The COSO framework is a powerful tool in that it allows an organization to focus on key structures, values and processes that together form this concept of internal control, far outside the narrow financial focus that used to be the case. The individual is part of the process but it can be hard to get a corporate solution down to grassroots. The criteria of control (CoCo) is a further control framework that can mean more to teams and individuals and includes an interesting learning dynamic. CoCo was developed by the Canadian Institute of Chartered Accountants (CICA) and is now an international standard. The CICA website (www.cica.ca) gives an account of their understanding of control as a platform for the criteria that was developed:
Control needs to be understood in a broad context. Control comprises those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization's objectives. The effectiveness of control cannot be judged solely on the degree to which each criterion, taken separately, is met. The criteria are interrelated, as are the control elements in an organization. Control elements cannot be designed or evaluated in isolation from each other. Control is as much a function of people's ethical values and beliefs as it is of standards and compliance mechanisms. Control should cover the identification and mitigation of risks. These risks include not only known risks related to the achievement of a specific objective but also two more fundamental risks to the viability and success of the organization:
1. failure to maintain the organization's capacity to identify and exploit opportunities;
2. failure to maintain the organization's capacity to respond and adapt to unexpected risks and opportunities, and make decisions on the basis of the telltale indications in the absence of definitive information.
The principles may be organized according to the four groupings of the CICA criteria of control framework as illustrated in Figure 4.5.
The main components are explained below:
Purpose The model starts with the need for a clear direction and sense of purpose. This includes objectives, mission, vision and strategy; risks and opportunities; policies; planning; and performance targets and indicators. It is essential to have a clear driver for the control criteria and since controls are about achieving objectives, it is right that people work to the corporate purpose. Much work can be done here in setting objectives and getting people to have a stake in the future direction of the organization. The crucial link between controls and performance targets is established here as controls must fit in with the way an organization measures and manages performance to make any sense at all.
Commitment The people within the organization must understand and align themselves with the organization's identity and values. This includes ethical values, integrity, human resource policies, authority, responsibility and accountability, and mutual trust. Many control systems fail to recognize the need to get people committed to the control ethos as a natural part of the way an organization works. Where people spend their time trying to 'beat the system', there is normally a lack of commitment to the control criteria. The hardest part in getting good control is getting people to feel part of the arrangements.
Capability People must be equipped with the resources and competence to understand and discharge the requirements of the control model. This includes knowledge; skills and tools; communication processes; information; co-ordination; and control activities. Where there is a clear objective, and everyone is ready to participate in designing and installing good controls, there is still a need to develop some expertise in this aspect of organizational life. Capability is about resourcing the control effort by ensuring staff have the right skills, experience and attitudes not only to perform well but also to be able to assess risks and ensure controls make it easier to deal with these risks. Capability can be assisted by training and awareness seminars, either at induction or as part of continuing improvement programmes.
Action This stage entails performing the activity that is being controlled. Before employees act, they will have a clear purpose, a commitment to meet their targets and the ability to deal with problems and opportunities. Any action that comes after these prerequisites has more chance of leading to a successful outcome.
Monitoring and learning People must buy into and be part of the organization's evolution. This includes monitoring internal and external environments, monitoring performance, challenging assumptions, reassessing information needs and information systems, follow-up procedures, and assessing the effectiveness of control. Monitoring is a hard control in that it fits in with inspection, checking, supervising and examining. Challenging assumptions is an important soft control in that it means people can develop and excel. Each activity is seen as part of a learning process that lifts an organization to a higher dimension. Some organizations employ people who have tried and failed to start their own high risk venture, on the basis that they have had invaluable experiences that, if they have learnt lessons from, will make them stronger and much more resilient in growing a new business. Organizations that are based around blame cultures will not encourage positive learning experiences, and will interpret controls as mechanisms for punishing people whose performance slips. The CoCo criteria encourages a positive response to feedback on activities.
Was this article helpful?