Many organizations base their Sarbanes-Oxley (SOX) documentation on COSO’s Internal Control – Integrated Framework. This publication was originally issued in 1992 and significantly updated in 2013. In the next year these organizations must update their financial reporting internal control documentation and testing to match the newly updated framework.
This major update adds 17 newly articulated principles which support the 5 already-existing components of internal control. These new principles must all be present, functioning, and working together in order to achieve an effective system of internal controls.
In my view, an organization cannot accomplish 12 of these 17 new principles without a functioning performance and risk management environment. That’s a good thing – it seems that COSO is now heading in the right direction. Internal control isn’t simply about having a certain set of control processes. It’s about having an environment that assures an organization is meeting its performance and control objectives.
Having an effective performance and risk environment is a little bit like having a good exercise program. Everyone knows that it’s a good idea. Sometimes we’re too lazy to do what we know we should do. But there is no doubt, once it’s in place, that we’re far better off because of it.
It’s time to think of COSO 2013 like a doctor’s “wake up” call. Let’s stop paying lip service to managing risk and performance; let’s actually do it. The group at Risk Leader (http://rskldr.com) has a new approach that links risk management with performance management. They call it, not so surprisingly, Performance Risk Management and their idea is that risk management is not a separate stand-alone activity. It has a clear and distinct purpose as part of an organization’s normal management activities — to help an organization achieve its objectives better, faster, and more completely. It seems to me that a system like this solves two issues for COSO 2013:
- It is a risk and performance environment that, by its very existence, directly supports the organization’s ability to meet 12 of the new principles relating to organizational performance and risk management, and
- Because it is a risk and performance environment, it can be used to identify, assess, and monitor financial reporting risk
So is this (or something like it) the way to go for COSO 2013? I think that the accounting and investing communities expect an organization to have a real performance and risk management system in place. COSO 2013 is merely reflecting this. Good job.