COSO's Updated Internal Control and Enterprise Risk Management Frameworks - Insurance News | InsuranceNewsNet

June 24, 2014 Newswires

COSO’s Updated Internal Control and Enterprise Risk Management Frameworks

By Houmes, Robert
Proquest LLC

Applying the Concepts to Governments and Not-for-Profit Organizations

In May 2013, the Committee of Sponsoring Organizations (COSO) published its revised edition of the Internal Control-Integrated Framework (IC Framework). COSO's actions were in direct response to the changing demands of the business environment over the 20 years since the original framework was issued in 1992 (see "COSO's Internal Control-Integrated Framework: Updating the Original Concepts for Today's Framework" by Jill M. D'Aquila in the October 2013 CPA Journal for a complete description of the IC Framework). A noticeable change in the updated IC Framework is the inclusion of 17 principles to provide detail on applying existing components. PricewaterhouseCoopers has stated that "these principles are relevant for a variety of entities, public, private, not-for-profit" (PWC Dataline, May 14, 2013). Accordingly, while the business community is paying attention to the updated COSO Framework, not-for-profit organizations (NFPO) and governments are also focusing on it.

The IC Framework is intended to provide a conceptual blueprint for a variety of NFPOs. COSO explicitly points out that reliable financial reporting, one of three objectives of internal control, also applies to NFPOs. COSO states "since these entities' purpose is other than realizing and generating a profit, they may prepare other financial reporting for donors, government agencies, or other third parties in order to raise funds to support stated causes, not necessarily in accordance with specific standards or regulations" (COSO, Internal Control-Integrated Framework, public exposure draft, 2012). In addition, NFPOs may be required to file annual reports (IRS Form 990, Return of Organization Exempt from Income Tax).

The IC Framework also applies to governmental entities at all levels. The current economy requires governments to do more with fewer resources. Governments face growing budget pressures, as well as other internal and external pressures. Competing priorities can have a negative impact on the government's efficiency; in fact, 85% of federal managers surveyed in a 2012 study from the Government Business Council, sponsored by Deloitte ("Cutting Costs, Inside the Effort to Improve Efficiency"), said that competing priorities are the most significant impediment to reducing inefficiency in their agency. Only 29% of federal managers surveyed graded their own agency's overall efficiency at least a B, and only 16% gave the federal government at least a B. Governmental entities are also expected to improve operations and implement new technologies. Thus, there is a strong focus on internal control tools that can adapt to such demands and changes.

Updating the Green Book for Modernized Internal Control Standards

In response to challenges facing governmental entities, as well as NFPOs, the Government Accountability Office (GAO) in September 2013 proposed changes to Standards of Internal Control in the Federal Government, also known as the Green Book. The proposed revisions are designed to represent a modernized version of internal control standards. It is the third such revision since the GAO first issued these standards in 1983 as a result of the Federal Managers' Financial Integrity Act (FMFIA), which requires the GAO to issue standards for internal control. The GAO retains the same standards conceptually, because it includes the same five internal control components. It now also introduces the IC Framework's 17 principles. COSO indicated that the principles are broad because they are intended to apply to a wide variety of organizations, including governmental organizations and NFPOs. Accordingly, the GAO adapted these principles for the government environment.

Risk as the Primary Criteria: ERM

An overall objective of internal control is to help entities achieve their mission, including the best outcome at the best value for taxpayers and donors. Deloitte, in its "2013 Federal CFO Insights," states, "Given that consideration of risk is the primary design criteria for internal controls, CFOs should fully leverage the organization's Enterprise Risk Management (ERM) Framework and risk assessment results to routinely assess the effectiveness of existing internal controls and provide a basis for moderating their design for optimum cost and efficiency." COSO issued the ERM Framework in 2004 in order to enhance risk management and improve the internal control process. ERM was intended to be more comprehensive and, among other things, enhance the important risk assessment component of the original framework. Specifically, ERM expands the "Risk Assessment" component of COSO's IC Framework into "Objective Setting," "Event Identification," and "Risk Assessment," and it also adds a "Risk Response" component (see the Exhibit).

The IC Framework defines risk assessment as follows: "Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed." Principles 6 through 9 address risk assessment:

* Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

* Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how they should be managed.

* Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

* Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

Ultimately, COSO's ERM Framework deals with risk avoidance, acceptance, sharing, and reduction, whereas COSO's IC Framework deals primarily with risk reduction. In COSO's Internal Control-Integrated Framework executive summary, chair David L. Landsittel states that "the ERM Framework and recently updated Internal Control-Integrated Framework are intended to be complementary, and neither supersedes the other."

While corporations are increasingly focusing on risk oversight, the AICPA pointed out in a "Government Accountability Brief" (February 2010) that all types of organizations, including governmental entities, need to focus on risk. "No organization is immune to risks affecting the entity's existence and its ability to fulfill mission critical objectives." Government agencies face unique, and, at times, new risks as they oversee programs. The ERM Framework, which is sometimes thought of as a corporate-focused paradigm, is also relevant for governmental entities and NFPOs. "It's merely the context that creates differences in how governments implement key ERM concepts at the tactical level: governments don't have stockholders, but they have stakeholders (e.g., taxpayers, funding agencies, Congress, etc). Similarly, governmental entities don't seek to maximize profits for stockholders, but they do seek to deliver mission critical services for stakeholders." The same can be said for NFPOs.

Don Dixon, director, Deloitte & Touche LLP, also noted the following:

Like other enterprises, federal agencies are under intense pressure to manage strategic, regulatory, security and reputational risks, just for starters. But in some ways, federal risk oversight can be even more complex than the challenge faced by private corporate boards. How do cabinet secretaries and other senior leaders gain the clear view they need to uphold public trust and congressional expectations when departmental risk management is widely dispersed among large, often independent administrations? ("Federal CFO Insights: Aligning Internal Controls and Enterprise Risk Management Frameworks," Deloitte, 2013)

Seven Risk Areas

Deloitte identified the following seven major areas of risk affecting federal agencies:

* Reputation

* Political

* Key infrastructure

* Human capital

* Compliance and regulatory

* Transparency and accountability

* Information technology. (Deloitte 2013)

Some of these risks are also applicable to other areas of government and NFPOs. Examples of how the COSO frameworks apply are detailed below.

Reputation risk. An impaired reputation can significantly impact both government entities and NFPOs. Both frameworks begin with the control environment (IC Framework) or internal environment (ERM Framework), the foundations for all other components. In fact, the first Principle of the IC Framework (Control Environment) relates to the integrity and ethical values of an organization. A central element is the ethical disposition of senior managers. The reputation of an entity is a function of the reputation of its leadership. In a recent interview on the updated IC Framework transition, PricewaterhouseCoopers partner Chuck Harris stated that, for many organizations, the focus to date has been on control activities. Hence the principles-based updated IC Framework may promote the softer side of COSO, including the control environment component (http://www.pwc.com/us/en/cfodirect/standardsetters/coso/index.jhtml).

Political risk. Government agencies face unique challenges in managing risks related to changing political priorities that may affect funding, as well as overall performance. NFPOs are impacted as well, given the numerous government grants many rely upon. Changing political priorities can affect the availability of funds. Principles 7 and 9 of the IC Framework, described earlier, are particularly relevant here, as both refer to external factors, such as economic and regulatory factors. An entity needs to adapt to these changes by adjusting its priorities and business processes. Although political risk may largely be beyond an entity's ability to directly control, organizations should attempt to forecast potential events that could impact their mission and objectives. "By enhancing capability to identify potential events and establish responses," COSO has stated, "the organization reduces the risk of unwanted surprises and their associated cost or losses" ("Improving Organizational Performance and Governance, How the COSO Frameworks Can Help," 2014). Rather than reacting to the effects of adverse political events after the fact, entities should proactively manage political risk using the concepts from both COSO frameworks.

Key infrastructure risk. Government agencies must identify and manage risks associated with key infrastructure. Principles relating to "Control Activities" (IC Framework) are particularly relevant. These principles relate to selecting and developing controls to mitigate risk; selecting and developing general controls over technology; and implementing these controls through policies that establish expectations. Governments must protect critical installations and facilities. For example, only authorized employees should have access to key facilities, such as electric utilities, water treatment plants, and ports of entry. Management must maintain policies and procedures to monitor and regulate key infrastructure operations. Governments with typically large IT infrastructures must secure the privacy and integrity of information. The IC Framework specifically states that restricted access is critical whenever technology is an integral part of an entity's operations.

Human capital risk. Human capital can account for a large portion of operating costs and can significantly impact an organization's bottom line. Risks include managing issues related to sufficient knowledge and training; an aging employee base; decreases in retirement funding; underfunded defined benefit pension plans; and employee morale. A key principle of the Control Environment (IC Framework) is an organization's commitment, as described in Principle 4, to attract, develop, and retain competent individuals in support of the organization's objectives. Principle 4 addresses such issues as mentoring and training programs, as well as evaluating competence across the organization. Similarly, human resources are a key element of "Internal Environment" (ERM Framework). The integrity and competency of employees is one of the most effective controls for reducing risk.

Entities should forecast the need for future human capital. Trends in population affect both the needs of citizens for government-provided services and the tax revenues received from these citizens. These trends are a critical consideration for acquiring the necessary resources to meet future demand, as well as for managing human capital risks. Similarly, NFPOs should attempt to predict the effects of demographic changes on mission-related capabilities. For example, charities should attempt to identify and estimate economic and social factors affecting a population's philanthropic propensity to donate.

Compliance and regulatory risk. Compliance is especially important for governments since laws and regulations often determine their mission and structure. NFPOs are also subject to unique compliance and reporting requirements. In order to qualify for tax-exempt status, NFPOs must comply with relevant tax provisions. An important component of both COSO frameworks is the requirement that entities comply with applicable regulations, rules, and laws. To mitigate the effects of risks associated with compliance and regulatory risk, entities must first be knowledgeable about the rules, regulations, laws, and reporting requirements, as clearly stated in the IC Framework. Funding from the U.S. government can also require audits, as per the Single Audit Act and OMB Circular A-133. To reduce regulatory and compliance risk, however, NFPOs should consider obtaining audits regardless of their legal requirements. "The Guide to Not-for-Profit Governance" is a useful summary of tax and other governance issues from Weil, Gotshal & Manges LLP (http://www.pbpatl.org/wp-content/uploads/2012/10/NFPGuide_2012.pdf).

Transparency and accountability risk. Because governments exist for the public good and derive their financing from taxpayers, transparency and accountability regarding finances is paramount. When discussing proposed changes to the Green Book, Jim Dalkin, director of the financial management and assurances team at the GAO, stated:

The bottom line really is about accountability and transparency. I think internal controls are critical if you think of any of the major events that happened during the course of a year where maybe government funds have to be spent very quickly. It's very important to have those internal controls so you do have accountability.

In a similar sense, NFPOs that compete for voluntary donations and grants benefit from increased visibility regarding their use of donated funds.

Principle 2 of the IC Framework (Oversight Responsibility) states that the board of directors should provide oversight for internal controls. It also points out that transparency reinforces accountability of senior management and the board. The AICPA points out that the audit committee of a government unit plays a very important role in helping to ensure accountability and compliance:

At no time in recent memory is the need for an effective audit committee in government more important than now. With looming budget shortfalls, program cuts and employee layoffs, government units are wrestling with maintaining services with fewer resources. Government officials need to diligently assess the need for expenditures and ensure that revenues are received timely and managed correctly. ("Audit Committee Brief," Jul. 15, 2011).

Principles 14 (Internal Communication) and 15 (External Communication) of the IC Framework are also relevant. Voluntarily published reports can reduce transparency and accountability risk. For example, reports that document the percentage of donated dollars that go to victims reduce the risks associated with a lack of transparency. Reports that improve decision making or identify variances from standards can provide evidence to support and justify funding needs. In light of the recent impetus to reduce budgets at state and local levels, this objective may be particularly significant for governments. Principle 10 (Selecting and Developing Control Activities) identifies a number of business process control activities that relate to transparency and accountability risk for both governments and NFPOs. These controls relate to authorizations, verifications, physical controls, controls over standing data, reconciliations, and supervisory controls.

Information technology risk. The increased use of information technology leads to increased risks. As municipalities grow, information systems must adapt to meet future requirements. Online donors to NFPOs should assume that their information is secure. Information technology risk exposure is especially great for large federal agencies that process large amounts of data. Both COSO frameworks play a key role with information technology risk. Principle 11 (General Control Activities over Technology) of the IC Framework includes a discussion of technology general controls, technology infrastructure, security management processes, and technology acquisition, development, and maintenance processes. Steve Shafer, IT administrator of finance for the Nebraska state chief information officer, points out that although most of the literature on internal controls focuses on financial systems, organizations can also apply internal control concepts to information technology; for example, an application development team can use these strategies to identify weaknesses relating to cost overruns. The team can address cost overruns using a system that tracks resources used versus deliverables. In addition, risk assessment can be used to identify weaknesses that could potentially lead to a loss of information technology services.

Improving Performance and Governance

In February 2014, COSO released "Improving Organizational Performance and Governance: How the COSO Frameworks Can Help," which illustrates how both frameworks can enhance organizational performance and governance for sustainable success. COSO provides specific suggestions (summarized in the sidebar, COSO's Suggestions on Using Both Frameworks and Examples in Practice) on using both frameworks. Several of these suggestions are already in place at government agencies.

COSO described the frameworks as follows: Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose - to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise's value creation and value protection activities. Therefore, both [frameworks] facilitate and support the governance process when implemented effectively (p. 6).

While applications will vary according to the particular risk profiles of each entity, both frameworks provide a conceptual foundation from which governments and NFPOs may proactively design, implement, and sustain efficient and effective risk management initiatives, including the application of appropriate controls that mitigate the risk to missions and objectives.

Jill M. D'Aquila, PhD, CPA, and Robert Houmes, PhD, CMA, are both associate professors of accounting in the Davis College of Business at Jacksonville University, Jacksonville, Fla.

Copyright:  (c) 2014 New York State Society of Certified Public Accountants
Wordcount:  2802
