COSO ICIP Questions Part II
Posted: February 2, 2015
Last week I responded to some of the questions I have received while making presentations on adoption of the COSO 2013 Internal Control Integrated Framework. This week I conclude with a response to a final “big” question about implementing the new framework.
How do you get process owners and non-financial stakeholders on board to document/update/create new controls to cover all of the principles in the new framework?
There are so many ways to go with this question, but here are a few of my thoughts.
In most cases I’ve seen, the additional controls are really not new controls, but simply newly documented controls in the SOX documentation. Once you explain to people you aren’t really asking them to do anything different or more, but to simply help you document what they are already doing, then they are usually cooperative. I’ve even had the experience where people are glad their work is now part of a SOX control because they feel like they have a new tool – the SOX hammer – to use when other groups are not cooperative in doing what they should by following the control. Finding how it benefits them is usually the key to getting people to help you.
On the other hand, if you are adding new controls to your business (not just documenting additional controls that already existed) to cover all of the principles, then you really need to question if you were ever operating an effective system of internal controls. While there is no restatement requirement related to prior section 404 disclosures, one way to scare the heck out of most CFOs and CEOs is to point out that they signed a document that might have had an error. At least in the past they thought they were right; now they know their system is not sufficient and they would be knowingly falsifying an SEC document. If you get pushback from the CEO and CFO, then all that does is add further proof that the company does not take its section 404 requirements and internal control seriously and is just a material misstatement waiting to happen.
If you can’t get the CEO and CFO to take action, another option is to have your auditors aid you in pointing out the importance of the missing controls. If the auditor is not going to give a clean opinion on the section 404 statement, that should certainly get the attention of the audit committee and the Board of directors. If that doesn’t get people to cooperate, then nothing will.
I consider getting the auditor and Board involved the nuclear option, and even going to the CEO and CFO can burn bridges with other departments, so you want to use those techniques sparingly. I find most people really do care about doing things right and doing the right things for the business. If you can find some way they benefit from helping you as well, then most of the time you will get the help you need.