
PRINCIPLE 4: COMMITMENT TO ATTRACT, DEVELOP, AND
RETAIN COMPETENT INDIVIDUALS IN ALIGNMENT WITH
OBJECTIVES
Competence should relate to the knowledge and skills necessary to accomplish tasks that
define an individual’s job. Commitment to competence includes management’s consideration
of the competence levels for particular jobs and how those levels translate into
requisite skills and knowledge.
Competence is an attribute that is assessed based on the company and its operating
environment. The controller of a small company with a simple operating environment
may be fully capable of meeting the accounting and reporting needs of that business, but
the person’s experience and training might not support his or her serving in that role in
a large, complex SEC reporting business environment.
The points of focus regarding this principle include:
◾ Establishing competence policies and practices.
◾ Evaluating competence and addressing deficiencies.
◾ Attracting, developing, and retaining competent employees (and contract workers from outsourcing companies).
◾ Planning for succession.

While this may be a judgment call, signs of competence problems are usually visible
if they are looked for. In the context of the controller position, problems include:
◾ Frequent or significant corrections in accounting and reporting matters.
◾ Auditors discover significant adjustments to accounting records.
◾ Failure to obtain or maintain professional licenses and meet continuing professional education (CPE) requirements.
◾ Frequent reliance on consultants and auditors to address somewhat routine accounting issues.

A small public company hired a controller with industry but not SEC experience.
To support the controller, additional resources were brought on board to
address SEC reporting issues, and a training program involving an outside vendor
was put in place to help the controller become proficient with the reporting
requirements and SEC literature.
What could have been rated a severe deficiency due to a competence issue
was mitigated by the additional resources and the implemented training program.

HR policies and practices affect an entity’s ability to employ sufficient competent
personnel to accomplish its goals and objectives. HR policies and practices include an
entity’s policies and procedures for hiring, orienting, training, evaluating, counseling,
promoting, compensating, and taking remedial action. In some entities, the policies
may not be extensive, but they should nevertheless exist and be communicated. For
example, in a smaller entity, senior management may make explicit his or her expectations
about the type of person to be hired to fill a particular job and may even be active in
the hiring process. Unfortunately, some form of formal documentation is expected when
regulations or audit standards seek documentary evidence that a policy is in place and
112 ◾ Control Environment
operating effectively. While COSO originally did not require written documentation,
the 2013 revisions made a clarification to address audit and Sarbanes-Oxley (SOX)
concerns. Therefore, entities that wish to be able to demonstrate controls assessments
to third parties (or auditors) need to consider documentation of competencies sought
in such situations.
Standards for hiring the most qualified individuals, with emphasis on educational
background, prior work experience, past accomplishments, and evidence of integrity
and ethical behavior, demonstrate an entity’s commitment to competent and trustworthy
people. Hiring practices that include formal, in-depth employment interviews and
informative and insightful presentations on the company’s history, culture, and operating
style send a message that the company is committed to its people.
Personnel policies that communicate prospective roles and responsibilities and that
provide training opportunities indicate expected levels of performance and behavior.
Rotation of personnel and promotions driven by periodic performance appraisals
demonstrate the entity’s commitment to advancement of qualified personnel to higher
levels of responsibility. Competitive compensation programs that include bonus incentives
serve to motivate and reinforce outstanding performance. Disciplinary actions
send a message that violations of expected behavior will not be tolerated.
Some issues involving competence may also involve HR issues (hiring, training,
etc.), and an issue identified may be a competence issue and may also involve a control
environment issue. For example, deliberately seeking lesser levels of competence than
required for the position and salary may be a way for management to control or
intimidate employees. Consequently, such issues may be assigned to more than one
category in your assessment. In the COSO Framework, issues often may not neatly fall
into only one principle, but the important thing is that they be assessed and considered.
In some cases it may be appropriate when using a formatted tool to cross reference an
issue that could be assessed in one place or another in your documentation to where
it is actually addressed to avoid repeating the assessment and to help reviewers and
auditors follow the documentation better and identify the relationships.
Common sources of evidence regarding this principle include a full review of HR
policies and procedures and seeking some evidence that the policies and documented
procedures are actually in place. Seeking more evidence, such as when high reliance on
controls is sought, would perhaps lead to interviews or group discussions. The absence
of contrary evidence is also a consideration. Lawsuits and allegations from the hotline or
from active or settled cases could belie the effective implementation of policies. Accountants
are likely to be particularly sensitive to indications that accounting supervisory
and clerical staff might not be properly trained or of the proper background for their
assigned responsibilities.
Auditors and corporate project team members may be reluctant to criticize the
quantity or quality of accounting resources and leadership, even when called for,
since auditors have to work with these individuals in the audit process. However, not
addressing the issue usually does not lead to a resolution and often just delays the
Principle 5 ◾ 113
inevitable. Failing to note such deficiencies can be a source of business risk to the
auditor since professional standards require communication of deficiencies that are
significant or material. In addition, ignoring the issue leads to continuing risk that a
problem will arise that may not be detected in a timely manner. Concrete examples of
delays in processing or errors discovered can help support observations and judgments.
Research has shown that deficiencies are rated more severely when there is an accompanying
misstatement of some magnitude,3 although theory states that a misstatement
need not be present for a deficiency to be rated as severe (significant deficiency or
material weakness). In most cases the communication can be accompanied with some
remediation suggestions that can make the communication less of a pure criticism.
Some auditing vendor products provide sample deficiency citations that can be modified
for the particular circumstances.
PRINCIPLE 5: THE ORGANIZATION HOLDS INDIVIDUALS
ACCOUNTABLE FOR THEIR INTERNAL CONTROL
RESPONSIBILITIES IN THE PURSUIT OF OBJECTIVES
When viewed as a whole, the control environment is highly dependent on every key person
having controls awareness. Controls are not likely to be effective if thought of as the
controller’s problem. Every individual in an organization has some role in implementing
internal control, and these roles and responsibilities will vary.
Points of focus for this principle are that the entity:
◾ Enforces accountability.
◾ Establishes performance benchmarks and rewards based on performance.
◾ Actively reconsiders the performance and rewards structure.
◾ Looks for excessive pressures that may deteriorate performance or encourage fraud.
◾ Rewards or disciplines individuals.

Some of these points may also relate to the flawed implementation of incentives associated
with fraud risk (Principle 8).
Management and governance need to follow through when controls significantly
fail or employees perform very poorly. An organization that fails to set a tone that shows
there will be consequences when performance fails to meet expectations in essence
neuters the stated policies and creates a paper-tiger mentality despite all the bluster that
the policies and management may imply. Others in the organization are often affected
when obvious problems are ignored. Subordinates and peers can become complacent
or cynical, and their work may also be affected.
3 Bedard, J., and L. Graham. 2011. Detection and severity classification of Sarbanes-Oxley Section 404 internal
control deficiencies. The Accounting Review 86 (3): 825–855.

An entity hired an information technology (IT) specialist into a leadership role.
She had not worked in the practice end of IT in some years. After the initial
honeymoon period, she began to fail to deliver promised project output, became
visibly absent when on business trips, and submitted some questionable expense
reports. Questions also were raised about her competence regarding current
technology and whether she was growing in that knowledge over time. She
became abusive and defensive when questioned about her poor work habits and
other concerns. She generously spread around blame to others.
Because IT is often a difficult area to assess for general management,
problems went on for a relatively long period. The consequence was that she drove
capable IT subordinates and peers to become demoralized and angry and to seek
positions with other companies or transfers to other positions in the organization.
Eventually, the real source of the problems was crystal clear, and she was fired. The
weakened department then required a complete overhaul to ensure the proper
skill sets were able to meet the organizational needs.
Better oversight and early identification of the competence issues (maybe
during or shortly after the hiring process) could have resulted in a much less
disruptive and costly process to the organization.
Sources of evidence to support or refute adherence to this principle can be management
files and records regarding disciplinary actions, issues reported via the hotline, patterns
of excessive turnover in specific business functions, and issues raised in interviews
or focus group discussions. Has the entity found a way to communicate that actions,
and not just words, are behind the policies and procedures? What monitoring steps are
taken to ensure that problems do not go on without internal identification? In that sense,
Monitoring Principle 17 on evaluating and communicating deficiencies can be related
to this issue of accountability.
Appendix 4A summarizes guidance on the responsibilities of those in the organization
who often contribute most significantly to the effectiveness of internal control.
Important Interactions with Other Components and Principles
More than in other iterations of the COSO guidance, the interrelationship of the components
and principles is stressed in this update to the Framework guidance. When analyzing
deficiencies, it will be necessary to try to identify a possible root cause in order to
identify relevant interactions. It does not seem possible to hard-code linkages between
specific principles such that, in all cases, the linkage will hold. It really requires analysis
of the deficiency to see where the linkage might be.
Suppose management was not timely in resolving an alleged ethical breach.
Ethical considerations and effective implementation issues are a Principle 1 issue.
If the employee did not know or understand the ethical guidelines, that is one potential
principle affected. Holding individuals accountable is Principle 5, so the delay, if management
was able to resolve the issue, may relate also to that issue. Did analysis of the
breach indicate that management did not receive important information on a timely
basis? If the information came in via the hotline, management’s hotline antifraud
controls (perhaps evaluated with Principle 8, Fraud Risk) might be affected. If the
deficiency seemed to be a failure to receive timely information, that might imply the
root of the deficiency was related to Principle 14, Internal Communication. Without
careful analysis, how could you identify related components and principles?
Because this is a complex analysis and involves judgment, it may not be an effective
task for junior staff to address. Knowledge of COSO as well as knowledge of the entity and
ability to reason through to a conclusion may require several skills. If a dispersed responsibility,
then controls and training (including review) may need to surround implementation.
In all fairness, it may also be a process that not everyone will go about in the
same way and/or reach the same conclusions. As with deficiencies when first studied
under the AICPA guidance or the SEC/PCAOB guidance, some information sharing and
team group discussion may be necessary to train individuals to be more consistent in
the performance of the task. Training can follow when some limited experience is developed.
I suspect this will initially be an unstructured exercise for companies and auditors
alike. Disputes can be costly in terms of time and reaching correct conclusions, so there
is value in developing a process and examples that can be communicated to the team. If
you knew the root cause would be important, staff might be able to gather some information
toward that end when the deficiency is first identified. This issue is pervasive and
holds importance for every principle and component in the Framework.
Sample templates distributed with the 2013 Framework make special note of cross
referencing and relating other principles and components impacted by documented deficiencies.
We discuss these templates and propose other approaches in Chapter 14.
Transition to 2013 Principles
Those transitioning directly from the 1992 Framework will need to link existing documentation
and controls testing to the principles and components in the new Framework.
The new principles and points of focus can then be used to identify any obvious holes in
the analyses conducted to date. In earlier guidance, control objectives or assertions may
have been used to classify controls within components. Generally, the most accurate
mapping of controls to the new guidance usually starts with the more granular descriptions
and tests of the controls and then associates them with the components, then the
principles, then the points of focus in the 2013 guidance. Since control objectives and
assertions are often related, either may be used to ensure that all the relevant financial
statement assertions are being addressed in the new documentation. My personal preference
would be to use the financial statement assertions in the control activities area
for the validation of the mappings and identification of any gaps. This will also help synchronize
company and auditor assessments regarding the mapping and the resulting
documentation, since the auditor is likely to use assertions in the auditing process.
Those transitioning from the 2006 guidance for smaller public companies (and
nonpublic companies that also used that guidance to structure their assessments) will
find some reshuffling of the former 20 Principles to the new 17 Principles. Presumably
the fewer categories will be simpler to work with. In the control environment area,
two former stand-alone principles have disappeared and been merged into other
principles. The new principles have been reworded, so be careful to identify the new
principles as they are now worded, with the assistance of the points of focus. The 2006
Principles that were merged are:
◾ Management Philosophy and Operating Style. This principle seems mostly encapsulated in new Principle 1, but some deficiencies can have a relation to accountability (Principle 5).
◾ Human Resources. This principle seems mostly encapsulated in the new competence principle (Principle 4).
