governance including the application of appropriate
increased use of information technology leads In February 2014, COSO released controls that mitigate the risk to mis-
to increased risks. As municipalities grow, “Improving Organizational Performance sions and objectives. q
information systems must adapt to meet and Governance: How the COSO
future requirements. Online donors to NFPOs Frameworks Can Help,” which illustrates
should assume that their information is secure. how both frameworks can enhance orga- Jill M. D’Aquila, PhD, CPA, and Robert
Information technology risk exposure is espe- nizational performance and governance for Houmes, PhD, CMA, are both associate
cially great for large federal agencies that pro- sustainable success. COSO provides spe- professors of accounting in the Davis
cess large amounts of data. Both COSO cific suggestions (summarized in the side- College of Business at Jacksonville
frameworks play a key role with information bar, COSO’s Suggestions on Using Both University, Jacksonville, Fla.

Let Us Hear From You


The CPA Journal welcomes letters from readers in response to articles
published in the magazine as well as those concerning issues of general
interest to the accounting profession. Although we receive more letters than
we are able to publish, all letters receive consideration.
The editors reserve the right to edit letters for clarity and length. Writers
should include their contact information, including a daytime telephone
number and an e-mail address, if possible.
Letters may be addressed to Letters to the Editor, The CPA Journal, 3 Park
Avenue, 18th Floor, New York, N.Y., 10016, or to [email protected].

MAY 2014 / THE CPA JOURNAL 59


Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.

You might also like