This is the third in a series on internal control. The first blog, Internal Control and COSO, introduced this framework, including highlighting some of its shortcomings. The second blog, A List of Internal Controls, attempted to create the most comprehensive list of controls ever constructed (or at least the most comprehensive that I could find). This blog asks the question, “Does COSO have competitors, or is there a better control framework out there?”
COSO Competitors
In a word, NO. COSO has lots of kissing cousins and more distant relations, all of which look to COSO (one author describes the frameworks as being indistinguishable from each other [3, p. 2]). The frameworks tend to influence each other, as demonstrated in the following diagram [4, p. 6].

There has been some excellent analysis comparing the various control methods which I don’t intend to repeat here (and which are listed in the reference annex below). Instead, this is a quick overview of what else is out there and what these alternatives offer an organization.
CoCo – Criteria of Control
- Authors: the former Canadian Institute of Chartered Accountants, now the Canadian Chartered Professional Accountants.
- CoCo can be said to be a concise superset of COSO and is premised on judgement rather than prescriptive rules for implementing internal control.
- The underlying premise of CoCo is that internal control relies on the individual rather than on the top levels of the organization. In this respect it has a bottom-up rather than a top-down view of control [5,
- The smallest unit of an organization is the individual person.
- A person performs a task, guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies and skills).
- The person will need a sense of commitment to perform the task well over time.
- The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made.
- The same is true of any team or work group. In any organization of people, the essence of control is purpose, commitment, capability, and monitoring and learning.
- Despite some excellent reviews, this framework is invisible and does not seem to be updated or maintained.
- It is only available as a series of annexes from within Canadian accounting standards and is not even listed on the CPA Canada website.
- The focus definitely appears to be exclusively on Canadian external and internal auditors.
UK Corporate Governance Code
- Authors: The Institute of Chartered Accountants in England & Wales.
- This is a UK-focused framework, in particular for companies listed on the London Stock Exchange.
- It is less prescriptive than COSO and principle-based rather than rule-based [1, p. 4].
- Turnbull strongly favors a principles-based approach in which, reflecting sound business practice, internal control is embedded in the organization’s business processes, whilst remaining relevant over time and through the organization’s changing circumstances. It argues that internal control should be incorporated within the normal management and governance processes of an organization and not treated as a separate exercise undertaken to meet regulatory requirements.
- Turnbull further states that, “For the purposes of this guidance, internal controls considered by the board should include all types of controls including those of an operational and compliance nature, as well as internal financial controls.”
Control Objectives for Information and Related Technology (COBIT)
- Author: Information Systems Audit and Control Association.
- COBIT is now on version 5.0, although its original definition of internal control originated from COSO.
- The focus is on information technology and management, although many of the governance functions can be retrofitted to the organization at large.
ISO 31000 – Risk Management
- Author: International Standards Organization.
- Although not a true internal control framework, this standard is the STANDARD for risk management, although it is not without its critics [2].
- The risk management functions are siloed in nature, as opposed to being integrated into the larger organization as proposed by COSO, CoCo, COBIT or Turnbull.
Which Framework to Choose
Unlike accounting standards, the above frameworks (and others) provide guidance. Certainly there are reporting requirements for different securities exchanges (e.g. SOX for the US and Turnbull for the UK), but these are generally similar enough ... assuming that there is good management, governance and oversight within an organization. And there is the rub. In some cases organizations must focus on compliance, but not necessarily on adding value. Ideally, organizations should be focusing not only on organizational control but also on organizational enablement, which leads us to the next blog and the Management Control and Enablement Framework (MCEF).
Sources:
1. Internal Controls—A Review of Current Developments; International Federation of Accountants; Information Paper, August 2006.
2. ISO 31000 Revision Analysis: https://www.ifac.org/global-knowledge-gateway/risk-management-internal-control/discussion/revised-iso-31000-risk.
3. Monitoring the system of internal control; Grant Thornton: http://www.boardoptions.com/monitoringinternalcontrol.pdf.
4. An Introduction to Information Control Models; Sandia National Laboratories; SAND2002-0131, September 2003.
5. Guidance of the Criteria of Control Board, Canadian Chartered Professional Accountants; accessed via www.Knotia.ca.
Further Reading (to Save You Googling)
- Evaluation of the Effectiveness of Internal Control over Financial Reporting, Lembi Noorve; Master Thesis, University of Tartu.
- Managing Organizational Culture for Effective Internal Control: From Practice to Theory, Jan A. Pfister.
- Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors, The Institute of Internal Auditors Research Foundation; 2013.
- Two Sides of the Same Coin; CICA’s Guidance on Control and CCAF’s Effectiveness Reporting Framework; May 1996.
- A comparative study of well-established internal control models, Sorin Briciu; http://www.sciencedirect.com.
- Integrated Control Guidance – A Management Framework, icorp.ca.