
Control Frameworks

GCC SMITH
IIA WESTERN CAPE
APRIL 2006

Contents

† Questions asked by Boards
† Integrated control frameworks
† Defining Control
† CoCo versus COSO – practical example
† Evolution of Control

Questions asked by Boards,
Investors, Management etc…
“Do we have adequate controls to
effectively mitigate the risks we face?”
or
“Do we have sufficiently effective controls
in place to achieve our objectives?”

SOX requirement

SOX 404(a) mandates that management must
issue a report on the company’s INTERNAL
CONTROLS over FINANCIAL REPORTING (i.e.,
must identify risks, evaluate control designs, test
the controls, correct weaknesses & report on
results).
„ Statement of management’s responsibility
„ Management’s assessment of effectiveness
(disclose material weaknesses, if any)
„ Identify framework used for the assessment
„ Statement that the auditors have issued a report
on management’s assessment

Integrated Frameworks
† Internal Control – Integrated Framework issued
by the Committee of Sponsoring Organizations
of the Treadway Commission (COSO), 1992

† The Cadbury Report, Code of Best Practices,
issued by the Cadbury Committee of the United
Kingdom, 1994

† Guidance on Control issued by the Criteria of
Control Board (CoCo) of the Canadian Institute
of Chartered Accountants, 1995

Integrated Frameworks
† Enterprise Risk Management – Integrated
Framework issued by COSO, 2004

† COSO is expanding its existing framework to
provide more guidance on how it can be applied
to small companies, 2005

Control Frameworks - Cadbury

† Cadbury (UK) – 1993
„ Changes in London Stock Exchange listing
requirements obliged directors to publish in
annual report disclosures relating to
corporate governance, including “the
effectiveness of the company’s
system of internal control”

Control Framework - Cadbury

„ Interpreted narrowly – internal financial
controls
„ Directors
‡ Worried about how to judge effectiveness
‡ Worried about legal liability if they stated
controls were effective and something
subsequently went wrong
„ Therefore – they did not make statement
about effectiveness of control – instead
acknowledged their responsibility for
effective internal control

Control Framework - Hampel

† January 1998
„ Supported what companies were actually
doing – recommending that making a
statement about effectiveness of controls
be dropped from the listing requirements
„ Expanded directors’ role – advising that
they “maintain and review controls relating
to ALL relevant control objectives, and not
merely financial controls”

Control Framework - COSO

† 1992 – United States of America (Committee of
Sponsoring Organisations of the Treadway Commission)
„ Defines internal control as:
„ “a process – effected by entity’s board, management
and other personnel, designed to provide
REASONABLE assurance regarding ACHIEVEMENT
of OBJECTIVES in following categories
‡ Effectiveness and efficiency of operations
‡ Reliability of financial reporting
‡ Compliance with applicable laws and regulations”

Control Framework - CoCo

† Canadian Institute of Chartered Accountants
„ Criteria of Control (CoCo) – first focused on:
‡ Developing guidance on how to provide
information relevant to the effectiveness of control
to the board of directors
‡ Receiving such information allows boards to
experiment with disclosing information about
whether the organisation is in control.
‡ Control comprises “those elements of an
organisation (including its resources, systems,
processes, culture, structure and tasks) that, taken
together, support people in the achievement of the
organisation’s objectives.”

Defining control

† Control – a relative concept
† Taking risks knowingly – organisation
† Who sees risk as something desirable?
† Who sees control’s primary role – to
mitigate risks?
† Traffic cameras, Marriage & Movies !!!!
† Bungee-jumping, Deep Sea Diving

Defining control

† Carpe Diem – Seize the Day
„ Not primarily about mitigating risk – about
pursuing opportunity – if it involves
calculated risk – good
„ Risk undesirable – ignores human nature –
we all need some risk in our lives
„ Seek risk because it is exciting
„ Thrill of pulling off risky ventures

COSO & CoCo in practical terms
† South African Cricket Team (COSO)
† Limitation - COSO
„ control only gives information about
achievement of objectives
„ Won’t change bad players into good ones
„ Cannot address changes in an
organisational environment

What COSO will tell public &
supporters
† Key day-to-day processes are under
control
† Identifies risks and controls that are
taken, e.g.
„ Team is fed and paid
„ Equipment in good condition
„ Training and accommodation facilities are
excellent

What COSO will tell public &
supporters
† Establish a control environment
„ Culture that does not permit late night
parties during matches
„ Requires players to turn up for all training
sessions
† Ensures information systems in place
„ Batting targets
„ Statistics of all players
„ Analysis of competition

What COSO will tell public &
supporters
† Ongoing monitoring
„ Coaching staff monitor information
systems, e.g. fitness assessment of
players and report to coach/captain

What COSO does not tell …

† Won’t tell / shed light on
„ whether the team is heading in the right direction
(whether it has the right objectives)
„ whether the team has a good or bad captain
„ whether the team will win (“survive”) a close
contest
„ Subject of ethical integrity (e.g. excessive
appealing of players, conduct of players on field of
play and after hours)

CoCo - Team

† Does look at team’s direction – because it
includes objective setting as a key part of its
model of control
† Attempts to address “survival” of team –
requires managers to challenge assumptions
on which control processes rest and by learning
to make continuous improvements
† Will assess the team’s competence, i.e.
knowledge, skills

CoCo team does not tell …

† Explicitly whether the team has a good
or bad captain
† Whether the team is doing the right thing
† Whether it is a viable team

Evolution of control

† Definition of control is a broad one,
encompassing virtually all of an organisation’s
activities
† Emerging principle of learning and reflection
which has evolved from monitoring and
measuring control activities
† Growing recognition of values and the critical
importance of values as an essential part of the
control environment
† Models devote attention to the concept of
responsibility of control

Conclusion

† “Control models/frameworks present exceptional
opportunity to directors, management and
auditors:
„ Applied with care, insight and vision – models can
be basis of control systems that directly support
success of the organisation
„ Applied mechanically, the resulting control system
may support good control, but they will not
necessarily support organisational success”
DJ Galloway
