“The organization internally communicates information, including objectives and responsibilities for internal control, necessary to the functioning of internal control.” (COSO Principle 14 – Communicates Internally, COSO Framework) is the second of the three principles relating to the Information & Communication component of internal control. For those who view the COSO framework and compliance as “check the box” activities divorced from organizational success, this principle exposes their folly. Principle 14 requires management to take their strategic vision and objectives and activate them in the organization as operational objectives and sub-objectives, assigned to stakeholders through roles, governed by policy and procedures, and supported by an effective communication system. That communication extends to oversight activities that confirm tasks are completed and objectives achieved, thereby realizing the entity’s strategic vision, or that otherwise identify impediments to that vision early enough for management to pivot: either to ensure success or to halt unprofitable activities.
In “Reflections of a For Purpose Executive”, Tom Hood states, “Imagine what it would be like if every one of your team members knew your organization's "why" and how they contribute to it.” This is the heart of COSO principle 14. Effectively communicating objectives and sub-objectives to stakeholders, communicating their roles and responsibilities targeted at achieving these objectives, and enabling them to fulfill their role provides the “why” which empowers stakeholders while also positively impacting internal control. Internal control is a means to accomplishing objectives which leads to the success of the organization. Mr. Hood provides an example of President Kennedy approaching a janitor on a visit to NASA saying, “Hi, I’m Jack Kennedy. What are you doing?” The janitor responded, “I’m helping put a man on the moon, Mr. President.” This is where we need to get our organizational culture. Effective use of the COSO framework significantly helps get us there. Compliance cannot be a separate consideration overseen by separate departments but must be ingrained in the fabric of the organization such that proper behavior is ubiquitous. All of our janitors must feel that they are part of the mission.
Communication to the Board of Directors (BOD) is critical to their oversight and advisory role. We are familiar with the advanced reports and standard “deck” companies present to the Board and the Audit Committee. An excellent practice of most audit committees is to meet privately with the chief audit executive (CAE), with the external auditors and with both of these parties together but with no other management present. All three of these brief sessions are important. The private meeting with the CAE is important because they may not feel it appropriate to voice potential concerns in front of the external auditors if such concerns are not yet fully validated. During my days as CAE at Lenox (the tabletop and collectibles company), the audit committee requested a presentation by one of the other compliance functions at each meeting on a rotating basis. This was an excellent practice that gave the audit committee more insight into the Company and provided leaders within these functions with an audience in front of the audit committee. Expanding the depth of organizational leaders that the audit committee connects with can be a powerful influence supporting a strong culture of compliance. This practice also sends a clear message that senior management supports open communication channels with the BOD.
Technology to enable communication of objectives, expectations, roles, policy and procedures is available and essential to the modern organization. Technology to manage execution of internal controls should be viewed more broadly as technology to ensure execution against organizational objectives, with effective internal controls as a consequence of that execution. Cascading strategic objectives down to operational and compliance objectives can be actuated in many available GRC solutions. Effective deployment of security within this technology ensures that stakeholders are provided with all, and only, what they need to know, while also understanding their role in the organization (recall the “why” from above). Role-based assignments can then be actuated using the tasking that many GRC solutions provide, including escalation of tasks for review or higher-level action. Dashboards, e-mail notifications and other features focus management attention on the outliers that require action, with the knowledge that all other tasks have been completed as management planned. Thus, a large portion of the achievement of entity objectives is actuated within a GRC platform, whereby completing the tasks required for success also completes the tasks required for compliance. Management must move beyond the “check the box” mentality and embrace and deploy technology to achieve its goals, with the boxes checking themselves. Management must seize the opportunity to leverage compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/ #compliance #COSO #InternalAudit #Audit #IA #GRC